Estimated Reading Time: 8 minutes
To say that the security climate on the Internet is a precarious one these days, would be an understatement.
According to one recent study conducted by the University of Maryland, a security incident online now occurs at an average rate of once every 39 seconds and affects one in three Americans every year. Another study revealed that about 64% of all companies have experienced web-based attacks, and roughly 43% of those were small businesses. Juniper Research even predicts that the average cost of just a single data breach incident will balloon to $150 million (or more) by as soon as 2020.
Thankfully, there are a wide range of technologies that network administrators and security professionals can employ to keep users (and networks) safe from cyber threats. DNS filtering is one of the most common and effective of those. Depending on the specifics of the implementation, DNS filtering provides advanced network configuration controls for parental controls and safety online. Additionally, it delivers protection from threats such as phishing attacks, malware, ransomware, botnets, and more. In combination with web content categorization, DNS filtering is a powerful resource for communications providers, ISPs, MSPs, CASBs, and more.
The purpose of this blog is to provide you with a basic working knowledge of how DNS filtering contributes to a strong security foundation. We’ll cover DNS basics, general information about configuration and customization, as well as the advantages, limitations, and steps beyond standard DNS filtering.
What is DNS Filtering? Breaking It Down in Simple Terms.
At its core, DNS filtering (or Domain Name System filtering without the acronym) is a technique that is used to restrict or block access to certain websites or “domains”. In this way—based on implementation—DNS filtering provides protections in an effort to create a safer, more productive working environment on the Internet. DNS filtering also has other uses and can works with protocols such as ftp and smtp, but for the purposes of this article, we’ll focus on its application for web filtering specifically.
In simple terms, every web server, website, etc, has an address—or more accurately, an Internet Protocol (or IP) address. All machines (e.g. websites, servers, and web services) have an assigned IP address, which enables our computers to locate and connect to other remote computers and enables the communication that supports our World Wide Web. The Domain Name System works to make it easier for humans to use the internet and removes the requirement for us to remember all of those number-only IP addresses. Rather, the DNS system translates readable alphanumeric names and words into a corresponding IPv4 or IPv6 address. DNS servers are located all over the world, mapping IP addresses to their respective domain names—like a worldwide telephone directory for websites.
So rather than requiring users to remember countless IP addresses for the various sites they want to visit, they can use the domain name instead. For example, thanks to DNS, rather than typing an IPv4 or IPv6 address (for example 220.127.116.11) into your browser’s URL/search bar, you can just type zvelo.com, instead.
DNS filtering effectively allows for advanced network security configurations at the domain level. If you try to visit a website and the domain is found to be malicious—a DNS filtering solution might block or redirect that request to a safe page, depending on its configuration.
There are a variety of additional technologies and methods to bolster a DNS filtering configuration. DNS RPZ, or Response Policy Zones, as well as blocklist feeds are a couple of examples that allow advanced configuration and customization to handle and respond to DNS queries made by end users browsing the internet on your network. In this way, DNS filtering serves as a firewall that can be configured to include domains (from lists, feeds, etc.) as necessary for your network.
Historically, organizations and IT departments implemented DNS filtering and configured DNS settings at the router/gateway level on physical machines residing on-premises. In more recent years, businesses have increasingly outsourced these types of administration efforts, relying on external support form Internet Service Providers (ISPs) and Managed Security Service Providers (MSSPs). Nowadays, you can purchase a premium or enterprise DNS solution, configure your network to process DNS requests through that service, and be up and running with a functional DNS filtering solution in no time. However, before making a significant decision that has the potential to impact your network security and future cyber protection plans—you should understand the advantages, limitations, and details about scaling a standard DNS filtering solution for web filtering.
Regardless, DNS filtering is still one of the most important baseline steps towards building a scalable and secure IT infrastructure and can provide advanced protection for everything from pornography to gambling sites, file sharing to news websites, social media, blog platforms, and more.
The Advantages of DNS Filtering
There are a number of critical advantages that a DNS filtering solution provides. But chief among the advantages is the ability to completely block access to malicious and compromised websites, as well as what would be considered “Objectionable” sites such as those hosting content related to pornography, violence, terrorism, and more.
Secondary advantages make DNS filtering an ideal solution for a wide range of businesses and organization. DNS filtering is lightweight, fast, and scalable and with premium and enterprise-level offerings offers advanced flexibility for policy management and customization. Every organization operates differently and has unique requirements and cultural norms as well as web browsing habits. DNS filtering allows IT teams to support custom-tailored configurations with peace of mind.
As mentioned, the most significant advantage DNS filtering gives organizations is the ability to proactively block access to potentially harmful sites, a critical first layer of security and cyber defense. When we look at common payload delivery methods and points of compromise from the various of threats online (i.e. malware, ransomware, phishing attacks, etc.) we find a glaring common denominator. And that is, good old-fashioned user error. Indeed, your own users making mistakes is the number one cause of the vast majority of the cyber incidents that happen every year.
With DNS filtering in place and the proper configuration and support from feeds provided by trusted cybersecurity companies, you able to put up an important wall of defense. When network traffic and users have restricted access to undesirable websites (particularly malicious and objectionable sites) a number of low-hanging security risks are immediately removed.
On top of that, if you’re a business owner, you get the added benefit of preventing those users from accessing the types of materials that could hinder their productivity or cause offense to others throughout the day (i.e. social media, questionable blogging sites, etc.).
Beyond DNS Filtering: Full Path URL Filtering and More
DNS filtering is a powerful technology, but not without a few limitations and caveats. Because it is based on the Domain Name System, this filtering and protection technology is restricted to operate within those boundaries. DNS filtering by definition is a domain-based protection layer and therefore only works as far down as the domain (or subdomain) level. In other words, it can only offer filtering and protection as far down as the domain (sometimes to referred to as base domain) and subdomain—and cannot achieve visibility beyond at the page-level. For many use cases and requirements that is more than sufficient, even ideal. These include applications like parental controls, brand safety protections, and network restrictions to block content that is NSFW (not safe for work).
For other applications, however, hybrid solutions that can manage filtering at the DNS level as well as identify content and safety at the page, post, or file level (known as full-path) offer significant advantages and critical functionality that typical DNS filtering deployments can not quite accomplish. This means that you cannot distinguish between the webpage and domain that hosts a malicious payload—even if that malicious payload is only one file or on one specific page.
In addition, blocking malicious and objectionable content requires that those sites be previously identified. DNS filtering in itself does not detect and analyze sites to know whether a source should be permitted, redirected, or blocked. Therefore, while DNS filtering provides configuration options and protections that are extremely flexible—it is only as good as the underlying technology that has been implemented to detect, analyze, categorize, and identify malicious and other content-based web content.
If your business or IT team is looking to implement a DNS filtering solution, it would be critical to understand the level of security and granularity offered by your DNS filtering provider. After all, every business is different. What do your employees and network users expect in terms of protection? And what are you to pay for it? Additionally, if you opt for a “security light” vendor, are you ready to pay fines, recompense, or brand reputation losses in the event of a major network or data breach?
Considering that the majority of identified malicious and phishing locations occur at the page level (rather than the domain or subdomain level), it is clear that a hybrid, full-path filtering solution will far exceed the protection levels offered by a domain-based filtering solution offers.
Security and filtering providers like zvelo offer hybrid deployment options that support standard DNS filtering, as well as full-path URL filtering and analysis. This allows an organization to develop and implement advanced solutions that not only support advanced configurations for blocking, redirection, or whitelisting domains, but for full-path content categorization, analysis, malicious detection, traffic analysis, and more. For communications companies, security vendors, and others where security is of primary concern—a scalable and secure infrastructure is critical to scalability, agility, and long-term growth.
Final Thoughts on DNS Filtering Solutions
It’s important to remember and understand that no single cybersecurity solution is 100% effective against the evolving threat landscape that we face. DNS filtering goes a long way towards providing you with critical network infrastructure to protect your internet traffic and users—but also requires a robust strategy as well as trusted security cybersecurity partners, feeds, and other technologies to provide maximum protection. Anti-virus, spam filters, two-factor authentication, and remediation policies are also critical to defending your networks.
All in all, DNS filtering allows organizations to enforce comprehensive, forward-thinking and robust Internet usage policies, blocking access to malicious website content and other threats that could potentially do you harm. You might not be able to prevent yourself from becoming the target of a hacker—but with infrastructure and technologies in place like DNS filtering, you can significantly improve your defenses against known threats and reduce the chances of having your network penetrated by accidental user error.
Click here to learn more about zveloDB, the industry-leading URL Database with over 99.9% ActiveWeb coverage and 99% accuracy and underlying AI-powered categorization engine that powers successful DNS filtering solutions around the world. Or, try it yourself at https://tools.zvelo.com.
If you’re interested in learning more about DNS filtering or zvelo’s cloud-based AI infrastructure, check out some of these supplemental blogs: