
Experts often describe the Domain Name System (DNS) as a phone book for the Internet. Every website is connected to a unique IP address, and DNS enables web browsers to translate domain names into those IP addresses. Most domains are harmless and serve a legitimate purpose, but phishing pages and malware are hosted on malicious domains, which threaten data privacy and user safety.

DNS filtering allows organizations to block users from accessing certain websites to:

  • Keep employees from accessing non-productive websites during work hours.
  • Prevent employees from accidentally accessing compromised and malicious websites.
  • Stop employees from divulging sensitive information to phishing websites.

From a cybersecurity perspective, blocking malicious web content is integral to a successful multi-layered security strategy. Compromised and spoofed websites are a standard part of the cybercriminal toolset. 

Preventing users from accessing known malicious websites can dramatically improve your organization's security posture. In addition, DNS filtering makes it much harder for cybercriminals to impersonate trusted contacts and execute phishing campaigns.

How Does DNS Filtering Work? 

Every website is reached through its domain name, which resolves to an Internet Protocol (IP) address. Every networked machine (web servers, application servers, and web services) has an assigned IP address, which lets a user's computer locate and connect to remote computers; this addressing underpins the communication of the World Wide Web.

The Domain Name System (DNS) makes it easier for humans to use the internet and removes the requirement to remember all those number-only IP addresses. Instead, the DNS system translates readable alphanumeric names and words into a corresponding IPv4 or IPv6 address. DNS servers are located worldwide, mapping IP addresses to their respective domain names—like a worldwide telephone directory for websites.

DNS filters are designed to combat malware, ransomware, spam attacks, child pornography, phishing hosts, and other dangerous sites on the web. Since DNS maps domain names to IP addresses, it acts as an interpreter and roadmap for the internet. Usually, when a browser queries a DNS server, an IP address is returned, allowing the browser to connect to a web server and make a request to open a website at the specific IP address.

DNS filtering services use the Domain Name System to block malicious website threats and filter out harmful web content. They ensure that network data remains secure and allow organizations to control what their staff can access on company-managed networks.

A DNS server with content filtering refuses the lookup for a blocked domain instead of returning its IP address, so the browser never connects. This also helps organizations protect internal assets by blocking known malicious sites. Traditionally this function was performed at the router level by blocking IP addresses or filtering ports; DNS filtering is a powerful and efficient alternative for organizations without high-end routers. Cloud-based DNS filters capture web requests from local and remote employees alike and block inappropriate or malicious domains.
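The decision a filtering resolver makes for each query, as an added example that is not TitanHQ's code: a blocklist keyed by domain and category, a per-group policy, and a choice between answering NXDOMAIN or redirecting to a block page. All domains, categories and the 192.0.2.10 block-page address are constructed sample data.

```python
from typing import Dict, Optional, Tuple

# Constructed sample policy data; not TitanHQ's feed or rule format.
BLOCKLIST: Dict[str, str] = {          # domain -> category from a threat/content feed
    "phish.example": "phishing",
    "malware-cdn.example": "malware",
    "social.example": "social-media",
}
ALLOWLIST: Dict[str, bool] = {         # explicit exceptions maintained by the IT team
    "intranet.social.example": True,
}
GROUP_POLICY: Dict[str, set] = {       # categories each user group may not reach
    "default": {"phishing", "malware"},
    "staff": {"phishing", "malware", "social-media"},
    "marketing": {"phishing", "malware"},   # marketing is allowed social media
}
BLOCK_PAGE_IP = "192.0.2.10"           # documentation address standing in for a block page


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Phish.Example.' matches 'phish.example'."""
    return name.rstrip(".").lower()


def longest_suffix_match(name: str, table: Dict[str, object]) -> Tuple[int, Optional[object]]:
    """Walk from the full name to its parents and return (matched label count, value).

    'login.phish.example' is checked as itself, then 'phish.example', then 'example',
    so a feed entry for a parent domain also covers every subdomain beneath it.
    """
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return len(labels) - i, table[candidate]
    return 0, None


def decide(qname: str, group: str, mode: str = "nxdomain") -> Tuple[str, Optional[str]]:
    """Policy decision for one query.

    Returns ('allow', None) when the resolver should answer normally,
    ('block', 'NXDOMAIN') when it should reply that the name does not exist, or
    ('block', <ip>) when it should redirect the browser to the block page.
    """
    block_depth, category = longest_suffix_match(qname, BLOCKLIST)
    blocked_categories = GROUP_POLICY.get(group, GROUP_POLICY["default"])
    if category is None or category not in blocked_categories:
        return "allow", None
    allow_depth, _ = longest_suffix_match(qname, ALLOWLIST)
    if allow_depth >= block_depth:      # a more specific (or equal) allow entry wins
        return "allow", None
    if mode == "redirect":
        return "block", BLOCK_PAGE_IP
    return "block", "NXDOMAIN"


if __name__ == "__main__":
    for qname, group in [("login.phish.example.", "staff"), ("Social.Example", "marketing"),
                         ("intranet.social.example", "staff"), ("www.example.org", "staff")]:
        print(qname, group, decide(qname, group, mode="redirect"))
```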

Get Started with TitanHQ's DNS Filtering Solution.

Did You Know?

  • 72% of businesses experienced a DNS attack
  • 60,000 malware and spyware domains categorised a day
  • 53 predefined categories by default
  • 7% of websites tested by Google for malware were infected

How Does DNS Filtering Software Know Which Websites to Block?

DNS filters must be constantly updated with the latest threat intelligence information to more accurately block the latest malicious domains from being loaded in a browser. If a compromised website isn't listed in a DNS filtering database, the filter can't prevent users from accessing it.

Many different threat intelligence services maintain databases of compromised IP addresses. Whenever a partnered cybersecurity service identifies malicious activity from a new website, they contribute that information to one of these threat intelligence providers.

DNS filtering solutions are only as reliable as the data they access. High-quality filters with comprehensive databases can catch and block malicious websites faster than others. A continuously updated filter will update its database with the latest threats to keep your organization safe.

The best threat intelligence providers proactively search for evidence of malicious web activity. However, only some providers can offer comprehensive coverage for the entire internet. The best MSP DNS filtering solutions rely on input from many threat intelligence services so that filters block threats more accurately. 

How Vital Is DNS Filtering In 2024 and the Future?

DNS remains a vulnerable, highly targeted component for exploits and cyberattacks. For example, cybercriminals can spoof DNS replies, feeding false information that redirects users from legitimate websites to malicious ones.

The sheer size of the internet makes it easy for cybercriminals to create new malicious websites. Thousands of new websites are registered every second, putting pressure on threat intelligence providers to keep up. As soon as a security provider detects malicious activity on a newly registered website, cybercriminals can stand up a new one and continue their attacks.

Due to its critical function within the Internet and the enterprise, DNS is a primary target for hackers, so securing it is imperative. An effective DNS security strategy entails blocking malicious queries and servicing good ones. Performance should be preserved, and legitimate queries must pass filters and return results.

DNS plays a vital role in a layered network security strategy in which multiple approaches to cyber defense are required. This multi-tiered approach reduces the possibility of a successful hacking attack.

Protect your organization's DNS layer from advanced threats with WebTitan DNS Filter. Book a free demo today to see how it can support your organization.


How Does DNS Filtering Fit into an Effective Security Strategy?

DNS filtering cannot stop every threat. All organizations should build layers of security, and an attacker must bypass several of them before access to data is granted. A DNS filtering solution is one layer but should not make up your entire strategy.

Along with DNS filtering, organizations should have a network security strategy with port monitoring, intrusion detection systems, intrusion prevention systems, antivirus and antimalware applications, and firewalls. These necessary security layers work cohesively to create a functional and highly effective security protection system.

Compared to sophisticated detection-based systems, DNS filtering offers some clear advantages for security-conscious organizations:

  • Maintaining a successful DNS filtering policy requires fewer resources than many sophisticated detection-based technologies.
  • DNS filtering informed by high-quality threat intelligence providers can protect users from zero-day threats before all the details of the threat are known.
  • Modern DNS filtering technologies are built to return very few false positives.

Even with its advantages, DNS filtering has some risks:

  • DNS filters are not bulletproof. Some attackers are clever enough to bypass them.
  • Users can use proxies to hide their origin and reach the blocked IP address directly.
  • Modification of the DNS protocol could lead to unforeseen security issues and technical bugs.

For more information about DNS filtering myths, see this recent blog post: 4 Myths about DNS Filtering and Some Truths.

No system is bulletproof, and while cybercriminals constantly change domain names, solutions such as DNS filtering are highly effective in countering their cloaking efforts. WebTitan DNS Filtering does this by categorizing an estimated 60,000 malware and spyware domains daily based on threat intelligence, tracking down dangerous sites, and blocking them. 

A schematic illustrating this process is below:


Examining DNS Structure

The Domain Name System (DNS) was designed to make it convenient for the public to use the internet. As mentioned earlier, it translates domain names to the matching IP addresses of the hosted devices. DNS allows us to use https://www.google.com instead of http://74.125.224.72/ to initiate a search. In short, it is the internet's primary directory service. 

The DNS system that services the internet is a distributed system anchored by a collection of root name servers dispersed worldwide. Under the root servers are top-level domains (.com, .org, .net) followed by second-level domains (Google, TitanHQ, Microsoft). 

These domains form DNS zones, which may consist of one or more domains (for example, google.com is a domain). A set of authoritative name servers is assigned to each DNS zone.

An authoritative name server can be either a primary or a secondary server. The primary holds the original read/write copies of the zone records, while a secondary maintains only read-only copies of those records, updated from the primary through replication.

DNS servers use TCP port 53 for zone transfers to keep the secondary synced with the primary zone file. Intruders can use this mechanism to download the contents of a name server's zone file. To prevent this, administrators should block zone transfer requests from any device that is not an authorized secondary name server. Port 53 is often used to tunnel unauthorized traffic, and an organization’s IT team should monitor suspicious traffic.

What is Reverse DNS?

A reverse DNS lookup or reverse DNS resolution (rDNS) is querying the Domain Name System (DNS) to determine the domain name associated with an IP address—the reverse of the standard "forward" DNS lookup of an IP address from a domain name.

Reverse lookup is often valuable for determining the legitimacy of an IP address. For example, your DNS filter may look up forward and reverse DNS entries to discover whether they consistently match one another.

If the forward and reverse records disagree, that discrepancy may indicate a compromised or misconfigured host. This is one of the valuable investigative capabilities that high-quality DNS filtering solutions provide to organizations.
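The forward/reverse consistency check described above (forward-confirmed reverse DNS), as an added example that is not WebTitan's code. The PTR and A records are constructed sample data served from dictionaries so the check runs offline; the lookup callables are the assumed seam where a live resolver would plug in.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample records standing in for live DNS answers.
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.25": ["mail.example.org."],         # reverse and forward agree
    "198.51.100.7": ["cdn.example.net."],        # reverse names a host that resolves elsewhere
    "203.0.113.9": [],                           # no reverse record published at all
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.example.org.": ["192.0.2.25"],
    "cdn.example.net.": ["203.0.113.44"],
}


# Lookup callables; a live deployment would replace these with resolver queries
# (for example dnspython's dns.resolver.resolve(name, "PTR") and resolve(name, "A")).
def ptr_lookup(ip: str) -> List[str]:
    return PTR_RECORDS.get(ip, [])


def a_lookup(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def reverse_name(ip: str) -> str:
    """The name a resolver actually queries for a PTR record (works for IPv4 and IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr: Callable[[str], List[str]] = ptr_lookup,
           fwd: Callable[[str], List[str]] = a_lookup) -> dict:
    """Forward-confirmed reverse DNS: each PTR name must resolve back to the same address.

    status is 'consistent' when at least one PTR name maps back to ip,
    'mismatch' when none do, and 'no-ptr' when the address has no reverse record.
    """
    names = ptr(ip)
    if not names:
        return {"ip": ip, "query": reverse_name(ip), "status": "no-ptr",
                "ptr": [], "confirmed": []}
    confirmed = [n for n in names if ip in fwd(n)]
    status = "consistent" if confirmed else "mismatch"
    return {"ip": ip, "query": reverse_name(ip), "status": status,
            "ptr": names, "confirmed": confirmed}


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(fcrdns(ip))
```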

How are DHCP and DNS Related?

Under the standard IPv4 Internet protocol, DNS is often tightly integrated with the Dynamic Host Configuration Protocol (DHCP). A DHCP server automatically provides IP addresses and other information to DHCP-enabled clients, such as the identity of DNS name servers. A DHCP server can assign static and dynamic IP addresses, but public web servers need a static IP to stay available.

In IPv6 networks, DHCP may or may not provide DNS information, since Router Advertisement (RA) messages can carry it instead. Whether you use IPv6 or IPv4, you must protect DHCP as well in order to protect DNS and web content.


Types Of DNS Attacks

DNS is a double-edged sword primarily because of the numerous bypasses and exploits available, making it vulnerable to these types of attacks:

Dynamic DNS (DDNS)

While DDNS legitimately allows a domain name's address to change quickly and hosts servers on temporary addresses, it is abused by botnet operators and phishers who change addresses rapidly to avoid detection. Filters often block dynamic DNS hosts.

DDNS makes it difficult for DNS filters to keep up with malicious activity. Even if the filter blocks some of the addresses, it may be unable to stop them all without sophisticated DNS-layer protection.

Fast Flux DNS

Fast Flux DNS is another way cybercriminals can rapidly alter DNS addresses to hide malware and phishing delivery sites behind an ever-changing network of compromised hosts acting as proxies.

Attackers achieve this by exploiting a load-balancing technique called round-robin DNS. Typically, this type of service is designed for websites with content on several redundant servers in different countries worldwide. 

Packet Amplification

This technique is known as a Smurf attack (named after the Smurf DDoS malware). It is a distributed denial-of-service attack in which many ICMP packets carrying the intended victim's spoofed source IP are sent to a network's IP broadcast address, so every host on that network answers the victim.

This attack leverages the disparity in bandwidth consumption between the attacker and the targeted resource. Attackers send small queries that produce large, resource-intensive responses, and the spoofed source address makes the server direct those responses at the target.

DNS Amplification

This popular form of DDoS relies on publicly accessible open DNS servers to overwhelm a victim system with DNS response traffic. It is called a "DRDoS Attack" (Distributed Reflection and Amplification Denial of Service). 

This attack starts with a DNS lookup request to an open DNS server in which the source address is spoofed to that of the intended target. When the DNS server returns the (much larger) record response, it is delivered to the target the attacker has chosen rather than to the attacker.

DNS Tunnelling

DNS tunneling involves encoding data into DNS queries and responses. These payloads typically let attackers remotely manage a compromised system through a server application under their control.

This attack often relies on DNS infrastructure connected to a compromised system, which provides cybercriminals with potential access to the internal DNS server. Additionally, the attack relies on the fact that DNS traffic can sometimes bypass firewalls and other systems without scrutiny.
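Detection logic for the tunnelling pattern described above, as an added example that is not the product's code: each resolver log line is scored for oversized labels, high-entropy labels and record types commonly used to carry payloads, and a domain is reported when several of its queries trip more than one signal. The log lines are constructed; the two-label base-domain rule is a simplifying assumption (production code should use the Public Suffix List).

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed sample resolver log: timestamp, client, query type, query name.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 A www.example.com
2024-05-01T10:00:02 10.0.0.5 TXT _dmarc.example.com
2024-05-01T10:00:03 10.0.0.5 A static-content-eu-west-1.example.net
2024-05-01T10:00:04 10.0.0.9 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f.t.exfil.example
2024-05-01T10:00:05 10.0.0.9 TXT f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6.t.exfil.example
2024-05-01T10:00:06 10.0.0.9 TXT 8a9b0c1d2e3f4a5b6c7d8e9f6a7b8c9d0e1f2a3b4c5d6e7f.t.exfil.example
2024-05-01T10:00:07 10.0.0.9 TXT f7e6d5c4b3a2f1e0d9c8b7a6f9e8d7c6b5a4f3e2d1c0b9a8.t.exfil.example
2024-05-01T10:00:08 10.0.0.5 A mail.example.com
"""

MAX_LABEL = 30            # a single DNS label longer than this is unusual for human-named hosts
ENTROPY_LIMIT = 3.5       # bits per character; encoded payloads approach 4.0 for hex, higher for base32/64
TUNNEL_TYPES = {"TXT", "NULL"}   # record types that carry free-form data back to the client


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    # Assumption: the registered domain is the last two labels.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def query_signals(qtype: str, qname: str) -> List[str]:
    """Independent indicators for one query; a legitimate TXT lookup trips at most one."""
    labels = qname.rstrip(".").split(".")
    signals = []
    if any(len(label) > MAX_LABEL for label in labels):
        signals.append("long-label")
    if shannon_entropy(labels[0]) > ENTROPY_LIMIT:
        signals.append("high-entropy")
    if qtype.upper() in TUNNEL_TYPES:
        signals.append("tunnel-qtype")
    return signals


def suspicious_domains(log_text: str, min_signals: int = 2, min_hits: int = 3) -> Dict[str, dict]:
    """Base domains with at least min_hits distinct query names tripping min_signals indicators."""
    stats = defaultdict(lambda: {"queries": 0, "flagged": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines rather than crash the job
        _ts, client, qtype, qname = parts
        entry = stats[base_domain(qname)]
        entry["queries"] += 1
        if len(query_signals(qtype, qname)) >= min_signals:
            entry["flagged"].add(qname.lower())
            entry["clients"].add(client)
    return {d: {"queries": e["queries"], "flagged": len(e["flagged"]), "clients": sorted(e["clients"])}
            for d, e in stats.items() if len(e["flagged"]) >= min_hits}


if __name__ == "__main__":
    for domain, info in suspicious_domains(SAMPLE_LOG).items():
        print(domain, info)
```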

What Is A DDoS Attack?

A Distributed Denial of Service (DDoS) attack is the deliberate overloading of a device to make it unavailable to legitimate traffic. A DDoS usually originates from large numbers of bots or zombie devices, collectively called a botnet, under the control of one central machine. A zombie device could be a user's computer, a router, or an IoT device.

The motivation behind these attacks can be to bring down a business competitor or as a form of extortion in which the victim must pay a ransom to stop the packet onslaught. One of the most significant attacks on record was a targeted attack against large cloud hosts, including Amazon, Google, and CloudFlare, in 2023, with a peak of 398 million requests per second. 

How To Prevent DNS Attacks

Security administrators can configure DNS to mitigate common security issues. One common issue is a server that accepts and answers DNS requests from any source on the internet. DNS servers that automatically accept incoming requests like this are called open resolvers. Cybercriminals exploit open resolvers to launch cyberattacks against their targets, and your DNS server can quickly become one.

Configure your DNS server to restrict its ability to respond to DNS requests from any address on the Internet. Only allow in-house recursive servers for your company's IP subnets. If you are operating an extranet, this should also include customer ranges. 

Remember that many (if not most) DNS resolvers across the internet are open resolvers. They have yet to be secured or are meant to be publicly available. Test your IP address for open resolvers here.

Although there is no guaranteed way to stop a DNS attack, the following measures can mitigate damage:

  • DNS blocking for security against phishing and spam can help stop DNS attacks. It makes it difficult for malware on a compromised device to locate the malicious domains or websites used in the attack.
  • Configure your authoritative DNS servers to use DNS response rate limiting.
  • DNS traffic should be throttled depending on the type of DNS packet. For example, a zone transfer reply would have a higher threshold than a reply for the name of the DNS server.
  • Work with your Internet provider to block or throttle traffic you do not want on your network.
  • Monitor your network and make a note of client IPs using unusual amounts of bandwidth.
  • Publicly exposed sites should be load-balanced and include resource reserves for additional bandwidth and CPU cycles to handle increased loads caused by an attack. Google endorses this practice. 
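The response rate limiting and per-packet-type throttling recommended in the list above, as an added example that is not a specific server's implementation: a token bucket keyed by client network, query name and response type, with separate rates per response type and the "slip" behaviour that sends every second limited answer truncated (TC=1) so genuine clients retry over TCP while spoofed sources get nothing useful. Rates, addresses and names are constructed.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class ResponseRateLimiter:
    """Token bucket per (client network, query name, response type).

    Modelled on the response rate limiting offered by authoritative name servers;
    constructed example, not a particular product's code.
    """

    def __init__(self, default_rate: float = 5.0, rates: Optional[Dict[str, float]] = None,
                 slip: int = 2, ipv4_prefix: int = 24):
        self.default_rate = default_rate
        self.rates = rates or {}          # per response type, e.g. a lower rate for NXDOMAIN replies
        self.slip = slip                  # every slip-th limited response goes out truncated; 0 = never
        self.ipv4_prefix = ipv4_prefix    # spoofed sources are bucketed by network, not by host
        self.buckets: Dict[Tuple[str, str, str], dict] = {}

    def _key(self, client_ip: str, qname: str, rtype: str) -> Tuple[str, str, str]:
        addr = ipaddress.ip_address(client_ip)
        prefix = self.ipv4_prefix if addr.version == 4 else 56
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), qname.rstrip(".").lower(), rtype)

    def decide(self, client_ip: str, qname: str, rtype: str, now: float) -> str:
        """Return 'send', 'truncate' (reply with TC=1 so a real client retries over TCP) or 'drop'."""
        rate = self.rates.get(rtype, self.default_rate)
        key = self._key(client_ip, qname, rtype)
        b = self.buckets.setdefault(key, {"tokens": rate, "last": now, "limited": 0})
        elapsed = max(0.0, now - b["last"])           # tolerate out-of-order timestamps
        b["tokens"] = min(rate, b["tokens"] + elapsed * rate)
        b["last"] = now
        if b["tokens"] >= 1.0:
            b["tokens"] -= 1.0
            return "send"
        b["limited"] += 1
        if self.slip and b["limited"] % self.slip == 0:
            return "truncate"
        return "drop"


if __name__ == "__main__":
    rl = ResponseRateLimiter(default_rate=2.0, rates={"NXDOMAIN": 1.0}, slip=2)
    for i in range(6):   # six identical reflected queries in the same second
        print(i, rl.decide("198.51.100.7", "www.example.org", "NOERROR", 100.0))
```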

For any organization that takes network security seriously, protecting DNS infrastructure should be vital to its enterprise security plan. A little time and effort spent on DNS security can provide immediate and significant security benefits. For more about WebTitan DNS filtering, click here.

How Does DNS Filtering Work in Shared Offices?

Many organizations have employees logging in from coworking spaces around the world. Some enterprises may keep most of their workforce in distributed environments like these, but managing an effective DNS filtering policy under these conditions takes work.

A shared coworking space may share network infrastructure with hundreds of different organizations. This high degree of connectivity may only be protected by a free wireless internet connection with a single password shared by every customer.

Virtual Private Networks (VPNs) represent one of the most straightforward solutions for addressing DNS risks associated with remote workers in shared infrastructure environments. However, maintaining an organization-wide VPN policy is an expensive and complex undertaking.

As a result, organizations are increasingly moving towards managed DNS service providers. By entrusting their DNS-level security to a managed service provider, they can effectively leverage a scalable solution for managing DNS security. MSP DNS filtering allows organizations to implement strict filtering policies for employees who log in from shared coworking spaces.

MSPs Can Use DNS Protection to Keep Their Customers Safe

Managed service providers are under pressure to manage complex security environments in a scalable and cost-effective way. They must deploy and secure various security technologies that fit their customers' unique security risk profiles. This can present problems for DNS-level security workflows that rely on in-house resources and manual processing.

MSPs who package robust, scalable DNS filtering solutions into their services can offer their customers better security performance. Solutions like WebTitan DNS filtering open the customer landscape to include highly distributed remote teams that are difficult to secure using traditional DNS solutions.

Introducing WebTitan DNS Filtering

At its core, WebTitan DNS Filtering is a technique used to restrict or block access to certain websites or domains. Depending on how it is implemented, it provides protections that create a safer, more productive working environment on the Internet.

WebTitan DNS Filtering has other uses and can work with protocols such as FTP and SMTP. Still, for this article, we'll focus on its specific application for web filtering.

WebTitan DNS Filtering effectively allows for advanced network security configurations at the domain level. For example, if you try to visit a website and the domain is found to be malicious—a WebTitan DNS Filtering solution might block or redirect that request to a secure page, depending on its configuration.

IT departments initially implemented WebTitan DNS Filtering and configured DNS settings at the router/gateway level on physical machines residing on-premises. Still, in recent years, businesses have increasingly outsourced these administration efforts, relying on external support from Internet Service Providers (ISPs) and Managed Security Service Providers (MSSPs). 

Now, you can purchase a premium or enterprise DNS solution, configure your network to process DNS requests through that service, and be up and running with a functional WebTitan DNS Filtering solution in no time. 

Before making a significant decision that has the potential to impact your network security and future cyber protection plans, you should understand the advantages, limitations, and details of scaling a standard WebTitan DNS Filtering solution for web filtering.

Advantages of WebTitan DNS Filtering

WebTitan DNS filtering provides several critical advantages. Chief among them is the ability to block access to malicious and compromised websites and what would be considered "objectionable" sites, such as those hosting content related to pornography, violence, terrorism, and other inappropriate content.

Secondary advantages make WebTitan DNS Filtering an ideal solution for many businesses and organizations:

  • Lightweight
  • Fast
  • Scalable
  • Premium and enterprise-level offering
  • Offers advanced flexibility for policy management and customization

In addition, every organization operates differently and has unique requirements, cultural norms, and web browsing habits. WebTitan DNS Filtering allows I.T. teams to support custom-tailored configurations with peace of mind.

As mentioned, the most significant advantage WebTitan DNS Filtering gives organizations is the ability to proactively block access to potentially harmful sites, a critical first layer of security and cyber defense. However, when we look at standard payload delivery methods and points of compromise from the various threats online (e.g., malware, ransomware, phishing attacks, etc.), we find a glaring common denominator—good old-fashioned user errors.

With WebTitan DNS Filtering in place and the proper configuration and support from feeds provided by trusted cybersecurity companies, you can put up an essential wall of defense. When network traffic and users have restricted access to undesirable websites (particularly malicious and objectionable sites), several low-hanging security risks are immediately removed.

In addition, if you're a business owner, you get the added benefit of preventing users from accessing materials that could hinder their productivity or cause offense to others throughout the day (e.g., social media, questionable blogging sites, etc.).

Security and filtering providers like WebTitan offer hybrid deployment options that combine standard WebTitan DNS Filtering with full-path URL filtering and analysis. This lets an organization go beyond advanced configurations for blocking, redirecting, or allow-listing domains to full-path content categorization, analysis, malicious-content detection, traffic analysis, and more. For communications companies, security vendors, and others where security is a primary concern, a scalable and secure infrastructure is critical to scalability, agility, and long-term growth.

WebTitan DNS Filtering Solutions

It's important to remember that no single cybersecurity solution is 100% effective against the evolving threat landscape. WebTitan DNS Filtering goes a long way toward providing critical network infrastructure to protect your internet traffic and users. Still, it also requires a robust strategy and trusted cybersecurity partners, feeds, and other technologies to provide maximum protection.

Antivirus, spam filters, two-factor authentication, and thorough remediation policies are critical to defending your networks.

WebTitan DNS Filtering allows organizations to enforce comprehensive, forward-thinking, and robust Internet usage policies, blocking access to malicious website content and other threats that could harm you. You might not be able to prevent yourself from becoming the target of a hacker—but with infrastructure and technologies like WebTitan DNS Filtering in place, you can significantly improve your defenses against known threats and reduce the chances of having your network penetrated by accidental user error.

Get Started with WebTitan DNS Filtering

Learn more about how WebTitan works and how it can protect your business against malware, phishing, viruses, ransomware, and links to malicious websites. 


Frequently Asked Questions (FAQs)

What is DNS Blocking?

When a user requests a website domain from a browser, DNS filtering examines the request and determines whether it should be completed. Because DNS filtering runs on the DNS protocol during the name lookup, a malicious request is blocked before any malicious content can be downloaded to the user's local device.

How do I Use a DNS Server Filter?

Users don’t need extra steps to work with a DNS filter. Organizations incorporate a DNS filter with their DNS system, either in the cloud or on-premises. WebTitan DNS filtering allows for customizations and preferences to configure user groups and their settings to provide granular control of web filters.

What is Domain Name System DNS filtering and Redirection?

Instead of using proxies, a DNS filtering system hosted on a domain name system performs a lookup against a threat database to determine if a website is malicious. Because all browsers use DNS to perform a name lookup, malicious domains can be blocked more effectively by validating domain legitimacy during every DNS query.

What is DNS Filtering?

Implementing DNS filters into your network means user browsers receive a warning message whenever a malicious site is requested. A DNS filter can block malware, ransomware, phishing, drive-by downloads, trojans, and other web-based attacks.

Why is DNS Filtering Important?

Organizations are constant targets for web-based threats, but DNS filters block threats from being downloaded to a user’s device. It’s an organization's first line of defense to protect data from web-based attacks.