A Guide to DNS Filtering - Under the Covers

DNS is both an interpreter and roadmap for the Internet. Users love friendly names while their devices and favorite websites utilize IP addresses. DNS maps friendly names to IP addresses. Normally, when the browser queries a DNS server, an IP address is returned, allowing the browser to open the website at the specific IP address. This process is duplicated for cloud applications and web protocols as well.

DNS filtering is designed to combat malware, spam, child pornography and other dangerous sites on the web. In those cases, the DNS server filters the request and blocks it rather than return an IP address. It is also useful for organizations that want to protect internal assets by blocking known malicious sites. This function is normally conducted at the router level by blocking IP addresses or filtering ports. For those without the luxury of high-end routers, DNS filtering is great alternative.

How important is DNS in security?

Due to its critical function within both the Internet and the enterprise, DNS is a primary target for hackers so securing it is imperative. An effective security strategy entails not only blocking malicious queries but also servicing good queries as well. DNS plays a judicious role in a layered network security strategy in which multiple approaches to cyber defence are required. This multi-tiered approach reduces the possibility of a successful hacking attack.

Is DNS Filtering Really the Answer?

In recent years, government bodies have attempted to introduce new ways to protect victims at the source of Internet traffic. Unfortunately, these standards are legislated by people who do not fully understand the implications of their actions. The Internet already uses a myriad of web filtering options. Organizations filter at the router level while search engines use heuristic methods to detect IP addresses that host malicious content. Web filtering software and antivirus programs block websites and downloadable suspicious content using executable footprints. All of these methods have collaboratively worked well but attackers are constantly looking for ways to circumvent protection.

DNS remains a vulnerable highly targeted component for exploits and cyberattacks. For instance, DNS replies can be spoofed, or created with false information, to redirect users from legitimate sites to malicious websites. Targeting the exploits of cybercriminals however is challenging at best due to the scalability of the Internet. Attackers constantly register new domain names and move to "clean" neighbourhoods. As soon as any security method detects malicious activity and shuts it down, these criminal chameleons simply move to a new location that remains undetected for a while before the cycle repeats itself.

DNS filtering should be an important component of your network security strategy used in conjunction with port monitoring, intrusion detection systems, web filtering software, intrusion prevention systems, antivirus, and firewalls. Together, these necessary layers work cohesively to create a functional and effective security protection system.

DNS Filtering is not without its critics however who point out some of its inherit disadvantages:

  • It is not bulletproof. Malicious attackers are clever enough to get around it.

  • Users can use proxies to hide their original IP and gain access to the DNS queried IP address.

  • Modification of the DNS protocol could lead to unforeseen security issues and technical bugs.

For more information about DNS myths visit this recent blog post: 4 Myths about DNS Filtering and some truths

No system is of course bulletproof, and while it is true that cybercriminals are constantly changing domain names, solutions such as WebTitan DNS Filtering are highly effective in countering their cloaking efforts. WebTitan does this by categorizing an estimated 60,000-malware and spyware domains per day, tracking down dangerous sites and blocking them.

A schematic illustrating this process is shown below :

Examining DNS Structure

The Domain Name System (DNS) was designed to make it convenient for the public to use the Internet. As mentioned earlier, it translates domain names to the matching IP addresses of the hosted devices. DNS allows us to use http://www.google.com instead of to initiate a search. In short, it is the Internet's primary directory service.

The DNS system that services the Internet is a distributed system anchored by a collection of root name servers that are dispersed throughout the world. Under the root servers are top-level domains, (.com, .org, .net) followed by second level domains (google, TitanHQ, Microsoft). These domains form DNS zones, which may consist of one or more domains (for example, google.com is a domain). A set of authoritative name servers are assigned to each DNS zone. An authoritative name server can be either a master or a slave server. A master contains the original read/write copies of zone records while a slave maintains only readable copies of the master records that are updated through replication.

DNS servers use TCP port 53 for zone transfers in order to keep slaves synced with the master zone file. Intruders can use this mechanism to download the contents of a name server’s zone file. To prevent this, administrators should block zone transfer requests from any device that is not an authorized slave name server. Port 53 is often used to tunnel unauthorized traffic and suspicious traffic should be scrutinized.

What is Reverse DNS?

A reverse DNS lookup or reverse DNS resolution (rDNS) is the querying of the Domain Name System (DNS) to determine the domain name associated with an IP address – the reverse of the standard "forward" DNS lookup of an IP address from a domain name.

This is often useful in determining the legitimacy of an IP. For example, one of the content tests carried out by the SpamTitan spam filter is to match forward and reverse DNS entries, ensuring that the A records, IP and PTR record match accordingly.

The Association of DHCP and DNS

For IPv4, DNS is most often tightly integrated with Dynamic Host Configuration Protocol (DHCP). A DHCP server automatically provides IP addresses to DHCP enabled clients as well as other information such as the identity of DNS name servers. The security of DNS therefore requires protecting your DHCP infrastructure. Depending on IPv6 network configuration, DHCP may or may not provide DNS information as Router Advertisement (RA) message provides this information instead.

DNS Attacks

DNS is a double-edged sword largely because of the insecure nature of the DNS infrastructure, making it vulnerable to these types of attacks:

  • Dynamic DNS (DDNS)

While DDNS serves a legitimate function of allowing address of a domain name to change quickly and host serves on temporary addresses, it is abused by botnet operators and phishers who change address rapidly to avoid detection

  • Fast Flux DNS

This is another way in which cyber criminals can rapidly alter DNS addresses in order to hide malware and phishing delivery sites behind an ever-changing network of compromised hosts acting as proxies.

  • Packet Amplification

This technique is referred to as a Smurf attack (named after the DDoS Smurf malware). It is a distr