In the workplace, certain web pages can be a distraction to productivity—or worse, a disruption. As a managed service provider (MSP), you may have customers who are interested in finding a way to control the types of websites their employees can access during the workday. One viable option for them is to use a DNS block to restrict access to certain web addresses on a given server.
For MSPs whose customers are interested in deploying a DNS block, this article will cover some common questions customers may have, including how DNS blocking (also known as DNS filtering) works and what to consider when implementing a DNS block.
What is a DNS block?
A DNS block is a server-based mechanism that allows users to prevent certain web pages from being accessed on their server. The technology was originally designed to help defend against spam and phishing attacks by blocking known suspicious IP addresses. Today, DNS blocking serves a variety of purposes—some people use it as an antipiracy safeguard, while others use it to prevent access to infected or addictive sites (like gambling) in the workplace.
The basic function of DNS blocking software is simple—it serves as a gateway between the web server and your personal server, ensuring your browser doesn’t recognize the blocked IP address and cannot access the website’s server.
Who uses DNS blockers?
With businesses across industries now spending a large portion of the workday on the internet, DNS blocking has evolved from its original role as an anti-spam device. Today, organizations can utilize DNS blocking to prohibit access to disruptive or distracting sites in the workplace—from gambling sites to social media sites. Many DNS blocking programs allow users to adjust their blocks to specify what types of sites they want to restrict, so certain users might have more flexible safeguards.
Because DNS blocking is a server-based identification system—not a piece of software—it’s applicable to multiple devices across your network. This means smartphones, tablets, and other devices connected to your network can be governed by your DNS blocks, too.
How does DNS blocking work?
To fully understand how DNS blocking works, we need to take a step back. Every web page’s IP address—the multidigit identification code—is the site’s most essential nametag on the home server. But the IP address is simply not practical for a user to enter every time they wish to access a web page. If you are looking for Twitter, for example, it would be quite impractical to search for its IP address—188.8.131.52—each time you wanted to reach the home page. DNS—or the domain name system—is the process of naming websites in human language as opposed to their numerical IP addresses.
Created in 1983 to help make the internet more intuitive for everyday users, DNS essentially acts as a telephone book that links the “reader-friendly” domain name to its less reader-friendly IP address. (All the “translating” is done in the background by your servers.)
A DNS block works by removing the name assigned to an IP address from the “phonebook” on your server. For example, if you were to block Twitter using a DNS blocker, your server would intentionally forget the name assigned to 184.108.40.206. As a result, DNS blockers prevent your server from locating particular web pages. To block whole genres of web pages, like piracy sites, DNS blocking services can set your server to forget large swaths of IP addresses that fit certain criteria. This breaks the communication between the IP server and the user’s device.
This way, DNS blocking can be a quick and easy way to prevent staff from accessing malicious or unwanted web pages with negligible overhead and no physical hardware.
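The "forgetting" described above can be shown at the packet level. The following is an added example, not code from the original article or from any DNS product: it reads the name out of a raw DNS query, checks it against per-category blocklists, and answers NXDOMAIN ("no such name") for a blocked domain or any of its subdomains. The domain names, category names and function names are constructed for illustration, and replying with NXDOMAIN is an assumed policy.

```python
import struct

# Constructed policy: category -> blocked domains (placeholders, not a real feed).
BLOCKLIST = {
    "gambling": {"casino.example"},
    "social": {"social.example"},
}

def parse_qname(packet, offset=12):
    """Read the uncompressed query name that follows the 12-byte DNS header."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset + 4  # skip QTYPE and QCLASS

def blocked_category(name, enabled):
    """Return the category that blocks `name`, matching the domain and all subdomains."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        for category in enabled:
            if suffix in BLOCKLIST.get(category, ()):
                return category
    return None

def filter_query(packet, enabled):
    """Return an NXDOMAIN reply for blocked names, or None to resolve normally."""
    name, end = parse_qname(packet)
    if blocked_category(name, enabled) is None:
        return None
    txid, flags = struct.unpack("!HH", packet[:4])
    # QR=1 (response), keep opcode and RD from the query, RA=1, RCODE=3 (NXDOMAIN)
    reply_flags = 0x8000 | (flags & 0x7900) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0)
    return header + packet[12:end]

def build_query(name, txid=0x1234):
    """Constructed sample input: a standard A/IN query with RD set."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Passing a different `enabled` set per user group gives the more flexible safeguards mentioned earlier: `filter_query(build_query("social.example"), {"gambling"})` returns `None`, so that query would be resolved normally.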
Is it safe to use OpenDNS?
One of the most popular free DNS tools is OpenDNS. The free versions do not install new hardware or software onto your device, so using OpenDNS has very few associated security risks. However, if you are using a third-party server to bypass OpenDNS, you must always be aware of the possibility of malware or bad actors interfering with your data transmission.
OpenDNS itself uses a long list of well-protected servers around the world that will not interfere with personal data. Utilizing OpenDNS can certainly be much safer than not using a DNS blocking program at all, and many users effectively employ OpenDNS to block malicious sites, even if they have no reason to screen out NSFW content.
Things to consider when using OpenDNS
When using OpenDNS, it’s important to understand your boundaries. If you’re only interested in blocking malicious websites with threat detection, you might want to set your program to a lower security setting. If you’re interested in blocking a wider range of sites, you need to understand that other, more knowledgeable users could still subvert these safeguards through DNS readdressing and proxy servers.
This doesn’t mean users who subvert OpenDNS are undetectable—for a business with OpenDNS in place, network activity can still be detected on your server. But, if you have serious concerns about potential bad actors within your system, it’s important to be aware of the potential of OpenDNS bypass. This means you might want to keep track of security threats through additional security software.
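One way to spot the DNS readdressing mentioned above is to look for clients that send DNS traffic to resolvers other than the approved ones. This is an added example, not part of the original article or of any vendor tool: the log format and the sample lines are constructed, and it assumes clients are meant to use only the two OpenDNS public resolvers.

```python
import re
from collections import defaultdict

# Assumption: clients are supposed to use only the OpenDNS public resolvers.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}
DNS_PORT = 53
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>udp|tcp) dport=(?P<dport>\d+)$"
)

# Constructed firewall log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=10.0.0.21 dst=208.67.222.222 proto=udp dport=53
2024-05-01T09:00:04Z src=10.0.0.34 dst=192.0.2.53 proto=udp dport=53
2024-05-01T09:00:09Z src=10.0.0.34 dst=192.0.2.53 proto=tcp dport=53
2024-05-01T09:00:12Z src=10.0.0.21 dst=198.51.100.7 proto=tcp dport=443
2024-05-01T09:00:15Z src=10.0.0.40 dst=198.51.100.9 proto=udp dport=53
malformed line that the parser must skip
"""

def find_dns_bypass(log_text, approved=APPROVED_RESOLVERS):
    """Map each client to the unapproved resolvers it queried, with hit counts."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or int(m["dport"]) != DNS_PORT:
            continue  # skip unparseable lines and non-DNS traffic
        if m["dst"] not in approved:
            hits[m["src"]][m["dst"]] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, dsts in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        for dst, count in sorted(dsts.items()):
            print(f"{src} sent {count} DNS queries to unapproved resolver {dst}")
```

The matching preventive control is a firewall rule that allows outbound port 53 only to the approved resolvers, so that hits from this check show up as blocked attempts.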
SolarWinds MSP offers a variety of security monitoring features, which can monitor data logs as well as network activity. SolarWinds Threat Monitor, for example, provides advanced threat detection and monitoring for you to track activity. Threat Monitor uses an alert system to notify you if any unusual activity is detected in login data or network access events. If you are managing IT for a company with serious network security concerns, it may be advisable to invest in a more comprehensive security toolbox.
It’s important to stress to customers that no DNS blocker is 100% foolproof, although many of them come close. As a best practice, businesses might find it helpful to couple a DNS blocker with an established protocol regarding the types of webpages employees shouldn’t be visiting at work.