Before diving into what DNS content filtering is and why your business needs it, I think it wouldn’t be a bad idea if we talked a bit about something we all use (even you and me, when I wrote this article and when you read it), but I’m not sure we completely understand – the Internet.
Well, as Chris Woodford mentions on his website, https://www.explainthatstuff.com/, the Internet functions through TCP/IP,
[…] which stands for Transmission Control Protocol/Internet Protocol. It’s the Internet’s fundamental “control system” and it’s really two systems in one. In the computer world, a “protocol” is simply a standard way of doing things—a tried and trusted method that everybody follows to ensure things get done properly. So what do TCP and IP actually do? Internet Protocol (IP) is simply the Internet’s addressing system. All the machines on the Internet […] are identified by an Internet Protocol (IP) address that takes the form of a series of digits separated by dots or colons. If all the machines have numeric addresses, every machine knows exactly how (and where) to contact every other machine. When it comes to websites, we usually refer to them by easy-to-remember names (like www.explainthatstuff.com) rather than their actual IP addresses—and there’s a relatively simple system called DNS (Domain Name System) that enables a computer to look up the IP address for any given website. In the original version of IP, known as IPv4, addresses consisted of four pairs of digits, such as 184.108.40.206 or 220.127.116.11, but the rapid growth in Internet use meant that all possible addresses were used up by January 2011. That has prompted the introduction of a new IP system with more addresses, which is known as IPv6, where each address is much longer and looks something like this: 123a:b716:7291:0da2:912c:0321:0ffe:1da2. The other part of the control system, Transmission Control Protocol (TCP), sorts out how packets of data move back and forth between one computer (in other words, one IP address) and another. It’s TCP that figures out how to get the data from the source to the destination, arranging for it to be broken into packets, transmitted, resent if they get lost, and reassembled into the correct order at the other end.
As we have seen, DNS is a hierarchical system that helps translate human language into a computer-comprehensible one, by taking 5 main steps: request, root server query, Top Level Domain (TLD) query, domain's name server query. A detailed explanation of these steps can be found in Kaleb Fornero's paper, Is Anyone Out There? Monitoring DNS for Misuse, and a brief one in the image below:
What you must remember, though, is that up to 91.3% of the threats are located at the DNS level, since cybercriminals need to communicate with their malware in order to make a profit. Ergo, DNS is a very important component of your network in terms of cybersecurity and should not be trifled with. You can also find more information about its significance in other articles on our blog.
DNS content filtering refers to the process in which an Internet filter allows or blocks access to a specific website’s content according to its IP address and not to the domain name. Some filters use default operations, others are administrator-controlled. Among the DNS content filtering methods we mention:
Category filters allow administrators to block access according to the nature of the websites' content (for example racial hatred, pornography etc.).
Keyword filters allow blocking access to certain websites or web applications by specific words found in the websites' content (here we mention "chat" or "Netflix", for example).
Administrator-controlled Blacklists and Whitelists
Blacklists and Whitelists offer personalized DNS content filtering, since the access to specific websites is entirely determined by the administrator.
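How the three filter types above can combine into one decision per queried name, as an added example that is not code from any of the products discussed in this article. All domains, categories and keywords are constructed, and the precedence (allowlist, then blocklist, then category, then keyword) and the matching of keywords against the queried name rather than page content are assumptions of this sketch.

```python
# Constructed policy data for illustration only.
ALLOWLIST = {"intranet.example.com"}      # administrator-controlled, always allowed
BLOCKLIST = {"badsite.example"}           # administrator-controlled, always blocked
CATEGORIES = {                            # domain -> category, as a vendor feed might supply
    "casino.example": "gambling",
    "video.example": "streaming",
}
BLOCKED_CATEGORIES = {"gambling"}
BLOCKED_KEYWORDS = {"chat"}


def parents(qname):
    """Return the name and each parent domain: a.b.c -> [a.b.c, b.c, c]."""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname):
    """Return (verdict, reason) for one queried name."""
    names = parents(qname)
    # Match on whole labels so "notbadsite.example" never matches "badsite.example".
    for n in names:
        if n in ALLOWLIST:
            return ("allow", "allowlist:" + n)
    for n in names:
        if n in BLOCKLIST:
            return ("block", "blocklist:" + n)
    for n in names:
        cat = CATEGORIES.get(n)
        if cat in BLOCKED_CATEGORIES:
            return ("block", "category:" + cat)
    # Keyword filter: substring match inside any label of the queried name.
    for label in names[0].split("."):
        for kw in sorted(BLOCKED_KEYWORDS):
            if kw in label:
                return ("block", "keyword:" + kw)
    return ("allow", "default")


if __name__ == "__main__":
    for q in ("www.badsite.example", "notbadsite.example",
              "poker.casino.example", "chat.intranet.example.com"):
        print(q, decide(q))
```
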
How can DNS content filtering benefit your business?
Well…I would start with the obvious: it can help you prevent malware, ransomware and phishing attacks (you remember that part with the 91.3% of the threats being located at DNS level, correct?). Moreover, DNS content filtering can help increase productivity, reduce HR issues and ensure a safer browser experience.
What type of DNS attacks can you expect if you’re not using DNS content filtering?
When it comes to the types of attack your company can become the target of, you should know that there are dozens of possible threats that can get into your organisation in the blink of an eye, anytime and anywhere, causing you to lose money, data and time.
Attackers could try to overload authoritative name servers with queries for nonexistent subdomains (111aaa.example.com instead of example.com, for instance), consuming their resources and causing disruption to legitimate queries.
Cache poisoning attacks aim to corrupt the recursive servers, more specifically the answers stored in the cache. If they succeed, any subsequent query will get the corrupted answer.
Phantom Domain attacks also involve authoritative servers and imply asking for non-existent recursive name servers, which wastes the server’s time and fills up the cache with useless answers.
Hackers need to maintain communication in order to make a profit, and one certain way of obtaining it is through DNS. Malware uses DNS to communicate with the command-and-control server, but also to update itself, like the famous WannaCry ransomware.
Hijacking and redirection
In this type of attack, users are sent to a different destination than they intended. Similarly, the target client machine could be infected with malware that would allow all DNS requests to be sent to the DNS server under the attacker’s control.
Data exfiltration / tunnelling
Tunnelling involves encoding messages in DNS queries and answers in order to avoid detection. Tunnelling can be used for legitimate purposes, but also to exfiltrate sensitive data, in which case the ever-changing domain names make it very hard to detect.
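A defender-side heuristic for the tunnelling pattern described above, as an added example that is not part of the original article: group logged queries by parent domain and flag domains that receive many unique, long, high-entropy subdomains. The query log is constructed, the thresholds are illustrative, and treating the last two labels as the registered domain is an assumption (a real deployment would use the Public Suffix List).

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def constructed_chunk(i):
    """Constructed stand-in for one encoded payload chunk (32 base32 characters)."""
    digest = hashlib.sha256(f"constructed-{i}".encode()).digest()[:20]
    return base64.b32encode(digest).decode().lower()


# Constructed sample log of queried names; every domain here is made up.
QUERIES = (
    [f"{constructed_chunk(i)}.tunnel.example" for i in range(6)]
    + [f"img{i}.cdn.example" for i in range(8)]
    + ["www.shop.example", "mail.shop.example"]
)


def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname, base_labels=2):
    """Split into (subdomain part, parent domain); base_labels=2 is an assumption."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def suspicious_domains(queries, min_unique=4, min_len=20, min_entropy=3.5):
    """Return {parent: (unique subdomains, mean length, mean entropy)} for flagged parents."""
    subs = defaultdict(set)
    for qname in queries:
        sub, base = split_name(qname)
        if sub:
            subs[base].add(sub)
    flagged = {}
    for base, names in subs.items():
        if len(names) < min_unique:
            continue  # too few distinct names to judge
        mean_len = sum(len(n) for n in names) / len(names)
        mean_ent = sum(entropy(n) for n in names) / len(names)
        if mean_len >= min_len and mean_ent >= min_entropy:
            flagged[base] = (len(names), round(mean_len, 1), round(mean_ent, 2))
    return flagged


if __name__ == "__main__":
    print(suspicious_domains(QUERIES))
```

The CDN-style names in the sample are numerous but short and low in entropy, so only the parent receiving encoded-looking labels is flagged.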
Now that you have caught a glimpse of how dangerous DNS attacks can be, you might be asking yourself what you can do to protect your business. Well…you have two options.
1. Use free DNS content filtering for business to achieve a basic level of protection
DansGuardian can run on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS, HP-UX, Solaris and is highly configurable, allowing you to filter ads and block images or files from being downloaded. Different filters can be deployed for different computers according to the domain, user and source IP.
K9, a solution generally used in schools, divides the filtered content into 60+ categories. It is a desktop solution which, after installation, checks all the requests you make against the specified filters.
OpenDNS is a DNS content filtering tool suitable for those who do not have the time or expertise to set up and administer a full-blown content-filtering server. It requires you to change the DNS settings at the router level, and lets you customize whitelists, blacklists and the range of filters it provides.
Like DansGuardian, SquidGuard is a stand-alone DNS content filtering tool that can be connected to a proxy (a go-between for a computer and the Internet, used to enhance cyber safety because it prevents attackers from invading a computer or a private network directly). It is a UNIX-environment tool and a very flexible solution, which allows you to make up various combinations of filtering parameters.
Clean Browsing DNS
If you’re also wondering how you can filter adult content through DNS, Clean Browsing would be a pretty good free tool. Its basic security filter blocks malicious content, while the adult filter blocks pornographic and explicit websites.
In the same context, you can try SafeSurfer, a New Zealand service that seems to be supported by voluntary donations. SafeSurfer offers desktop applications for Windows, Mac and Linux, but also mobile applications for Android and iOS.
2. Go Pro with our market-leading solutions
One of the four levels of security the Heimdal™ Security products are built on is prevention. In order to help you achieve unique threat prevention, we propose to you 2 main modules: Forseti and/or Thor Foresight.
Forseti is a powerful Intrusion Prevention System that protects your organisation's network at perimeter level, preventing, detecting and blocking APTs, ransomware, data leaks and network malware. It prevents command and control server connections, logs network traffic, checks who is doing what and tracks history on threats that were unknown but became known. Forseti also offers you, of course, the possibility to use custom block pages and allow/block lists.
Increasingly, hackers target organizations at network or DNS traffic level.
FORSETI IS THE ADVANCED INTRUSION PREVENTION SYSTEM THAT ALLOWS YOU TO PREVENT, DETECT AND RESPOND TO NETWORK-BASED THREATS
- Full DNS protection and full network logging.
- Uses Machine Learning on device to infrastructure communication for a strong HIPS/HIDS and IOA/IOC add-on to your network.
- An easy way to add network threat prevention, detection and blocking.
Forseti is composed of two Heimdal Security trademarked engines, DarkLayer Guard™ and VectorN Detection™. DarkLayer Guard™ offers full DNS protection, as well as active and passive modes and full network logging, while VectorN Detection™ uses Neural Network Transformed AI for tracking device-to-infrastructure communication to spot and stop attacks that firewalls cannot see.
Thor Foresight adds to all this the power of X-Ploit Resilience, our patch management solution for Windows and 3rd party software. Since 85% of malware is deployed through exploit kits, automatically installing updates only 4 hours after the release, or scheduling them according to the PC's clock, and having an in-app software center would be nice additions to your company's cybersecurity.
Antivirus is no longer enough to keep an organization’s systems secure.
Thor Foresight Enterprise is our next gen proactive shield that stops unknown threats before they reach your system.
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
With Thor Foresight you would benefit from a solution that closes vulnerabilities, helps you be GDPR compliant and adds unique threat hunting, prevention and detection for stopping ransomware, APTs, financial fraud, data leaks, exploits.
DNS content filtering – Wrapping Up…
If you are still wondering why your business needs DNS content filtering, let me just tell you that, only in 2020,
80% of firms have seen an increase in cyberattacks […]
Cloud based attacks rose 630% between January and April 2020
Phishing attempts rose 600% since the end of February […]
Ransomware attacks rose 148% in March […]
Attacks targeting home workers rose five-fold in six weeks since lockdown […]
Visits to hacker websites and forums rose 66% in March
Average ransomware payment rose 33% to $111,605, compared to Q4 2019 […]
Ransomware is found in 27% of malware incidents – up from 24% in 2019
18% of organizations reported a ransomware attack
41% of customers would stop buying from a business victim of a ransomware attack […]
There is a cyberattack every 39 seconds […]
21% of online users are victims of hacking
11% of online users have been victims of data theft
72% of breaches target large firms.
You need to take cybersecurity seriously and you need to start adopting security measures right now – and a professional DNS content filtering solution is your best chance to protect your business against up to more than 90% of the possible (and very probable) threats.
Whatever you choose, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!