Why DNS Filtering is the Most Flexible and Scalable Network Protection

Posted by Geraldine Hunt on Fri, Oct 11th, 2019

According to cybersecurity researchers, 66% of malware is installed via malicious email attachments and 64% of organizations experience phishing-related attacks.  Most attacks start with email where messages sent to a targeted user ask the recipient to click a link, download an attachment, or perform an action (e.g. make a bank transfer of funds). Even more concerning, many attackers are spear-phishing, which means that attackers target people with access to specific functions such as finance or IT administration. An effective strategy to stop these attacks is to use DNS-based web content filtering.

What is DNS Filtering?

For every request on the Internet, a specific set of procedures run before a user is able to view content in a browser. One of the first steps is to query the configured DNS server. The DNS server is configured as either a static value assigned to the device’s network card or dynamically configured when the user’s device boots. Enterprise networks usually have their own DNS servers for internal queries, and then they dedicated external DNS servers to Internet queries. Instead of requiring users to remember complex IP addresses (especially since the deployment of IPv6 addresses), DNS allows users to enter friendly names into a browser and queries against name servers return the associated IP address.

Several other requests happen between the client and server handshake, but DNS queries are what links the friendly domain name with the IP address of the server. Old web content filtering involved intercepting requests and blocking domain content based on policies set up by IT administrators, but these methods were imprecise, and users could avoid these filters using several methods.

DNS filtering implements web filtering during the query process. Administrators set up policies that block specific IPs categorized as inappropriate for a corporate environment. Not every IP address blocked will be malicious. Administrators can block IPs that users should not be able to access during business hours, and IPs determined to be malicious can be blocked as well. With efficient content blocking, any queries to access malicious IPs should be logged and the administrator notified. If several users attempt to access the same malicious IP address, alerts tell the administrator that a phishing campaign could be targeting the organization.

DNS Filtering at the Page Level

Because DNS filtering is based on the domain lookup, all pages on one domain would be blocked. For instance, the Medium.com domain hosts several types of content, so blocking the Medium.com would filter out all content on the domain. The latest in cloud DNS-based filtering takes this problem into consideration and blocks based on URLs and pages. With the latest filters, administrators can block specific pages and page content rather than the entire IP address. This gives administrators a more granular approach to web content filtering rather than whitelisting each URL that’s needed by employees for research purposes or marketing. Using the Medium example, administrators can block certain content based on policy categorizations, and then allow appropriate content that employees need to perform work functions.

This hybrid approach to filtering gives administrators a more granular control level over content, and most attacks are page-based rather than domain-based. Attackers can use known hosts and hide pages within harmless, useful content. These pages should be blocked while the rest of the domain is left accessible by employees.

Even with a hybrid approach, IT administrators still have the ability to block entire domains. Blocking an entire domain might be necessary if the same domain has several URLs that could be harmful to network security and stability. Domains that host user-generated content could be subject to malicious content or redirect links that lead to an attacker-controlled site. With a hybrid approach, administrators have the choice to either block the entire domain at the DNS level or block only specific URLs located on the domain.

Web Filtering That Blocks Numerous Phishing Techniques

Attackers have numerous methods to trick users into accessing an attacker-controlled site or download a malicious email attachment. Emails with simple links are also used to trick users into accessing a malicious web page. Any web request is analyzed using cloud DNS-based filters, and content determined to be inappropriate or malicious is blocked.

More importantly, good web filters contain notifications and logging so that an administrator can identify a possible attack should the same IP address be queried by several users. Knowing that a spear-phishing campaign or ongoing attack targets an organization can help avoid costly data breaches by allowing administrators to block malicious emails and attachments that could download malware and infect the network.

WebTitan DNS Filtering  includes market leading content categorization and malicious URL detection and provides real-time, automated updates as new content and malicious sites are detected. WebTitan discovers over 60,000 new malware iterations every single day. More information on the categories available in WebTitan URL Filtering.  WebTitan is highly scalable, supporting small deployments through to ISPs and deployments with millions of users, with exceptional URL query performance. WebTitan provides market-leading accuracy, coverage and malicious website detection with an easy-to-integrate API. Our web categories are collated through real-time advanced analytics and detection from 500 million end-users and no less than 5 trillion web queries per month covering 99.9% of the active web.  

For more information on the WebTitan DNS Filtering, visit our product page. Or better yet, test WebTitan for yourself by signing up for a free trial here. Contact us for additional information or to schedule an evaluation.