How Does DNS Filtering Work?

In this post we answer some commonly asked questions about content filtering: what is DNS filtering, how does DNS filtering work, and why is DNS filtering now an essential part of an organization’s security stack?

What is DNS?

DNS is short for Domain Name System and it solves a simple problem. If you want to visit a website, you need to know the name of that website and must enter it into the address bar of your browser. For example, www.hipaaguide.net.

The problem is while that domain name is easy for humans to recognize, it means nothing to a computer. For a computer to find that domain, an IP address is required. An IP address is a string of digits specific to a particular website that tells your computer where to find it. Domain names are for humans. IP addresses are for computers. DNS converts one to the other and basically serves as a phone book. You look up a name (domain name) and the DNS server tells your computer the number (IP address) to allow that website to be found. That means you do not need to remember a string of digits to access a particular website.

When you type in a domain into your browser or click a link in a search engine or email, a connection will be made to a DNS server, the IP address will be found, and you will be directed to the website. Your DNS server will usually be provided by your internet service provider, but not necessarily.

What is DNS Filtering?

DNS filtering is the term given to blocking access to specific domains or webpages at the DNS lookup stage. DNS filtering is used by internet service providers and many businesses to block access to specific web content. An example would be an internet service provider blocking access to websites known to host child pornography, or other content that is illegal to view in your country. A business may want to block access to other types of content that violate its acceptable internet usage policies, such as adult content, social media networks, and websites known to host malware. DNS filtering therefore protects users and their devices, network owners, and helps ISPs comply with government regulations.

How Does DNS Filtering Work?

Traditionally, content control was achieved using a physical appliance. When a user attempts to visit a website, the appliance downloads the content and decides whether the website can be accessed or should be blocked. DNS filtering works at the DNS lookup stage, so no content is downloaded. That makes DNS filtering much quicker and safer. Instead of using your ISP’s DNS server, or a public resolver such as Google or OpenDNS, your DNS server is changed to the one operated by the DNS filtering service provider.

When a request is made, the system first consults its hosts file. This is a local text file that maps domain names to IP addresses. If no entry is present, the DNS server is contacted and a lookup is performed. The IP address is returned and the browser connects to that address.

When DNS filtering is in place, certain controls are applied before the user can access the website. The DNS filtering service checks that the IP address is not present on any blacklists. These are maintained by the service provider or by third parties. In the case of the latter, one of the most common is the blacklist maintained by the Internet Watch Foundation, which contains IP addresses associated with child sexual abuse content. The service provider’s own blacklists include IP addresses associated with malware and phishing. Since all website content is categorized by the service provider, user-defined content controls are also applied, and content is blocked by category or, in some cases, by search terms and keywords found on the webpage.

If the request violates any user-defined policies or the webpage is blacklisted, the request will be denied, the user will not be connected to the site, the attempt to access the IP address will be logged, and the user will be directed to a block page.

Since there is close to zero latency with DNS filtering, there will be no perceivable delay in connecting to a permitted site or the block page if the request is denied.
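As an added example (not code from the original post), the following Python model walks through the lookup steps described above: the hosts file is consulted first, then the filter checks the domain against a blocklist and against the customer’s category policy, logs any denial and answers with the block page address, and otherwise returns the upstream answer. The domains, addresses, blocklist entries and categories are constructed sample values.

```python
from dataclasses import dataclass, field

BLOCK_PAGE_IP = "192.0.2.10"  # constructed: where denied requests are steered (block page)
# Constructed answers standing in for the upstream DNS lookup, so the example runs offline.
UPSTREAM = {
    "www.hipaaguide.net": "198.51.100.20",
    "login.example-bank.invalid": "198.51.100.21",
    "social.example": "198.51.100.22",
}

@dataclass
class FilterPolicy:
    blocklist: set = field(default_factory=set)           # provider/third-party blocklist (domains)
    categories: dict = field(default_factory=dict)        # provider's categorization: domain -> category
    blocked_categories: set = field(default_factory=set)  # categories the customer chose to block

def normalize(name):
    return name.strip().rstrip(".").lower()

def parent_domains(name):
    """Yield the name and each parent (a.b.c, b.c, c) so a listed domain also covers its subdomains."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def check_policy(name, policy):
    """Return None if the request is allowed, otherwise the reason it is denied."""
    for candidate in parent_domains(name):
        if candidate in policy.blocklist:
            return f"blocklisted:{candidate}"
        category = policy.categories.get(candidate)
        if category in policy.blocked_categories:
            return f"category:{category}"
    return None

def resolve(name, policy, hosts=None, log=None):
    """Model the lookup: hosts file, then the filter's policy check, then the upstream answer."""
    name = normalize(name)
    log = log if log is not None else []
    # The hosts file is consulted before any DNS query, so a local entry never reaches the filter.
    if hosts and name in hosts:
        return hosts[name]
    reason = check_policy(name, policy)
    if reason:
        log.append(f"DENY {name} {reason}")  # the blocked attempt is logged ...
        return BLOCK_PAGE_IP                  # ... and the client is sent to the block page
    log.append(f"ALLOW {name}")
    return UPSTREAM.get(name)                 # None stands in for a non-existent domain
```

The hosts-file branch is worth noting from a defender’s point of view: a local hosts entry answers before the filtering resolver is ever asked, so endpoint controls over that file matter as much as the resolver configuration.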

Why is DNS Filtering Important for Security?

Cybercriminals are constantly setting up new webpages that host malicious content. These include webpages that ‘phish’ for information such as login credentials, Social Security numbers, and other sensitive data. Websites are loaded with exploit kits that probe computers for vulnerabilities that can be exploited to download malware and ransomware. Malware downloads can also be triggered by visiting a website even if no vulnerabilities are found.

DNS filters serve as an important security mechanism to block access to malicious websites. DNS filters can also be configured to block the download of files (or certain file types) from the internet to further protect against malware.

The system is not perfect, as in order for a site to be blocked it must first be categorized and determined to be malicious. There will be a delay between a new webpage being created and it being assessed and categorized. DNS filtering service providers regularly scan websites and webpages to keep their blacklists and categorizations up to date but there may be a short delay as the internet contains around 1.5 billion websites and around 130 trillion webpages and new webpages are constantly being created.

A DNS filter can be bypassed using a VPN or anonymizer service that changes the DNS server, but most DNS filtering solutions can be configured to block these anonymizer sites and VPNs.

So, while it is not possible to block 100% of attempts to visit malicious websites or sites that violate company policies, DNS filtering will block the majority of those attempts and will keep users and businesses protected.

Due to the sheer number of malicious websites now being created, and the fact that businesses are being targeted by cybercriminals, DNS filtering is very important for security and should be part of any business security stack.