With the US Thanksgiving holiday just past, it got us thinking about IT security tools to be grateful for. Clichés aside, I’m thankful for DNS (really!). Passwords are hard enough to remember; imagine if we had to remember IP addresses instead of domain names. Thankfully, DNS lets us use the Internet by remembering names, while our computers translate those names into the IP addresses needed to move information between websites, email servers and file servers and your web browser or email client. Seriously, how can you not be thankful for DNS?
Even though the concept of DNS is simple to understand, you might have some misconceptions about DNS filtering that get in the way of making it work safely and reliably. So I’ll share the most common problems I’ve seen IT pros run into while securing their DNS infrastructure over the years, and hopefully bust the most common myths at the same time.
The first objection I hear is that antivirus alone is enough. Sure, but antivirus can only catch malware it already knows about, and only while it’s running; end users are notorious for turning off antivirus and the local firewall to avoid sluggish performance or to install software they “need” to do their job (or sometimes, really, to distract themselves from doing their job!). Managing this isn’t always as simple as enforcing domain policies; sometimes the culprits are in the executive suite. And antivirus cannot block content that isn’t infected but still isn’t appropriate for work, such as porn, gambling, politics, or social media. See where I’m going with this?
Small businesses can be (and many have been) crippled by copyright infringement suits – the business is liable for how its network is used. If an end user is serving up pirated movies from your IP address, can your business afford the fine? If an employee accidentally gets infected with a spam bot, it’s your IP address that will be blacklisted and blocked, and your email that will no longer be delivered.
Web-delivered malware can affect the entire business. If CryptoLocker or one of its ever-evolving variants destroys a shared drive containing overtime logs or customer invoices, who loses out? And there are other viruses that may be lurking undetected (Uroburos went undiscovered for years), silently stealing information or waiting to deliver a destructive payload.
I know that web filtering will not prevent all of these, but having multiple layers of security lowers the risk. In my opinion, you need web filtering, spam filtering, endpoint antivirus, sensible firewall rules, up-to-date software, regular reliable backups, and an aware workforce. Leaving a single door open makes all the rest of the locks pointless.
The next myth is that DNS filtering is complicated. Nope! It builds on an ordinary DNS lookup, which takes just three steps:
1. Query: You type a web address into the browser, which triggers a DNS query for the host name.
2. Lookup: The DNS server configured on your network interface (usually handed out by your DHCP server) receives the query; if the answer isn’t already in its cache, it works through the root, TLD and authoritative name servers to find the IP address for that name.
3. Response: As long as the name exists and has an address record, the corresponding IP address is returned, and your browser then uses that IP address to communicate directly with the web server for that domain (and usually caches the answer for future reference).
Please note the last clause in #3 above: once the DNS reply carrying the web server’s IP address has been received, DNS is no longer involved in the communication between your browser (or other application software) and that server.
This is what makes DNS usable as a very basic, low-latency (fast!) and low-bandwidth filter to protect users from phishing sites, botnets and other risky websites, and as a way to prevent access to inappropriate NSFW (not suitable for work) websites. With a DNS filter backed by a database of categorized websites (and a quick server/database behind it), the decision is made in the blink of an eye: lookups for permitted sites get the real IP address, while lookups for forbidden sites get the address of a block-page server instead. The flip side of step 3 is that a DNS filter never sees the traffic itself, so a destination reached directly by IP address is not affected, and on an HTTPS site the block page trips a certificate warning rather than displaying cleanly.
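To make the three-step lookup and the filter’s decision concrete, here is an added example in Python; it is not code from this post or from any filtering product. It parses a raw A query, classifies the name against a small constructed category database (matching the most specific listed suffix, so a subdomain of a listed phishing domain is caught too), and answers either with the real address or with the block-page address. The domain names, the `10.0.0.250` block-page address, the `192.0.2.x` upstream answers and the `upstream_resolve` stand-in are all assumptions for the example.

```python
import socket
import struct

# Constructed sample category database for this example; the domains are made up.
CATEGORY_DB = {
    "example-bank.test": "finance",
    "login.example-phish.test": "phishing",
    "c2.example-botnet.test": "botnet",
    "social.test": "social-media",
}

# Categories the policy blocks; names in no known category are allowed through.
BLOCKED_CATEGORIES = {"phishing", "botnet", "social-media"}

# Assumption: blocked names are answered with this address, which serves the block page.
BLOCK_PAGE_IP = "10.0.0.250"

# Constructed stand-in for the recursive resolution a real filter would perform.
FAKE_UPSTREAM = {"www.example-bank.test": "192.0.2.10", "example-bank.test": "192.0.2.10"}


def upstream_resolve(qname):
    """Stand-in for a recursive lookup: returns a constructed address for known names."""
    return FAKE_UPSTREAM.get(qname.lower(), "192.0.2.1")


def categorize(qname):
    """Category of qname, matching the most specific listed suffix first, so
    'www.login.example-phish.test' is classified by 'login.example-phish.test'."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None


def is_blocked(qname):
    return categorize(qname) in BLOCKED_CATEGORIES


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    """A minimal DNS query (QTYPE 1 = A); flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, qname, qtype, raw question section) from a query packet."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not valid in a query name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, ".".join(labels), qtype, packet[12:offset + 4]


def build_a_response(txid, question, ip, ttl=60):
    """NOERROR response with one A record; flags 0x8180 = response, RD, RA."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the name at offset 12 (the question).
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def handle_query(packet):
    """The filter's decision: blocked names get the block-page address,
    everything else gets whatever upstream resolution returns."""
    txid, qname, qtype, question = parse_question(packet)
    if qtype != 1:
        raise ValueError("this example handles A queries only")
    ip = BLOCK_PAGE_IP if is_blocked(qname) else upstream_resolve(qname)
    return build_a_response(txid, question, ip)


def first_a_record(response):
    """Dotted address from the first answer of a response built above."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    offset = 12
    while response[offset] != 0:          # skip the question name
        offset += 1 + response[offset]
    offset += 1 + 4                       # terminator, QTYPE, QCLASS
    _name, _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", response[offset:offset + 12])
    return socket.inet_ntoa(response[offset + 12:offset + 12 + rdlen])


if __name__ == "__main__":
    for name in ("www.example-bank.test", "www.login.example-phish.test", "social.test"):
        reply = handle_query(build_query(0x1234, name))
        print(name, "->", first_a_record(reply), "(blocked)" if is_blocked(name) else "")
```

Wiring `handle_query` to a UDP socket on port 53 is all that separates this from a working (if tiny) filtering resolver; the point to take from it is that the only thing the filter controls is the answer to the lookup, which is exactly why it is cheap and fast.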
DNS logging will show which lookups people have performed, but not which sites they actually visited, nor for how long. For that level of detail, you’ll need a fast local proxy/filter to look at all of the actual web traffic. For most small-to-medium-sized businesses, I’m not going to lie, this is overkill. For larger organizations, there are often valid reasons for including a local web filter and proxy that justify the extra expense and IT personnel overhead, though.
In most cases, simply configuring your DHCP server to hand out the cloud filter’s resolvers as the primary and secondary DNS servers (on a small business network this is usually all in your Internet gateway appliance, which combines the router, network switch and firewall) is good enough to block the majority of web-delivered malware and prevent access to productivity-killing (Facebook) and bandwidth-gobbling (YouTube, Netflix) sites.
But of course “smart” end users may try to get around your filters. You know the culprits here: it’s amazing how clever these guys can be when they want to get to Facebook, yet how easily they forget how to reach the file server. Ha! They’ll find a proxy service or change the DNS settings locally on their computer if you haven’t locked it down (you’ve locked down their computers, right?).
No web filtering approach is invulnerable to circumvention; both appliance-based and cloud DNS filtering services can be bypassed. But you can take simple steps to limit your end users’ ability to reach forbidden websites. It’s time to roll up your sleeves and set some firewall rules on your Internet gateway/router! The rule is simple: allow DNS only to your approved DNS service and drop every other DNS request. If you use an external DNS server, allow port 53 (UDP, and TCP as well, since DNS falls back to TCP for truncated and large answers) only to the IP addresses of your chosen filtering service’s resolvers. Keep in mind that a port 53 rule does not see DNS carried over HTTPS (port 443) or TLS (port 853), which determined users and some software can use to sidestep it.
If you have your own locally hosted internal DNS server, allow outbound port 53 (UDP and TCP) only from your internal DNS server’s internal IP address to the external IP addresses of the primary and secondary servers it is configured to forward to. In other words, local computers query your local DNS server, and only your DNS server queries the web filtering DNS service on the Internet.
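The egress policy for the internal-resolver case, written out as an added example (mine, not the post’s, and not any vendor’s configuration). It models the gateway’s rule chain as ordered first-match rules, evaluates constructed packets against it, and renders the same rules as iptables commands. The LAN resolver `192.168.1.2` and the filtering service addresses `203.0.113.10`/`.11` are assumptions; the last check shows the limit of a port-53 rule, which says nothing about DNS tunnelled over port 443.

```python
from ipaddress import ip_address

# Assumed addresses for the example (not from the page): the internal DNS server
# on the LAN and the two resolver addresses of the chosen filtering service.
INTERNAL_DNS = ip_address("192.168.1.2")
FILTER_RESOLVERS = [ip_address("203.0.113.10"), ip_address("203.0.113.11")]

# Ordered egress rules for the gateway's LAN-to-Internet path; first match wins.
# None means "any". DNS uses TCP as well as UDP (truncated and large answers),
# so both protocols are allowed on the approved path and dropped everywhere else.
EGRESS_RULES = [
    {"src": INTERNAL_DNS, "dst": FILTER_RESOLVERS, "protos": ("udp", "tcp"), "dport": 53, "verdict": "ACCEPT"},
    {"src": None, "dst": None, "protos": ("udp", "tcp"), "dport": 53, "verdict": "DROP"},
]
DEFAULT_VERDICT = "ACCEPT"  # non-DNS traffic is governed by other rules, not shown here


def packet(src, dst, proto, dport):
    """A constructed packet summary: just the fields the rules look at."""
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto, "dport": dport}


def _matches(rule, pkt):
    if rule["src"] is not None and pkt["src"] != rule["src"]:
        return False
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    if pkt["proto"] not in rule["protos"]:
        return False
    return pkt["dport"] == rule["dport"]


def egress_verdict(pkt):
    """Evaluate the chain top to bottom, as the firewall would."""
    for rule in EGRESS_RULES:
        if _matches(rule, pkt):
            return rule["verdict"]
    return DEFAULT_VERDICT


def render_iptables(chain="FORWARD"):
    """The same rules as iptables commands, in the order they must be appended."""
    lines = []
    for rule in EGRESS_RULES:
        for proto in rule["protos"]:
            for dst in (rule["dst"] or [None]):
                cmd = ["iptables", "-A", chain]
                if rule["src"] is not None:
                    cmd += ["-s", str(rule["src"])]
                if dst is not None:
                    cmd += ["-d", str(dst)]
                cmd += ["-p", proto, "--dport", str(rule["dport"]), "-j", rule["verdict"]]
                lines.append(" ".join(cmd))
    return lines


if __name__ == "__main__":
    print("\n".join(render_iptables()))
```

Order matters: the ACCEPT for the internal resolver has to be appended before the catch-all DROP, or the resolver itself loses Internet DNS and every client lookup fails.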
I think DNS filtering belongs in your security arsenal; for web filtering, it’s just such an easy and straightforward option. Most routers and firewalls will let you block port 53 (DNS traffic). By changing which DNS servers your DHCP server hands out, a single configuration change in one place (on most small networks, the router), you can effectively prevent access to risky sites and protect your network.
Now for some cold, hard truths. First, technology isn’t the only part of the solution to website access; an acceptable usage policy is also required. Bet you aren’t surprised by that, huh? People should be told ahead of time what is and isn’t allowed, and made aware of the consequences: they aren’t only risking their own jobs, but potentially putting every other employee and the business at risk. And secondly, the speed and performance of DNS servers vary. Slow or unreliable resolution means slow and less reliable web browsing, so run speed tests against candidate DNS servers and compare them before you commit.
So what are you thankful for? I’d also love to hear any of your own web filtering or DNS myths or facts, or some of your experiences with DNS in general. Just email firstname.lastname@example.org to chat.