Having a solid cybersecurity plan is vital for all businesses, but some elements tend to be forgotten.
One of them is DNS filtering, which is the more technical term for internet filtering and can be an important tool for making sure that your network stays safe from malicious websites and content.
What is DNS Filtering?
DNS filtering is also called DNS redirection. The idea is that if the user attempts to access a known malware site, their attempt will be blocked and a warning posted explaining why the attempt was blocked.
This can help, for example, protect your employees from typosquatters (they typo a domain name and end up on a malicious site) and phishing attempts.
DNS filtering can also be used to block time-wasting sites, but a relatively light hand should be used; blocking a lot of sites is likely to hurt employee morale and make productivity worse. However, it can be used to block access to social media, known pornography sites, and heavy data streaming (which can matter for small offices with limited bandwidth or if you do a lot of teleconferencing). Overall, DNS filtering is a useful tool for preventing employees from deliberately or accidentally going to inappropriate or malicious sites.
Why is DNS Filtering Important?
DNS filtering matters because people are not perfect. We can educate our employees to check URLs and not click links on emails, but people are going to make mistakes. Filtering forms the second line of defense to help keep people away from malicious sites.
In addition, keeping unauthorized employees off Facebook can reduce their risk of being caught out by malicious links in Messenger and by other social engineering attacks. The service can also be configured to block the download of certain types of files. For example, by blocking .exe files, the service will keep out viruses that are hidden using a trick such as naming a file file.jpg.exe. To a user, only the first file extension is visible, so the file looks like a harmless picture rather than a dangerous executable. It can be configured to prevent torrenting and other high-bandwidth activities, which can also ensure that employees do not download copyrighted material illegally (such material also often contains malware or is corrupted in ways that can result in data damage).
How, Exactly, Does it Work?
So, how does DNS filtering actually work? It’s a multi-step process. The service acts as your DNS server, translating human-readable domain names into the IP addresses computers need. When somebody attempts to go to a website, the DNS filter will:
- Check the IP address (not the domain name) against a blacklist maintained by the service provider or a third party (businesses can adjust the blacklist to suit their needs). The blacklist will contain everything from IP addresses associated with malware to illegal content such as child pornography.
- If the IP address matches the blacklist, the request is blocked.
- The attempt to access the address is logged. This can be used for discipline or to establish whether there is a phishing problem. For example, if multiple employees attempt to get to the same blocked site at once, it is very likely that they received some kind of phishing email, which is often sent out in bulk.
- The user is directed to a page with an error message. The error message should say, if possible, why the site was blocked. You may also want to have it suggest that people double-check the URL for typos or remind them of acceptable use.
If the IP address does not match the blacklist, the user is seamlessly redirected to the site they intended to go to. In theory, users should not notice anything until a site is blocked.
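The decision steps above, modelled as an added example (not code from the original article or from any filtering product): a query is checked against a domain-level list and against the address it resolves to, a block is logged and answered with the block-page address, an allowed query gets its real answer, and the log is then scanned for the "several users hit the same blocked site within minutes" pattern the article describes as a phishing indicator. The zone table, blocklists, block-page address and user names are all constructed stand-ins.

```python
"""Constructed model of the DNS-filter decision steps described in the article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed stand-ins for real DNS resolution and for a provider blocklist.
FAKE_ZONE = {
    "intranet.example.com": "10.0.0.20",
    "paypa1-login.example.net": "203.0.113.7",   # constructed typosquat
    "cdn.updates.example.org": "198.51.100.9",
}
BLOCKED_DOMAINS = {"paypa1-login.example.net"}   # domain-level entries
BLOCKED_IPS = {"198.51.100.9"}                   # IP-level entries
BLOCK_PAGE_IP = "10.0.0.99"                      # hypothetical block-page host


@dataclass
class Decision:
    domain: str
    allowed: bool
    answer: Optional[str]   # address handed back to the client
    reason: str


def _domain_listed(name: str) -> bool:
    # A listed domain blocks itself and every name beneath it (domain-level blocking).
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)


def filter_query(domain: str, user: str, ts: datetime, log: list) -> Decision:
    """Resolve one query, block it if listed, log the block, hand back an answer."""
    name = domain.lower().rstrip(".")
    ip = FAKE_ZONE.get(name)
    if _domain_listed(name):
        reason = "domain on blocklist"
    elif ip in BLOCKED_IPS:
        reason = "resolved address on blocklist"
    else:
        # Not listed: the client gets the real answer and notices nothing.
        return Decision(name, True, ip, "allowed" if ip else "no such name")
    # Blocked: record who tried what, then steer the client to the block page.
    log.append({"ts": ts, "user": user, "domain": name, "reason": reason})
    return Decision(name, False, BLOCK_PAGE_IP, reason)


def phishing_bursts(log: list, window=timedelta(minutes=10), min_users=3) -> dict:
    """Blocked domains that several distinct users hit inside one time window."""
    by_domain = defaultdict(list)
    for entry in log:
        by_domain[entry["domain"]].append(entry)
    flagged = {}
    for domain, entries in by_domain.items():
        entries.sort(key=lambda e: e["ts"])
        for i, first in enumerate(entries):
            users = {e["user"] for e in entries[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                flagged[domain] = len(users)
                break
    return flagged


def demo():
    """Constructed morning: one intranet visit, three people clicking the same lure,
    one hit on a listed address, one query for a name that does not exist."""
    log = []
    t0 = datetime(2024, 1, 15, 9, 0)
    decisions = [filter_query("intranet.example.com", "alice", t0, log)]
    for minutes, user in [(1, "alice"), (2, "bob"), (4, "carol")]:
        decisions.append(filter_query("www.paypa1-login.example.net", user,
                                      t0 + timedelta(minutes=minutes), log))
    decisions.append(filter_query("cdn.updates.example.org", "dave",
                                  t0 + timedelta(hours=3), log))
    decisions.append(filter_query("nosuchhost.example", "erin", t0, log))
    return decisions, phishing_bursts(log)


if __name__ == "__main__":
    for d in demo()[0]:
        print(d)
    print("possible phishing blast:", demo()[1])
```

The burst check is deliberately simple (a sliding window over the block log keyed by domain); in a real deployment the same signal comes from the provider's reporting console, and the threshold should be tuned to the size of the organisation.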
Unlike older forms of internet filtering, DNS filtering adds almost no latency, so users see no perceptible delay. Also, because it works through the cloud, it can be configured to protect your remote workers and people who travel as well. You can adjust what you filter to the needs of your business. A good filter will also block unapproved VPNs and so-called avoidance domains such as proxies.
Another advantage of using a DNS filter is that it keeps your company’s traffic off of public DNS services that may sell or manipulate your DNS data. Thus, it also helps improve your privacy and that of your employees. However, a poorly-configured filter may actually encourage employees to go to insecure free DNS services instead.
What Are the Limitations?
DNS filtering does have a few limitations, which need to be considered and filled in using other methods. Here are some of the things it can’t do or ways in which it is limited:
- DNS filtering relies, like traditional virus control, on a database. This is generally maintained by the service provider, and they may also use external databases. This means that your users will not be protected from a site that just cropped up and hasn’t made it into the database yet. The better the provider, the faster they react.
- People can still use the cellphone network to access distracting sites during work hours or to get to illegal content.
- It’s possible to get around DNS filters by such measures as switching to a public DNS server or using a proxy. You need to block both with a good firewall.
- As already mentioned, blocking too many websites can result in annoyed workers who are working hard, but would like to do limited, reasonable personal activities during a break or lunch.
- Using DNS filtering on BYOD (bring your own device) can cause problems when people attempt to use the device for safe personal uses or even, in some cases, connect to their own network.
- False positives are rare with modern DNS filtering, but can still occur. One limitation of DNS filtering is that it blocks everything at the domain level. A “false positive” could also mean that the site you are trying to access has been compromised. It can then be hard for the site’s owner to get it back off the list. If a known friendly site is suddenly being blocked, it’s worth contacting the owner of the site and letting them know so they can take appropriate measures.
- It’s easy for bad actors to simply change their domain name, and this can sometimes turn into an “arms race” between the filtering provider and the crooks. Most cybercriminals are fast to abandon sites that have ended up being blacklisted.
- DNS filtering is not compatible with DNSSEC, which is designed to protect users from malicious redirects and so-called “DNS poisoning,” which is used in some phishing techniques. Thus, you may have to decide which is more important to your company. For many companies, DNS filtering is more useful, but it’s worth thinking about depending on your sector and the kind of data you handle.
DNS filtering should ideally be an extra layer of security for when education and dealing with the human factor fail. It has to be used properly, and one important thing is to make sure your end-users can’t simply change the DNS server. A good approach is to configure the firewall to allow outbound DNS requests only from your own server. You should also restrict access to DNS-over-HTTPS servers, which can also be used to circumvent DNS filtering.
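One way to verify the bypass controls this paragraph (and the "changing to a public DNS server or using a proxy" limitation above) call for, as an added example that is not code from the original article: it scans constructed flow records for plain DNS sent anywhere other than the filtering resolver and for HTTPS connections to known DNS-over-HTTPS endpoints, and it renders the nftables rules that would enforce the "DNS only from our own server" policy. The resolver address, the DoH endpoint list, the flow records and the assumption of an inet table named filter with a forward chain are all placeholders; a real deployment would load the DoH endpoint list from a maintained feed.

```python
"""Constructed check for DNS-filter bypass in firewall flow logs (added example)."""
import ipaddress

# Hypothetical address of the filtering resolver that all clients should use.
INTERNAL_RESOLVER = ipaddress.ip_address("10.0.0.53")
# Placeholder list of known DNS-over-HTTPS resolver addresses (constructed; a real
# deployment would populate this from a maintained feed of public DoH endpoints).
KNOWN_DOH_ENDPOINTS = {ipaddress.ip_address("203.0.113.1")}

# Constructed flow records: proto src dst dport
SAMPLE_FLOWS = """\
udp 10.0.1.10 10.0.0.53 53
udp 10.0.1.11 192.0.2.53 53
tcp 10.0.1.12 203.0.113.1 443
tcp 10.0.1.13 198.51.100.44 443
udp 10.0.1.14 10.0.0.53 53
"""


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into (proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, dst, dport = line.split()
        flows.append((proto, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(dport)))
    return flows


def find_bypass(flows: list) -> list:
    """Return (src, dst, reason) for flows that sidestep the filtering resolver."""
    findings = []
    for proto, src, dst, dport in flows:
        if dport == 53 and dst != INTERNAL_RESOLVER:
            # Client talking to some other resolver: the filter never sees the query.
            findings.append((str(src), str(dst), "plain DNS to an outside resolver"))
        elif dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
            # Ordinary-looking HTTPS, but the destination is a DoH resolver.
            findings.append((str(src), str(dst), "DNS-over-HTTPS endpoint"))
    return findings


def nft_policy(resolver_ip: str) -> list:
    """nftables rules that let DNS reach only our resolver (assumes table inet filter,
    chain forward; adapt to the firewall actually in use)."""
    return [
        f"nft add rule inet filter forward ip daddr {resolver_ip} udp dport 53 accept",
        f"nft add rule inet filter forward ip daddr {resolver_ip} tcp dport 53 accept",
        "nft add rule inet filter forward udp dport 53 drop",
        "nft add rule inet filter forward tcp dport 53 drop",
    ]


if __name__ == "__main__":
    for finding in find_bypass(parse_flows(SAMPLE_FLOWS)):
        print("bypass:", *finding)
    print("\n".join(nft_policy(str(INTERNAL_RESOLVER))))
```

The DoH check only catches endpoints already on the list, which mirrors the article's point about database lag: unknown resolvers on port 443 look like any other web traffic, so the firewall rules for port 53 are the reliable control and the DoH list is a supplement.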
Remember that it’s important to make sure employees know why DNS filtering is in place and that it is at least in part to help keep them and their data safe.
Is DNS Filtering Hard to Use?
No. You don’t have to worry about the databases they use, and most providers will let you block sites by category, so you only have to determine what needs to be blocked to best serve your business’ needs.
Once the system is set up, you don’t have to do anything unless you decide to make changes. The services are held in the cloud, and if one DNS filter server goes down, a good provider will automatically route your traffic to a different one to prevent noticeable downtime.
IT may have to do some work on firewall and admin settings to prevent users from circumventing the system. If you have outsourced or managed IT, they will take care of this for you and may be able to recommend a service or specific tool that they like to use. They may also offer DNS filtering as part of an overall cybersecurity package.
Bear in mind that DNS filtering should be part of your overall cybersecurity stack. It’s not something that you can completely rely on, especially with the growth of social engineering type attacks and the speed at which crooks can move. However, it can help protect your company’s data from mistakes made by employees.
If you need overall, ongoing assistance with your company’s IT and cybersecurity needs, contact Applied Innovations today. We can help you with DNS filtering and other security services such as OS patching, service monitoring, and centralized malware protection. You need the best cybersecurity options available, even if in-house IT is beyond your reach, and we can help.