
DNS filtering: What is it and why do companies use it?

The Domain Name System (DNS) makes it possible for users to access websites using domain names, like wikipedia.org, in place of nine-digit IP addresses. Due to its ubiquitous nature, DNS can be used to block access to selected websites, which is commonly known as DNS filtering. Many companies see security and productivity benefits from implementing this strategy where appropriate. Read on as we explore some of the key details around how DNS filtering works and how it can be beneficial.

How does DNS filtering work?

To understand how DNS filtering works, it helps to first review the basics.

Every domain purchased from a domain registrar and hosted gets assigned a unique IP address that will allow that site to be located. Whenever you try to reach a website, a DNS query is automatically performed. That query involves your DNS server looking up the domain or IP address in its internal “phonebook.” Once located, the server lets your browser connect to the web server hosting the site. From there, the page can be loaded, giving you full access—all in a fraction of a second. As with anything, problems can occur in this process—check out our DNS troubleshooting blog for more information and helpful tips if you run into issues.

If you have DNS filtering in place, things get a little more complicated during the query. Instead of the server simply returning the IP address as long as the website exists, the request gets subjected to a few extra controls to help ensure the site is safe, and access is permitted through your organization.

In this case, the DNS server uses blocklists—as well as previous crawls of new sites—to determine if access to the one in question is permitted. If the site hasn’t been crawled or categorized before, the server will assess the web content in real time to determine if it is malicious or otherwise violates predefined policies. If this is the case, instead of connecting, the browser will redirect to a local IP address displaying a block page that explains why the desired site cannot be accessed. Alternatively, some companies choose the opposite approach, creating specific allowlists. In that case, DNS filtering will block any IP address or domain not explicitly on the list.
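The decision described above can be sketched as follows. This is an added example, not DNSFilter's or N‑able's code: the domain names, the category map, the block page address `10.0.0.53` and the function names are all constructed for illustration, and real-time classification of uncategorized sites is left out.

```python
from dataclasses import dataclass

BLOCK_PAGE_IP = "10.0.0.53"  # assumed local address that serves the block page

# Constructed sample policy data (not from any real feed).
BLOCKLIST = {"malware-example.test"}
CATEGORIES = {"casino-example.test": "gambling", "chat-example.test": "social-media"}
BLOCKED_CATEGORIES = {"gambling"}  # categories the acceptable usage policy forbids
ALLOWLIST = {"intranet.example", "wikipedia.org"}


@dataclass
class Decision:
    action: str  # "resolve" or "block"
    answer: str  # upstream IP, or the block page IP
    reason: str


def normalize(qname):
    """Lower-case and drop the trailing root dot so lookups are consistent."""
    return qname.strip().rstrip(".").lower()


def parents(name):
    """Return the name and each parent domain: a.b.c -> [a.b.c, b.c, c]."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, upstream_ip, allowlist_only=False):
    """Apply the filter policy to one query and return what the client gets."""
    chain = parents(normalize(qname))
    if allowlist_only:
        # Allowlist mode: anything not explicitly listed is blocked.
        if any(d in ALLOWLIST for d in chain):
            return Decision("resolve", upstream_ip, "on allowlist")
        return Decision("block", BLOCK_PAGE_IP, "not on allowlist")
    for d in chain:
        # Matching whole labels means a subdomain inherits its parent's verdict,
        # while a look-alike such as notmalware-example.test does not.
        if d in BLOCKLIST:
            return Decision("block", BLOCK_PAGE_IP, f"blocklisted: {d}")
        if CATEGORIES.get(d) in BLOCKED_CATEGORIES:
            return Decision("block", BLOCK_PAGE_IP, f"category: {CATEGORIES[d]}")
    return Decision("resolve", upstream_ip, "no policy match")
```
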

Be sure to also read our guide, where we specifically focused on DNS blocking and how it relates to overall cybersecurity.

Reasons to use DNS filtering

No matter how many cybersecurity measures you take and how much awareness training you give to employees, mistakes can happen, putting your company’s devices and network in danger. Effective filtering can strengthen a company’s default level of cybersecurity. Although there’s no way to ever completely eliminate the chances of a user connecting to a malicious site—bad actors are constantly creating new web pages that have yet to be reviewed and marked, meaning they have a better chance of slipping through—it is possible to block the vast majority of threats.

Another reason to use DNS filtering is to keep people from accessing certain categories of websites through your internet connection, whether for productivity or regulatory purposes. By creating an acceptable usage policy (AUP) and setting it up with your ISP, you can keep users from accessing everything from gaming and gambling sites to social media and adult content sites while on your network. In some cases, organizations must have filtering in place to comply with regulations—for instance, schools and libraries in the U.S. should have ways to prevent access to material that is objectionable or harmful to minors.

It can be possible to bypass DNS filtering controls. In some cases, this means admins can temporarily remove the block. However, it’s also possible a highly motivated employee could set up a proxy server or even change DNS settings at a local level to achieve access. That’s why it’s important to set up the service correctly and use tools designed for these contingencies.
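One way to detect the locally changed DNS settings mentioned above is to look for clients that send DNS traffic to any resolver other than the filtering one. This is an added example, not part of the original article: the flow-record format, the addresses and the resolver `10.0.0.53` are constructed assumptions.

```python
from collections import defaultdict

APPROVED_RESOLVERS = {"10.0.0.53"}  # assumed address of the filtering resolver
DNS_PORTS = {53, 853}               # plain DNS and DNS over TLS

# Constructed sample flow records: time, source, destination, dest port, protocol.
SAMPLE_FLOWS = """\
2024-01-01T09:00:01 10.0.1.20 10.0.0.53 53 udp
2024-01-01T09:00:02 10.0.1.21 198.51.100.8 53 udp
2024-01-01T09:00:03 10.0.1.21 198.51.100.8 53 udp
2024-01-01T09:00:04 10.0.1.22 203.0.113.9 853 tcp
2024-01-01T09:00:05 10.0.1.20 203.0.113.80 443 tcp
2024-01-01T09:00:06 10.0.0.53 192.0.2.1 53 udp
malformed line
"""


def unsanctioned_dns(flow_text):
    """Return {client: {resolver: count}} for DNS sent past the filter."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip records that do not match the expected layout
        _, src, dst, dport, _ = fields
        if src in APPROVED_RESOLVERS:
            continue  # the filtering resolver itself must query upstream
        if int(dport) in DNS_PORTS and dst not in APPROVED_RESOLVERS:
            hits[src][dst] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for client, resolvers in unsanctioned_dns(SAMPLE_FLOWS).items():
        print(client, resolvers)
```

Proxy use, which the article also mentions, does not appear as DNS traffic and needs a separate control, such as blocking outbound DNS at the firewall for everything except the approved resolver.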

Combining ease and security

Another common question is whether this process will cause slowdowns in accessibility. The good news is that DNS filtering is low latency, which means you can gain all these benefits without any delay in accessing safe sites. If you’re looking for a way to make sure people on your network are only connecting to safe, permitted websites, this is the answer.

DNSFilter makes it possible

If you’re looking for a solution to try, we have good news. Here at N‑able, we’ve partnered with DNSFilter to offer our users next-generation protection against malicious sites, which will soon get integrated within the N‑able N‑central® remote monitoring and management solution.

For more details, be sure to head over to the following blog:

🡢 Sneak Preview: N‑able and DNSFilter Integration.

