Skip to content
TitanHQ

DNS Filtering: The How-To Guide

What is DNS Filtering?

Experts often describe the Domain Name System (DNS) as a phone book for the internet. Every website is connected to a unique address, and the DNS system enables web browsers to translate website URLs into I.P. addresses.

DNS filtering allows organizations to block users from accessing certain websites to:

  • Keep employees from accessing non-productive websites during work hours.
  • Prevent employees from accidentally accessing compromised and malicious websites.

From a cybersecurity perspective, blocking malicious web content is integral to a successful multi-layered security strategy. Compromised and spoofed websites are a standard part of the cybercriminal toolset. 

Preventing users from accessing known malicious websites can dramatically improve your organization's security risk profile. In addition, DNS filtering makes it much harder for cybercriminals to impersonate trusted contacts and execute phishing campaigns.

 

How Does DNS Filtering Work? 

In simple terms, every web server, website, etc., has an address—or, more accurately, an Internet Protocol (or I.P.) address. In addition, all machines (e.g., websites, servers, and web services) have an assigned I.P. address, enabling our computers to locate and connect to other remote computers and the communication that supports our World Wide Web. 

The Domain Name System makes it easier for humans to use the internet and removes the requirement to remember all those number-only I.P. addresses. Instead, the DNS system translates readable alphanumeric names and words into a corresponding IPv4 or IPv6 address. DNS servers are located worldwide, mapping I.P. addresses to their respective domain names—like a worldwide telephone directory for websites.

DNS filters are designed to combat malware, ransomware, spam attacks, child pornography, and other dangerous sites on the web. Since DNS maps website names to I.P. addresses, it acts as an interpreter and roadmap for the internet. Usually, when the browser queries a DNS server, an I.P. address is returned, allowing the browser to open the website at the specific I.P. address.

DNS filtering services use the Domain Name System to block malicious website threats and filter out harmful web content, ensuring that network data remains secure and allowing organizations to control what their staff can access on company-managed networks.

The DNS server filters and blocks the request rather than returning an I.P. address. It is also helpful for organizations that want to protect internal assets by blocking known malicious sites. This function is normally conducted at the router level by blocking I.P. addresses or filtering ports. DNS filtering and DNS filters are powerful and efficient security solution alternatives for those without the luxury of high-end routers.

 

How Does DNS Filtering Software Know Which Websites To Block?

DNS filters must constantly be updated with the latest threat intelligence information to achieve the best results. If a compromised website isn't listed in a DNS filtering database, the filter can't prevent users from accessing it.

Many different threat intelligence services maintain databases of compromised I.P. addresses. Whenever a partnered cybersecurity service identifies malicious activity from a new website, they contribute that information to one of these threat intelligence providers.

DNS filtering solutions are only as reliable as the data they access. High-quality filters with comprehensive databases can catch and block malicious websites faster than others.

The best threat intelligence providers proactively search for evidence of malicious web activity. However, only some providers can offer comprehensive coverage for the entire internet. The best MSP DNS filtering solutions rely on input from many threat intelligence services.

Below is a selection of the partners powering WebTitan's 650 million user threat intelligence database.

 

How Vital Is DNS Filtering In 2023 And Beyond?

DNS remains a vulnerable, highly targeted component for exploits and cyberattacks. For example, cybercriminals can spoof DNS replies, feeding false information that redirects users from legitimate websites to malicious ones.

The sheer size of the internet makes it easy for cybercriminals to create new malicious websites. Thousands of new websites are registered every second, putting pressure on threat intelligence providers to keep up. 

As soon as any security provider detects malicious activity on a newly registered website, cybercriminals can write a new website and continue their attacks.

Due to its critical function within the internet and the enterprise, DNS is a primary target for hackers, so securing it is imperative. An effective DNS security strategy entails not only blocking malicious queries but also servicing good queries as well. 

DNS plays a vital role in a layered network security strategy in which multiple approaches to cyber defense are required. This multi-tiered approach reduces the possibility of a successful hacking attack.

Protect the DNS layer in your organization from advanced threats WebTitan DNS Filter. Book a free demo today and see how it can support your organization.

Book Free Demo

How Does DNS Filtering Fit Into A Comprehensive Security Strategy?

DNS filtering cannot stop every threat. It is a small but essential part of a more extensive security system.

DNS filtering should be an essential component of your network security strategy used alongside port monitoring, intrusion detection systems, intrusion prevention systems, anti-virus, and firewalls. These necessary security layers work cohesively to create a functional and highly effective security protection system.

Compared to sophisticated detection-based systems, DNS filtering offers some clear advantages for security-conscious organizations:

  • Maintaining a successful DNS filtering policy requires fewer resources than many sophisticated detection-based technologies.
  • DNS filtering informed by high-quality threat intelligence providers can protect users from emerging threats before all the details of the threat are known.
  • Modern DNS filtering technologies rarely include false positives.

However, DNS filtering is not without its critics. The approach has its share of disadvantages as well:

  • DNS filters are not bulletproof. Malicious attackers are clever enough to get around it.
  • Users can use proxies to hide their original I.P. and gain access to the DNS-queried IP address.
  • Modification of the DNS protocol could lead to unforeseen security issues and technical bugs.

For more information about DNS filtering myths, visit this recent blog post: 4 Myths about DNS Filtering and some truths.

No system is, of course, bulletproof, and while it is true that cybercriminals are constantly changing domain names, solutions such as WebTitan DNS Filter are highly effective in countering their cloaking efforts. WebTitan DNS filter does this by categorizing an estimated 60,000 malware and spyware domains per day, tracking down dangerous sites, and blocking them. 

A schematic illustrating this process is below :

WebTitan DNS Filter

Examining DNS Structure

The Domain Name System (DNS) was designed to make it convenient for the public to use the internet. As mentioned earlier, it translates domain names to the matching I.P. addresses of the hosted devices. DNS allows us to use https://www.google.com instead of http://74.125.224.72/ to initiate a search. In short, it is the internet's primary directory service. 

The DNS system that services the internet is a distributed system anchored by a collection of root name servers dispersed worldwide. Under the root servers are top-level domains (.com, .org, .net) followed by second-level domains (Google, TitanHQ, Microsoft). 

These domains form DNS zones, which may consist of one or more domains (for example, google.com is a domain). A set of authoritative name servers are assigned to each DNS zone. 

An authoritative name server can be either a primary or a secondary server. A master contains the original read/write copies of zone records, while a secondary maintains only readable copies of the master records that are updated through replication. 

DNS servers use TCP port 53 for zone transfers to keep the secondary synced with the primary zone file. Intruders can use this mechanism to download the contents of a name server's zone file. To prevent this, administrators should block zone transfer requests from any device that is not an authorized slave name server. Port 53 is often used to tunnel unauthorized traffic, and I.T. should scrutinize suspicious traffic.

 

What is Reverse DNS?

A reverse DNS lookup or reverse DNS resolution (rDNS) is the querying of the Domain Name System (DNS) to determine the domain name associated with an I.P. address – the reverse of the standard "forward" DNS lookup of an I.P. address from a domain name.

Reverse lookup is often valuable for determining the legitimacy of an I.P. address. For example, your DNS filter may look up forward and reverse DNS entries to discover whether those entries consistently match with one another.

If the reverse lookup generates records that show discrepancies between entries, it may indicate a compromised website. This is one of the valuable investigative capabilities that high-quality DNS filtering solutions provide to organizations.

 

How are DHCP and DNS Related?

Under the standard IPv4 Internet protocol, DNS is often tightly integrated with Dynamic Host Configuration Protocol (DHCP). A DHCP server automatically provides I.P. addresses to DHCP-enabled clients as well as other information such as the identity of DNS name servers. Therefore, to maintain DNS security, you must also protect your DHCP infrastructure.

In the more advanced IPv6 network configuration, DHCP may or may not provide DNS information as Router Advertisement (R.A.) message provides this information instead.

Protect the DNS layer in your organization from advanced threats WebTitan DNS Filter. Book a free demo today and see how it can support your organization.

Book Free Demo

Types Of DNS Attacks

DNS is a double-edged sword primarily because of the insecure nature of the DNS infrastructure, making it vulnerable to these types of attacks:

Dynamic DNS (DDNS)

While DDNS serves the legitimate function of allowing the address of a domain name to change quickly and host servers on temporary addresses, it is abused by botnet operators and phishers who change addresses rapidly to avoid detection.

DDNS makes it difficult for DNS filters to keep up with malicious activity. Even if the filter blocks some of the addresses, it may be unable to stop them all without sophisticated DNS-layer protection.

Fast Flux DNS

Fast Flux DNS is another way cybercriminals can rapidly alter DNS addresses to hide malware and phishing delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Attackers achieve this by exploiting a load-balancing technique called round-robin DNS. Typically, this type of service is designed for websites with content located on several redundant servers in different countries worldwide. 

Packet Amplification

This technique is called a Smurf attack (named after the DDoS Smurf malware). It is a distributed denial-of-service attack involving many ICMP packets with the intended victim's spoofed source I.P. broadcast to a computer network using an I.P. broadcast address.

This attack leverages the disparity in bandwidth consumption between attackers and the targeted web resource. Attackers send small queries that result in significant, resource-intensive responses and tell the server to direct the response toward their target.

DNS Amplification

This popular form of DDoS relies on publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. It is called a "DRDoS Attack" (Distributed Reflection and Amplification Denial of Service). 

This attack often starts with a DNS lookup request to an open DNS server. Then, it spoofs the source address, tricking the server into becoming the target address. Once the DNS server returns the record response, it is passed to a target that the attacker controls.

DNS Tunnelling

DNS tunnelling involves the encoding of data into DNS queries and responses. These data payloads typically allow hackers to take over and manage the DNS server with remote server applications.

This attack often relies on DNS infrastructure that is connected to a compromised system. That provides cybercriminals with potential access to the internal DNS server. Additionally, the attack relies on the fact that DNS traffic can sometimes bypass firewalls and other systems without scrutiny.

 

What Is A DDoS Attack?

A Distributed Denial of Service attack (DDoS) attack is the purposeful overload of a device to make it unavailable to legitimate traffic. A DDoS usually originates from large numbers of bots or zombie P.C.s under the control of one central machine called a botnet. 

The motivation behind these attacks can be to bring down a business competitor or as a form of ransomware in which the victim must pay up to stop the packet onslaught. One of the most significant attacks on record was the Spamhaus attack in March of 2013, involving over 30,000 DNS resolvers. 

Traditional security methods are configured to throttle packets from a designated I.P. address initiating high traffic. However, in the case of Spamhaus, the attackers used an enormous number of different I.P. addresses, so throttling efforts were never triggered. You can read more about Spamhaus here.

 

How To Prevent DNS attacks

Security administrators can configure DNS to mitigate common security issues. One of these is the ability to accept and respond to DNS requests from any source on the internet. DNS servers that automatically accept incoming requests like this are called open resolvers. Cybercriminals exploit open resolvers to launch cyberattacks against their targets, and your DNS can quickly become one.

Configure your DNS server to restrict its ability to respond to DNS requests from any address on the internet. Only allow in-house recursive servers to the I.P. subnets used by your company. If you are operating an extranet, this should also include customer ranges. 

However, remember that many (if not most) DNS resolvers across the internet are open resolvers. Either they have yet to be secured or are meant to be available to the public. To test your I.P. address for open resolvers, see https://www.thinkbroadband.com/tools/dnscheck.html

Although there is no sure-fire way to preclude a DNS attack, the following measures can minimize the odds:

  • DNS blocking for security against phishing and spam can help preclude DNS attacks. This mechanism makes it difficult for entities to locate specific domains or websites on the internet that are malicious.
  • Configure your authoritative DNS servers to use DNS response rate limiting.
  • DNS traffic should be throttled depending on the type of DNS packet. For example, a zone transfer reply would have a higher threshold than a reply for the name of the DNS server.
  • Work with your Internet provider to block or throttle traffic you do not want on your network, if possible.
  • Monitor your network and make a note of client I.P.s using unusual amounts of bandwidth.
  • Publicly exposed sites should be load balanced and include resource reserves for additional bandwidth and CPU cycles to handle increased loads caused by an attack. Google endorses this practice. 

For any organization that takes network security seriously, protecting its DNS infrastructure should be vital to its enterprise security plan.   A little time and effort spent on DNS security can provide immediate and significant security benefits. For more about WebTitan DNS filtering, click here.

 

How Does DNS Filtering Work In Shared Offices?

Many organizations have employees logging in from coworking spaces around the world. Some enterprises may keep most of their workforce in distributed environments like these. Managing an effective DNS filtering policy under these conditions takes work.

A shared coworking space may share network infrastructure with hundreds of different organizations. This high degree of connectivity may only be protected by a free wireless internet connection with a single password shared by every customer.

Virtual Private Networks (VPNs) represent one of the most straightforward solutions for addressing DNS risks associated with remote workers in shared infrastructure environments. However, maintaining an organization-wide VPN policy is an expensive and complex undertaking.

As a result, organizations are increasingly moving towards managed DNS service providers. By entrusting their DNS-level security to a managed service provider, they can effectively leverage a scalable solution for managing DNS security. MSP DNS filtering allows organizations to implement strict filtering policies for employees who log in from shared coworking spaces.

 

MSPs Can Use DNS Protection To Keep Their Customers Safe

Managed service providers are under pressure to manage complex security environments in a scalable and cost-effective way. They must deploy and secure various security technologies that fit their customers' unique security risk profiles. This can present problems for DNS-level security workflows that rely on in-house resources and manual processing.

MSPs who package robust, scalable DNS filtering solutions into their services can offer their customers better security performance. Solutions like WebTitan DNS filtering open the customer landscape to include highly distributed remote teams that are difficult to secure using traditional DNS solutions.

 

Introducing WebTitan DNS Filtering

At its core, WebTitan DNS Filtering is a technique that is used to restrict or block access to certain websites or "domains." In this way—based on implementation—WebTitan DNS Filtering provides protections to create a safer, more productive working environment on the internet.

WebTitan DNS Filtering has other uses and can work with protocols such as ftp and smtp. Still, for this article, we'll focus on its application for web filtering specifically.

WebTitan DNS Filtering effectively allows for advanced network security configurations at the domain level. For example, if you try to visit a website and the domain is found to be malicious—a WebTitan DNS Filtering solution might block or redirect that request to a secure page, depending on its configuration.

I.T. departments initially implemented WebTitan DNS Filtering and configured DNS settings at the router/gateway level on physical machines residing on-premises. However, in recent years, businesses have increasingly outsourced these administration efforts, relying on external support from Internet Service Providers (ISPs) and Managed Security Service Providers (MSSPs). 

Now, you can purchase a premium or enterprise DNS solution, configure your network to process DNS requests through that service, and be up and running with a functional WebTitan DNS Filtering solution in no time. 

However, before making a significant decision that has the potential to impact your network security and future cyber protection plans—you should understand the advantages, limitations, and details about scaling a standard WebTitan DNS Filtering solution for web filtering.

 

Advantages of WebTitan DNS Filtering

There are several critical advantages that a WebTitan DNS Filtering solution provides. But chief among the benefits is the ability to block access to malicious and compromised websites completely and what would be considered "objectionable" sites, such as those hosting content related to pornography, violence, terrorism, and more.

Secondary advantages make WebTitan DNS Filtering an ideal solution for many businesses and organizations:

  • Lightweight
  • Fast
  • Scalable
  • Premium and enterprise-level offering
  • Offers advanced flexibility for policy management and customization.

In addition, every organization operates differently and has unique requirements, cultural norms, and web browsing habits. WebTitan DNS Filtering allows I.T. teams to support custom-tailored configurations with peace of mind.

As mentioned, the most significant advantage WebTitan DNS Filtering gives organizations is the ability to proactively block access to potentially harmful sites, a critical first layer of security and cyber defense. However, when we look at standard payload delivery methods and points of compromise from the various threats online (i.e., malware, ransomware, phishing attacks, etc.) we find a glaring common denominator – good old-fashioned user errors.

With WebTitan DNS Filtering in place and the proper configuration and support from feeds provided by trusted cybersecurity companies, you can put up an essential wall of defense. When network traffic and users have restricted access to undesirable websites (particularly malicious and objectionable sites), several low-hanging security risks are immediately removed.

On top of that, if you're a business owner, you get the added benefit of preventing those users from accessing the types of materials that could hinder their productivity or cause offense to others throughout the day (i.e., social media, questionable blogging sites, etc.).

Security and filtering providers like WebTitan offer hybrid deployment options that support standard WebTitan DNS Filtering and full-path URL filtering and analysis allowing an organization to develop and implement advanced solutions that not only help advanced configurations for blocking, redirection, or allow listing domains but for full-path content categorization, analysis, malicious detection, traffic analysis, and more. For communications companies, security vendors, and others where security is of primary concern—a scalable and secure infrastructure is critical to scalability, agility, and long-term growth.

 

WebTitan DNS Filtering Solutions

It's important to remember and understand that no single cybersecurity solution is 100% effective against our evolving threat landscape. WebTitan DNS Filtering goes a long way towards providing you with critical network infrastructure to protect your internet traffic and users. Still, it also requires a robust strategy and trusted security cybersecurity partners, feeds, and other technologies to provide maximum protection. 

Anti-virus, spam filters, two-factor authentication, and robust remediation policies are critical to defending your networks.

WebTitan DNS Filtering allows organizations to enforce comprehensive, forward-thinking, and robust Internet usage policies, blocking access to malicious website content and other threats that could harm you. You might not be able to prevent yourself from becoming the target of a hacker—but with infrastructure and technologies like WebTitan DNS Filtering in place, you can significantly improve your defences against known threats and reduce the chances of having your network penetrated by accidental user error.

 

WebTitan DNS Filtering Free Trial

Learn more about how WebTitan works and how it can protect your business against malware, phishing, viruses, ransomware, and links to malicious websites. 

Kickstart your WebTitan Free Trial today.

Protect the DNS layer in your organization from advanced threats WebTitan DNS Filter. Book a free demo today and see how it can support your organization.

Book Free Demo

DNS Filtering Frequently Asked Questions (FAQs)

DNS blocking is used to prevent users from accessing certain websites. DNS blocking is a method of content control. DNS blocking occurs at the DNS lookup stage before any content is downloaded, the process is very quick. The easiest way to block DNS and control the types of content that can be accessed is to use a DNS-based web filter

DNS filtering stands for Domain Name System filtering and is a method of preventing users from accessing certain web pages or IP addresses that may be dangerous or suspicious. When you have a DNS server filter enabled, you can browse the Internet knowing that the DNS filter will prevent you from visiting malicious websites by showing you a “block page” explaining the reason.

DNS filtering is the process of using the Domain Name System to block malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets and filter out harmful or inappropriate content. This ensures that company data remains secure and allows companies to have control over what web content employees can access. WebTitans DNS filtering offers you cloud-based DNS Filtering to bring powerful enterprise filtering to all your users, regardless of their location.

DNS filtering and dns filters are designed to combat malware, ransomware, spam attacks, child pornography and other dangerous sites on the web. DNS is both an interpreter and roadmap for the Internet.

DNS filtering is important because it blocks malicious sites. It also allows genuine websites to remain available to users. Effective filtering is an integral element of a company’s cybersecurity strategy.

Get Your 14 Day Free Trial
TitanHQ

Talk to Our Email and DNS Security Team

Call us on US +1 813 304 2544

Contact Us