GoodAccess logo
News: Introducing Threat Blocker for Online Protection.
Join our webinar on March 30
hosted by our CEO, Michal Cizek.

DNS Filtering Explained: How it works and its usage

DNS filtering is a security technique that protects against malware by blocking access to malicious sites. It is a kind of automated access control that allows companies to protect against data theft and prevent harmful content from being downloaded to user devices.

GoodAccess DNS filtering - how it works

Table of Contents

What is DNS?

DNS stands for Domain Name System. It refers to the translation of domain names to the appropriate IP addresses.

A domain name
is what you see in the address bar (URL window) of your web browser; in this case it says goodaccess.com. Domain names are easy for humans to understand and remember, but machines use numerical IP addresses to know where to send traffic. This means that before you can access content on a website or an online application, your device has to retrieve the IP address via a series of steps collectively known as DNS resolution.


What is DNS resolution?

DNS resolution is how your device obtains the IP address of the server it is trying to access.


Once your device receives the correct IP address, the domain is resolved.


DNSSEC

DNSSEC, or Domain Name System Security Extensions, refers to a number of security improvements that patch up some vulnerabilities of the domain name system and protect it from misuse.

Attackers may exploit DNS by “listening in” on the communication and intercepting information like email addresses, eavesdropping on phone conversations, or redirecting users onto fraudulent and phishing websites. DNSSEC counters this by implementing asymmetric cryptography, i.e., by encrypting and decrypting the communication with a different key.

DNSSEC significantly improves the security and trustworthiness of a domain, however, the vast majority of the public internet still operates on insecure DNS. It is therefore sensible that companies looking to secure their communications turn to other solutions, such as DNS filtering.

What is DNS filtering?

DNS filtering, also known as DNS blocking, is a security technique based on blocking access to malicious, disreputable, or otherwise unwanted domains. When a user tries to access a domain, the query is compared to a blacklist of unwanted domains or IP addresses, and if there is a match, the domain will not be resolved and access prevented.

For example, a user who has clicked on a phishing link in a fraudulent email would get automatically redirected to a malicious site, which may install malware or steal access credentials. However, if this domain is blacklisted in the DNS resolution service, the attack would be automatically blocked.

GoodAccess Dashboard - DNS filtering

Fig 1: An example of DNS filtering settings in GoodAccess cloud VPN settings.

What is a blacklist?

In networking terms, a blacklist (or blocklist, denylist) is a list or database of domains or IP addresses where access is prohibited. These sites may be known for malware distribution, sharing bootleg copies of copyrighted materials, serving as C&C botnet servers, or hosting adult or otherwise undesirable content.

The opposite of a blacklist/blocklist is a whitelist/allowlist. As the name suggests, a whitelist allows access to any listed domain, even if such a domain were on a blacklist. Whitelisting is therefore reserved for highly trusted domains only.

What is DNS filtering used for?

There are three primary use cases for DNS filtering.

Blocking malware-hosting websites

DNS blocking is often the first line of defense against a malware infection. Users can be tricked or redirected onto a malicious site from where malware would be downloaded onto their device. From there, it can spread through the rest of company infrastructure and, if left unchecked, eventually cripple company operations.

This is why DNS filtering is a sensible preventive countermeasure helping to prevent data breaches.

Blocking phishing sites

Phishing protection is a related use case where attackers try to scam employees into giving up their access credentials by directing them to a legitimate-looking website asking for a password and username. These sites often look visually indistinguishable from the real ones, but their domain names and IP addresses are of course different.

In this sense, DNS filtering acts as a safety net for employees who may unwittingly fall for a phishing lure (read more about phishing here).

Blocking prohibited websites

The last use case has to do with enforcing content policies. You can use DNS filtering to deny access to sites hosting adult content, sharing copyrighted content (e.g. bittorrents), or offering gambling services. Productivity-oriented companies may even choose to block social media, entertainment sites, and other distractions.

How do you enable DNS filtering/blocking?

There are several ways to implement DNS filtering depending on the technology you choose to carry it out. You can block access on your:

How does GoodAccess implement DNS filtering?

GoodAccess provides a DNS filtering service as part of the VPN gateway. It runs its own DNS infrastructure that handles all DNS resolutions for every connected client. This infrastructure includes categorized blacklists containing domains that host malicious sites, C&C servers, phishing sites, and abuse sites.

When a user attempts to access a blacklisted domain, GoodAccess does not resolve the domain but blocks the attempt, logs the activity, and redirects the user to a safe site explaining what has happened. If, for example, the user falls for a phishing lure, instead being prompted for login credentials, they are informed of the malicious presence on their device without any harm done.

This is an efficient way for the team admin to know that something bad is afoot in the network that could be an early indication of a malware infection that needs to be removed.

GoodAccess uses  a combination of blacklists from multiple security authorities, which are refreshed hourly.

GoodAccess - DNS filtering - blocked website access

Fig 2: A message informing the user of a domain being successfully blocked.

If you need to restrict access to sites that are not implicitly featured on the default blacklists, for instance if you want to prevent employees visiting productivity sinks, you can add the domain in GoodAccess manually, or import your own blacklist as a CSV file. If you want to try out GoodAccess DNS filtering capabilities, and other remote access and security features, check out the full-featured 14-day free trial here.