In the workplace, certain web pages can be a distraction for employee productivity—or worse, a disruption. If you’re a managed services provider (MSP), your customers may be interested in finding a way to control the types of websites their employees can access during the workday. One viable option for them to utilize is a DNS block to restrict access to certain web addresses on a given server.
This article will help you understand what DNS block is, who uses it, and how it works. We’ll also touch on some topics related to DNS security in general, including best practices and key terms, to give you an idea about some of the related threats to cybersecurity.
What is a DNS block?
A DNS block is a mechanism that allows you to prevent access to certain web pages on the server. The technology was originally designed to help defend against spam and phishing attacks by blocking known suspicious IP addresses. Today, it serves a variety of purposes—some people use it as an antipiracy safeguard, while others use it to prevent access to infected or addictive sites (like gambling) in the workplace.
The basic function of DNS blocking software is simple—it serves as a gateway between the web server and your personal server, ensuring your browser doesn’t recognize the blocked IP address and cannot access the website’s server.
Who uses DNS blockers?
With businesses across industries now spending a large portion of the workday on the internet, DNS blocking has evolved from its original role as an anti-spam device. Today, organizations can utilize this capability to prohibit access to disruptive or distracting sites in the workplace—from gambling sites to social media sites. Many DNS blocking programs allow administrators to adjust their blocks to specify what types of sites they want to restrict, so certain users might have more flexible safeguards.
Because DNS blocking is a server-based identification system and not a software application, multiple devices across a given network—including smartphones, tablets, and other devices—can be governed by DNS blocks, too.
How does DNS blocking work?
To understand fully how DNS blocking works, we need to take a step back. A web page’s IP address—essentially a multidigit identification code—is its primary nametag on the home server. But IP addresses are not practical for users to enter every time they wish to access a web page. If you are looking for Twitter, for example, it would be quite impractical to search for its IP address—126.96.36.199—each time you wanted to reach the home page. DNS—or the domain name system—is the process of naming websites in human language as opposed to their numerical IP addresses.
Created in 1983 to help make the internet more intuitive for everyday users, DNS essentially acts as a telephone book that links the user-friendly domain name to its more technical IP address. (All the “translating” is done in the background by your servers.)
A DNS block works by removing the IP address name from the “phonebook” on your server. For example, if you were to block Twitter using a DNS blocker, your server would intentionally forget the name assigned to 188.8.131.52. As a result, blockers disable your server from locating particular web pages. To block whole genres of web pages, like piracy sites, DNS blocking services can set your server to forget large swaths of IP addresses that fit certain criteria. This breaks the communication between the IP server and the user’s device.
This way, DNS blocking can be a quick and easy way to prevent staff from accessing malicious or unwanted web pages with negligible overheads and no physical hardware.
Top tips for DNS security
As you can see, DNS plays a critical role in facilitating modern web traffic and thus becomes, understandably, a common target for cyberattackers. Utilizing DNS blocking is considered one of the many best practices that can have a large impact on overall cybersecurity.
Read on as we explore some other tips on DNS security that will help you prevent threats originating from this common source.
- Use redundant DNS servers to increase availability
DNS is a fundamental part of how network applications, like Active Directory, file sharing, and email services operate—phrased another way, this means MSPs need to guarantee that their customers’ DNS infrastructure is highly available.
Redundancy requires, at minimum, a primary and secondary DNS server to keep business-critical service functional. This allows one server to take over in the event that the other encounters an error, increasing infrastructure availability and reducing the risk of failures.
- Hide DNS servers and DNS information
As with other aspects of IT management, DNS servers should be treated according to the principle of least privilege—that is, they should only be accessible to the specific end users who use them. Your primary server should be hidden from view and restricted to system managers and authorized IT personnel.
- Use DNS logging
The most efficient way to monitor DNS activity is to use logging, which can reveal issues with client activity, queries, updates, and more. Debug logs can also be used to identify cache poisoning (also called “DNS spoofing”—more on this below), a technique that allows cybercriminals to alter information stored in a user’s cache, causing the server to redirect them away from a legitimate site they’ve previously visited toward a malicious one instead.
- Enable DNS cache locking
After enabling debug logs, the next step is to lock the cache. Whenever DNS receives a query, it retrieves and stores the proper data in the cache for future use, which significantly reduces the server’s response time for the same queries. However, as mentioned above, hackers can use the cache as an attack vector for gaining entry to your systems.
Locking the cache helps to prevent this by restricting when the stored information can be altered, thereby preventing it from being overwritten before the TTL (time to live) expires. Cache locking may be enabled by default and can be scaled to block overwriting the data for a specific percentage of the TTL.
Key DNS security terms to know
Looking to better understand some of the key terms and acronyms related to securing your DNS? You’re likely to encounter one of the following:
- DNSSEC: Domain Name System Security Extensions (DNSSEC) is a DNS feature that authenticates the responses to queries for domain names by using digital cryptographic signatures. DNSSEC can prevent cyberattacks from altering these responses but does not otherwise offer privacy protection.
- DNS spoofing: This kind of attack occurs when DNS request information is modified to redirect end users to an imposter website designed to trick them into entering their login credentials. Many of these websites also install viruses onto the user’s device to provide hackers with long-term access. Read more about DNS spoofing on our blog.
- DNS tunneling: This is a form of cyberattack that embeds information from other programs or protocols into DNS queries and responses, bypassing firewalls in the process. Typically, a tunneling attack will include data payloads that, when sent to a compromised DNS server, can enable a hacker to remotely control the server and the applications it’s running. Tunneling requires access to an internal DNS server that has network access, but many cybercriminals bank on businesses and organizations not examining their DNS traffic because it’s such a well-known and trusted protocol, which makes hardening your customers’ networks all the more necessary.
- DNS cache: The DNS cache is temporary local storage of data retained from previous DNS lookups. The cache allows an operating system or web browser to retrieve a site’s IP address far faster. Here’s an article on our blog to help you get a better understanding of DNS cache.
- Dynamic DNS: Dynamic DNS (DDNS) is a method of keeping your DNS nameservers automatically updated in real time, including information like the active DDNS configuration’s host names and addresses. Check out this N-able blog post to learn more about dynamic DNS.
- DNS over HTTPS: DNS over HTTPS (DoH) is a protocol that allows you to remotely resolve lookups using HTTPS. By encrypting the information sent between the DoH client and its DNS resolver, DoH stops would-be intruders from accessing or altering DNS data.
With these best practices and key terms under your belt, you’ll be prepared to handle DNS services for your customers and better prevent common security issues.
Be sure to also read our comprehensive guide on steps to troubleshooting DNS issues.