Firewalls and web filtering are essential to protecting your organization's networks against unsafe websites. DNS filtering, also called DNS content filtering, is one of the most effective ways to control the connections users on your network make to the internet, because almost every connection begins with a name lookup. It provides a customizable and flexible method to block access to certain domains based on a variety of logical parameters. It does not see connections made directly to an IP address, or lookups that bypass your resolver, so it complements a firewall rather than replacing one. In particular, there are three approaches that work most effectively.
The Most Effective Approaches to DNS filtering
The Domain Name System (DNS) is a phonebook-like directory that maps domain names to records, most importantly the IP addresses of the servers behind them. When a client needs to reach a website, it asks a DNS resolver for the name and receives the machine-readable address (an IPv4 or IPv6 address) that it then connects to.
DNS filtering works by controlling which names the resolver will answer. Queries for domains judged unsafe or inappropriate are refused or redirected, so those sites are, in effect, not found, and only safe and appropriate websites and locations are reachable.
Three of the most effective ways to integrate DNS filtering into your security systems are:
- Manual DNS filtering solutions, for smaller businesses or individuals
- Automated DNS filtering tools, for businesses targeting growth
- Managed DNS filtering services, for larger enterprises
Using some combination of these is the best way to control which websites individual users are able to access. But to get the most out of them, it’s critical to understand how they work.
Small Scale: Manual DNS filtering
Individuals and smaller businesses, such as start-ups, may begin their DNS filtering journey with manual methods. Internal IT staff can configure basic DNS blocking on the organization's resolver for websites and other locations that are known to be dangerous. They will also need to anticipate and prevent workarounds, because the filter only protects clients that actually use that resolver: hand the resolver out via DHCP, block outbound DNS (port 53, and DNS-over-TLS on port 853) from anything other than the resolver itself at the firewall, and be aware that browsers configured for DNS-over-HTTPS will bypass the filter unless that feature is disabled by policy. Ideally, these processes should be automated.
The primary benefit of this approach is its relatively low barrier to entry. Its main costs are those associated with recruiting, training, and retaining staff to install and maintain the controls. This is the most rudimentary approach, but it still requires real IT expertise, such as a practical understanding of how DNS resolution works and how clients can circumvent it.
This method may be simple to install for a small organization, but it will be difficult to manage as your business grows. Scaling organizations face considerably more risk as staff and third-party networks grow, and manual management of block lists quickly becomes unfeasible.
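A manual setup of the kind described above, as an added example that is not part of the original article: this Python script turns a hand-maintained deny list into a response policy zone (RPZ) file that a resolver such as BIND or Unbound can load. The domain names, the allow-list exception and the serial number are constructed sample data, and the `localhost.` SOA and NS owner is the conventional placeholder for a local policy zone.

```python
"""Build a response policy zone (RPZ) from a hand-maintained deny list.

Added example, standard library only.  All names below are constructed
sample data, not real threat intelligence.
"""
import re
from datetime import date

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name: str):
    """Lower-case a list entry, strip whitespace, a trailing dot and any
    leading '*.' (the wildcard is added by build_rpz itself).  Returns
    None for entries that are not valid multi-label hostnames."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        return None
    return name


def prune_covered(names) -> list:
    """Drop entries already covered by a parent entry: the parent's
    wildcard record blocks every subdomain, so a child entry is noise."""
    kept = set()
    for n in sorted(set(names), key=lambda n: n.count(".")):
        parts = n.split(".")
        if any(".".join(parts[i:]) in kept for i in range(1, len(parts))):
            continue
        kept.add(n)
    return sorted(kept)


def build_rpz(deny, allow=(), serial=None, sinkhole=None) -> str:
    """Return the zone file text.

    'CNAME .' is the RPZ action for NXDOMAIN; with a sinkhole address the
    action becomes local data (an A record) so blocked users land on an
    internal block page instead of an error.  Allow entries get
    'CNAME rpz-passthru.', and because an exact name takes precedence over
    a wildcard in ordinary DNS matching, they punch a hole in the deny."""
    if serial is None:
        serial = int(date.today().strftime("%Y%m%d") + "01")
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    action = f"A {sinkhole}" if sinkhole else "CNAME ."
    for d in prune_covered(filter(None, map(normalize, deny))):
        lines.append(f"{d} IN {action}")
        lines.append(f"*.{d} IN {action}")
    for a in sorted(set(filter(None, map(normalize, allow)))):
        lines.append(f"{a} IN CNAME rpz-passthru.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: mixed case, a trailing dot, a redundant
    # child entry, an explicit wildcard and one invalid single-label entry.
    sample_deny = ["Evil.Example.", "login.evil.example", "*.tracker.example", "bad"]
    print(build_rpz(sample_deny, allow=["safe.evil.example"]))
```

Load the resulting file as a policy zone on the resolver (in BIND, via `response-policy`; in Unbound, via an `rpz:` block), bump the serial on every regeneration, and remember that the zone only helps if clients cannot reach any other resolver.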
Soon, you’ll need to consider whether to implement one of the options listed below.
Manual Filtering Pain Point: Phishing
One major drawback of manual solutions to DNS filtering is the lack of flexibility and coverage beyond basic website filtering. Namely, this approach is ill-equipped to mitigate phishing, which is consistently among the most common initial-access techniques in reported breaches. With attackers targeting organizations with increasingly sophisticated phishing scams, the best filtering solutions should integrate protections for email, SMS, and other communication methods.
Manual DNS filtering can block attempts to lure employees to malicious websites, but only for domains already on its list. Phishing campaigns typically use freshly registered or recently compromised domains that may be live for only hours, so a hand-maintained list is always behind; the most advanced attacks are designed to stay ahead of basic web filters.
Medium-Scale: DNS Filtering Tools
Growing businesses should seek out DNS filtering software designed to automate and optimize the filtering and blocking processes. It offers significantly more protection and scalability compared to manual solutions. But depending on the tool, costs can vary widely.
The two primary kinds of solutions most organizations should consider are:
- Open-source filtering tools – Free DNS or web filtering software most apt for small-to-medium businesses, such as ClearOS, Untangle, or Squid. Note that Squid is an HTTP proxy that filters URLs rather than DNS queries; tools that filter at the DNS layer include Pi-hole and resolvers such as BIND or Unbound loaded with a response policy zone (RPZ).
- Proprietary filtering tools – Products based on closed software offered by trusted leaders in the industry, such as the OpenDNS family of cloud resolvers. These are best suited to growing businesses that anticipate a large volume of web traffic.
Note that all OpenDNS content filtering products are now distributed by Cisco, which acquired OpenDNS in 2015. The consumer-level suites have retained OpenDNS branding, whereas their enterprise products carry Cisco Umbrella branding. For many of these more robust programs, installation and maintenance of the software can be resource-intensive.
Large-Scale: Managed DNS Filtering
The best approach for larger businesses, or those scaling rapidly, is leveraging a managed security service provider (MSSP) to coordinate all DNS content filtering. Working with a trusted cybersecurity partner facilitates initial implementation and integration of your web filter and other firewall infrastructure, along with long-term maintenance and adjustments.
An additional benefit of working with a DNS filtering service provider is organization-wide cybersecurity awareness training. The best MSSPs will design and conduct training programs to educate your staff on how the filter works and what they need to do to contribute to your culture of security. Your MSSP may also periodically assess your filtering solution to ensure it’s patched, updated, and delivering on—or exceeding—expectations.
DNS Filtering Compliance Considerations
If your business generates, stores, processes, or otherwise comes into contact with sensitive data, you may be subject to cybersecurity regulations. Regulatory authorities may explicitly require robust DNS content filtering, or it may be a best practice for compliance.
For example, if your business handles protected health information (PHI) subject to HIPAA, you'll need technical safeguards, typically including firewalls and filters, that prevent inappropriate use and disclosure of PHI. Or, if you process credit card transactions or cardholder data (CHD), you'll need to configure firewalls and web filters in compliance with the PCI DSS framework. Neither standard names DNS filtering specifically, but both require you to restrict the connections systems handling this data can make, and a DNS filter is a practical part of that control.
In any case, managed services empower the most effective filtering.
How Does DNS Filtering Work?
DNS content filtering works similarly to, and in conjunction with, firewalls: both decide whether a client may reach a destination, but a DNS filter decides by name before any connection is opened, while a firewall decides by address and port once a connection is attempted.
When a user enters a domain name in a browser window, the client asks its DNS resolver to translate that name into an IP address, much as 192.168.1.1 is the address behind your router's settings page. Note that the address is not unique to a domain: many unrelated sites can share one address behind a content delivery network, which is one reason filtering on the name is more precise than filtering on the address. From this point, there are two common configurations that the DNS filter will use to grant or deny access:
- Deny list – Also known as a "blacklist," this system's logic is "allow all except." Any website is accessible unless it appears on the list. This list may be informed by internal or external threat intelligence, and it must be updated continuously as new malicious domains appear.
- Allow list – Also known as a "whitelist," this system operates on the principle that only websites specifically marked as acceptable are accessible; everything else is blocked by default. The list may be determined manually or by a combination of automated and manual inputs.
With the appropriate DNS filters in place, whenever a user queries any domain name, the filter checks the name (and usually its parent domains) against the rules before resolving it. An allowed name is forwarded to an upstream resolver as normal. A blocked name is answered with an error (NXDOMAIN) or with the address of an internal sinkhole page, so the client never learns the real address and never opens the connection.
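The decision logic just described, as an added example that is not part of the original article or of any vendor's product: a small standard-library Python module that parses a DNS query, applies deny-list or allow-list policy with matching on label boundaries, and builds the NXDOMAIN or sinkhole response the client would receive. The domain names, the sinkhole address and the sample query are constructed.

```python
"""Policy decision and response construction for a DNS filter.

Added example, standard library only.  The allow/deny entries and the
queries built here are constructed sample data.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

QTYPE_A = 1
RCODE_NXDOMAIN = 3

# Constructed sample policy (hypothetical names, not real threat intelligence).
DENY = {"evil.example", "tracker.example"}
ALLOW = {"safe.evil.example"}  # explicit exception inside a denied zone


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_question(packet: bytes):
    """Return (txid, flags, qname, qtype) from a single-question DNS query."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not belong in a question name
            raise ValueError("compressed label in question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, flags, ".".join(labels), qtype


def _covered(name: str, entries) -> bool:
    """Suffix match on label boundaries: 'evil.example' covers
    'login.evil.example' but must not cover 'notevil.example'."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in entries for i in range(len(parts)))


def decide(qname: str, allow, deny, default: str = "allow") -> str:
    """Deny-list mode is default='allow' (allow all except); allow-list mode
    is default='block' (block all except).  Explicit allow entries win."""
    if _covered(qname, allow):
        return "allow"
    if _covered(qname, deny):
        return "block"
    return default


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Constructed client query with the RD flag set, for offline testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, action: str, sinkhole: Optional[str] = None) -> Optional[bytes]:
    """None means 'forward to the upstream resolver'; otherwise a complete
    response.  Blocked names get NXDOMAIN, or a sinkhole A record when a
    sinkhole address is configured and the client asked for an A record."""
    if action == "allow":
        return None
    txid, flags, qname, qtype = parse_question(query)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    base = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080  # QR, AA, echoed RD, RA
    if sinkhole is None or qtype != QTYPE_A:
        return struct.pack("!HHHHHH", txid, base | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, base, 1, 1, 0, 0)
    # Answer: pointer to the question name (offset 12), A, IN, TTL 60, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 60, 4) + IPv4Address(sinkhole).packed
    return header + question + answer


if __name__ == "__main__":
    q = build_query(0x1234, "login.evil.example")
    print(decide("login.evil.example", ALLOW, DENY), build_response(q, "block").hex())
```

The label-boundary check in `_covered` is the detail most home-grown filters get wrong: a plain string suffix test would let `evil.example` block `notevil.example`, and the reverse mistake lets attackers register look-alike parents of allowed names.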
The most effective DNS filtering systems, like Cisco Umbrella, function as an extra layer in front of your firewalls: a blocked name is refused before any packet to the destination exists, which also catches traffic a port-based rule would have allowed, such as malware calling home over port 443. They are fed with threat intelligence, so newly observed malicious domains are blocked without a manual rule. Working with a quality MSSP ensures that the filter, and all other systems it is connected to or impacts, are operating effectively.
Optimize Your DNS Filtering with RSI Security
If your organization is in the early stages of cybersecurity development, you may find that one of the smaller-scale approaches to DNS filtering meets your current needs. However, over time, you will likely be faced with rapidly growing risks that make DNS content filtering maintenance overly burdensome for your internal personnel. That’s where we come in.
RSI Security offers a range of proactive web filtering services, focusing primarily on the OpenDNS enterprise suite, Cisco Umbrella. Our experts specialize in all elements of DNS filtering management, including initial installation, ongoing maintenance, and tailored training programs. We’ll help you rethink your approach to DNS filtering and optimize security ROI.
Contact RSI Security today to learn more about optimal DNS filtering requirements.