The Domain Name System (DNS) is a cornerstone of the internet. DNS servers connect URL names that humans can read to unique Internet Protocol (IP) addresses that web browsers can understand. Without DNS, we’d all be typing in long, seemingly random combinations of characters and numbers in order to get anywhere online! However, this dependency opens up the possibility for misuse. From domain hijacking and cache poisoning to Denial of Service attacks, DNS is no stranger to being attacked or even scarier, being an attack vector!
It’s not difficult to see why attackers would use DNS as an attack vector. Any application that uses the internet uses it, even though a majority of internet traffic is web content. This includes email, peer-to-peer sharing, RDP, SSH, etc. Fortunately, this crucial component of the internet can be used defensively as well. DNS filtering can prevent users from downloading malware without also blocking legitimate files by accident. Let’s explore how this process works and why it’s a useful tool for IT and security teams.
Methods for filtering malware
Malware is one of the major plagues of modern computing and many security providers spend ample time trying to prevent users from accessing malicious files on the internet. One of the easiest ways to keep users from downloading malware is to simply block access to servers hosting malicious files. There are companies whose entire purpose is to sell services that identify malicious actors. This is typically referred to as “Threat Intelligence.” Once you know which servers and sites are bad, the next step is to prevent users from connecting to them. There are multiple ways to do this, and they each have advantages and drawbacks.
It would be easy to simply block malicious sites based on IP address, but this usually isn’t practical. Unfortunately, modern server configurations allow a single IP address to host many different services. Also, many different domain names can map to the same IP address, which generally makes blocking bad sites by IP address too broad. In practice, this means IT ends up blocking legitimate websites and services along with the malicious ones, which frustrates users and makes it harder for them to accomplish their work.
On the other hand, filtering based on full URLs achieves greater fidelity against individual files served by web servers. This approach avoids the problem of blocking too many legitimate sites, but requires a lot of extra work from IT. Since URLs are application protocol-specific, this level of protection ends up requiring a unique filtering implementation per application protocol (HTTP vs FTP). Many businesses don’t have the resources to implement this successfully.
Not too broad, not too granular
DNS sits smack dab in the middle of the two methods described above. Filtering by DNS is more precise than IP address filtering, but not as work- intensive as URL filtering. For example, if malicious files are served up by only one domain name out of four that map to an individual IP address, blocking by domain name will not interrupt the other three domains (whereas blocking by IP address would interrupt all four domains). The level of precision that DNS filtering offers keeps organizations safe from malware without making IT departments seem “heavy-handed” and frustrating employees by unnecessarily blocking important sites and services.
DNS is also application protocol agnostic, so blocking by domain name will block connections to malicious links no matter which application initiates the connection. There are very few applications today that don’t connect to the Internet, and they all resolve human readable names into IP address. For example, regardless of whether you read your email using a thick client like Outlook or use a web UI like Gmail, clicking on a malicious link will result in the same resolution of the same name. The same goes for documents.
Clicking on a malicious link in Acrobat Reader or Microsoft Word results in the same resolution of the same name regardless of document type or application. That means DNS-level filtering will block malicious links in all of these scenarios without needing to be customized to the specific application or protocol in use. With workers accessing corporate data from multiple devices, checking email on their phones and using applications that IT might not even know about, the flexibility provided by DNS filtering is extremely useful.
DNS filtering considerations
In security, it’s important to remember that no single solution is foolproof and DNS filtering is no exception. Servers using custom application protocols on odd ports to perform malicious activity like botnet attacks usually require IP address blocking. Malicious activity on non-Web protocols like SMTP require full domain name blocking.
Lastly, malicious content hosted on a file sharing or content delivery network requires full URL blocking because most of the content on the CDN is legitimate. No one level of network blocking is foolproof either. As every seasoned security professional knows, the best security is layered security. Therefore, the best network blocking solutions will allow filtering at all three network levels: IP, Domain and URL.
One of the other advantages of DNS filtering is that many solutions available on the market integrate seamlessly into your current infrastructure. Instead of pointing your internal DNS server to your ISPs upstream DNS server, you point it to DNS servers from these solutions that provide protection.
Putting it all together
DNS is incredibly important to everything we do on the internet in our daily lives. The old method of blocking by IP address is inadequate, as many individual servers can serve up many different, mostly legitimate services. And even though we do just about everything in our web browser, blocking by URLs can be too narrow. The gap left over can be filled by blocking by domain names.
Remember, because of our heavy reliance on the internet, DNS-based filtering is essential for businesses today since it removes an avenue of attack that you couldn’t close down otherwise.