Cloud computing and remote working have resulted in a seemingly never-ending stream of web-borne cyber-attacks. But in a report from Thycotic, almost three-quarters of black hat hackers said traditional firewall and antivirus security could not stop them. As these traditional security measures adapt to thwart cyber-attacks, the tried and tested hacking tactics, such as phishing and drive-by-download malware, morph to evade detection.
An alternative method of stopping web-borne cyber-attacks at source is DNS filtering, which can be deeply integrated with Microsoft Azure Active Directory (AD) to offer Azure DNS filtering based on user-level access. Here we explain what that is, how it works, and what benefits it gives an enterprise over and above traditional security measures.
A DNS (Domain Name System) underpins the internet by mapping a human-readable domain name to a machine-readable IP address (IP stands for Internet Protocol), e.g.,
IP address: 22.214.171.124
When a user types a web address into a browser, a ‘DNS resolver’ matches this domain to an IP address using DNS servers. In other words, the DNS system resolves the domain name to its IP address. The device then uses this IP address to connect to the server before loading the content.
Things, like a mobile device of a remote worker, also have an IP address. The billions of objects, people, and websites are all dependent on a functioning DNS to deliver content and data.
A DNS is highly distributed and does not rely on a single server. The domains in Azure are hosted on a global network of DNS name servers that are managed by the Azure cloud infrastructure. The whole system is configured to optimize speed and high availability for a given domain. Azure administrators use Azure DNS for services including website hosting, applications, APIs, cloud service hosting, and DNS zone management.
DNS filtering is a method used to stop users from accessing certain websites or IP addresses. This is important because tactics such as phishing and malware-infected websites are successful cyber-attack methods that utilize the internet. DNS filtering works alongside the DNS system. When a DNS resolver is configured to block a certain IP address by adding it to a ‘blocklist’, a user is prevented from navigating to that IP address. Typically, this blocklist contains malicious websites. By the same token, a DNS filter can also allow visits to certain websites by placing them on a ‘white-list’ of safe-to-use sites. DNS filtering can also be applied on a device basis, for example, applying filtering policies to education sector Chromebook users. Azure DNS filtering can be applied to Azure-specific hosted services to create safe zones for users to access.
Azure AD is a directory that can be used to apply role-based access control. Azure DNS filtering uses policies that span an entire organization, applying and monitoring filtering using these policies as applied to AD group membership. WebTitan, for example, is deeply integrated with Azure AD, using an Azure AD Enterprise App to scan any Azure sign-in to find new users. These users are then paired with the IP of any Virtual Machine used to sign in and security and access policies are applied as appropriate.
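A minimal sketch of the per-group decision described above, added here as an illustration and not WebTitan or Azure code: the class and function names, group names, users, domains and IP addresses are all hypothetical and constructed. It assumes that a block in any applicable policy overrides an allow, and that unknown source IPs fall back to a default policy.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    blocklist: set = field(default_factory=set)
    allowlist: set = field(default_factory=set)
    allow_only: bool = False  # True: anything not allow-listed is blocked

def _listed(domain, entries):
    """True if the domain or any parent domain is in entries (whole-label match)."""
    labels = domain.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in entries for i in range(len(labels)))

class DnsFilter:
    def __init__(self, group_policies, default_policy):
        self.group_policies = group_policies  # directory group name -> Policy
        self.default_policy = default_policy  # applied to unknown source IPs
        self.ip_to_user = {}                  # sign-in IP -> user
        self.user_groups = {}                 # user -> list of group names

    def record_sign_in(self, user, groups, source_ip):
        """Pair a signed-in user with the IP of the machine used to sign in."""
        self.ip_to_user[source_ip] = user
        self.user_groups[user] = list(groups)

    def decide(self, source_ip, qname):
        """Return (verdict, reason) for a DNS query arriving from source_ip."""
        user = self.ip_to_user.get(source_ip)
        groups = self.user_groups.get(user, [])
        policies = [self.group_policies[g] for g in groups if g in self.group_policies]
        policies = policies or [self.default_policy]
        # Assumption: a block in any applicable policy wins over any allow.
        if any(_listed(qname, p.blocklist) for p in policies):
            return ("BLOCK", "blocklisted")
        if any(_listed(qname, p.allowlist) for p in policies):
            return ("ALLOW", "allowlisted")
        if any(p.allow_only for p in policies):
            return ("BLOCK", "not on allowlist")
        return ("ALLOW", "default")

def build_demo_filter():
    """Constructed sample data: two groups and two sign-ins."""
    f = DnsFilter(
        {"Students": Policy(allowlist={"school.example"}, allow_only=True),
         "Staff": Policy(blocklist={"phish.example"})},
        default_policy=Policy(blocklist={"phish.example"}))
    f.record_sign_in("alice@corp.example", ["Staff"], "10.0.0.4")
    f.record_sign_in("bob@corp.example", ["Students"], "10.0.0.5")
    return f
```

Matching on whole labels means `login.phish.example` is blocked along with `phish.example`, while an unrelated name such as `notphish.example` is not caught by accident.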
An AI-driven DNS filtering solution, such as WebTitan, uses advanced techniques such as machine learning to protect against even zero-hour threats. When integrated with Azure AD, the security policies needed to manage and control employee access can be automatically applied and managed remotely.
A DNS filtering solution, especially one that can selectively adapt to zero-hour threats, provides major benefits to protect your organization from web-borne cyber-attacks:
Malware-infected websites are used as bait to attract users and infect any devices connecting to the malicious domain IP address. Other sites may contain inappropriate material. Users are encouraged to open such sites using social engineering techniques. If a user navigates to a malicious site, malicious code takes advantage of vulnerabilities in poorly patched or configured browsers, infecting the device with malware.
It can be difficult for traditional antivirus or antispam solutions to prevent the impact of these sites as new variants pop up that are designed to evade detection by traditional security measures. One of the latest tactics is to use Azure apps as a vector for malware infection or credential theft. Hackers use realistic-looking, but malicious, Azure apps to encourage users to navigate to an attacker-controlled website to execute the full attack. The use of a DNS filter stops attacks such as this by cutting off the route to the malicious website. By using a DNS filter based on Azure AD membership, an enterprise can quickly and dynamically map an Active Directory user or role to stop access to established and new malicious websites.
In 2020, 75% of organizations experienced a phishing attack. These attacks often end in a user being encouraged to navigate to a phishing website. Once the user enters that malicious site, login credentials, data, and/or access to corporate resources are at risk. AI-driven smart technology will ensure that even zero-hour threats are mitigated.
Ransomware is the malware of the moment. Ransomware is no longer about encrypting data and extorting money for a decryption key. Now, according to IBM X-Force, 59% of ransomware incidents also include data exfiltration, the stolen data then being used to put pressure on organizations to pay up. However, even if a ransom is paid, there is no guarantee stolen data will not be sold on and used for fraud. Ransomware often infects a company through phishing emails and infected websites. The Verizon Data Breach Investigation Report (DBIR) says that in 85% of data breaches a human being is involved, usually by navigating to an infected website or clicking a link in a phishing email. Azure DNS filtering prevents Azure AD members from becoming part of the 85% of humans that help ransomware infections to propagate.
Remote and homeworking have meant that personal devices are being used for work tasks. However, personal devices are much harder to protect as policies are more difficult to apply and manage remotely. By using an Azure AD DNS filter that uses device-based agents that are remotely managed, even personal devices can be protected from malicious software infections.
Finally, any DNS filter needs to be easy to set up and must be configurable remotely for a cloud-based/remote workforce. Cloud environments are continuously changing, adding new apps and new endpoints, which require appropriate policies for different environments. DNS filters need to be easy to set up, configure, and modify. API-based content filters allow for remote configuration and monitoring. Mapping Azure AD to website access provides an easy way to create security policies on a per-user or per-role basis.
By applying the powerful control of Azure AD integrated DNS filtering to web access, an organization can improve its security posture and reduce web-related risk. A DNS filter offers an organization a way to improve the safe web browsing of its workforce, preventing data and credential theft, ransomware, and other cyber-attacks as well as inappropriate web use.