Learn How Domain Name System Firewalls Work

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe how a Domain Name System (DNS) firewall protects users and networks.
  • List threat actions potentially mitigated by a DNS firewall.
  • Identify the advantages of a DNS firewall.

What Is a Domain Name System Firewall?

Protective Domain Name System (DNS)—also known as a DNS firewall—is a DNS service that processes a request as normal, but also prevents the domain translation from occurring for any domains that are deemed to be malicious. Not only do we find that DNS firewalls are an effective security control but also that the availability of open or free DNS firewalls makes the solution very cost effective.

Security protections within DNS improve the effectiveness of your organization’s cybersecurity strategies. Over the past few years, DNS attacks have emerged as one of the most common and dangerous cybersecurity threats businesses face. DNS firewalls can help mitigate incidents resulting from common threat actions such as malware and phishing, potentially preventing significant financial losses for organizations. Let’s take a closer look.

Threat Actions Potentially Mitigated by a DNS Firewall

Malicious software, or malware, is designed to harm or exploit devices or networks in a variety of ways, such as through command and control (C2) infrastructure, by downloading unwanted software, or by exporting data to an unauthorized user. Let’s look at these in a bit more detail.

Command and Control (C2) Infrastructure

As mentioned, a popular method used to distribute and control malware is through C2. C2 occurs when malicious actors use a central server to covertly distribute malware and execute commands to the malicious programs that take over control of a device. Once the malware executes itself on one machine, the C2 server can command it to duplicate and spread to others.

Downloaders

A downloader is a type of malware where a user (or computer) unwittingly downloads malicious web-based content. A user’s web browser is redirected to an infected website, often with little or no use of social engineering techniques.

Exporting Data

Malicious actors can abuse DNS to steal data through data leakage or by injecting malicious code into a network. This is done through DNS tunneling, a difficult-to-detect attack that routes DNS requests to the attacker's server, providing them with a clandestine C2 channel and data exfiltration path.

Social Engineering

Phishing is an attempt to bypass network defenses by delivering malware to an unsuspecting user via social engineering, or by tricking them into giving up sensitive information. Often very difficult for untrained eyes to identify, phishing takes on a variety of forms, including short message service phishing (smishing), voice phishing (vishing), spear phishing, whaling, and email phishing.

How Does a Domain Name System Firewall Work?

DNS firewalls operate much like other network firewalls to disrupt the flow of information. However, instead of looking strictly at a set of rules based on internet protocol (IP) addresses, DNS firewalls implement threat intelligence and response policy zones (RPZs) to filter harmful content and domains, and educate users attempting to access potentially malicious websites.

Threat Intelligence

A core capability of DNS firewalls is categorizing domain names based on threat intelligence. Using open source, commercial, and other information feeds of known malicious domains, DNS firewalls receive shared knowledge of harmful sites and can protect users from accidentally browsing to them.

Response Policy Zones (RPZ)

RPZs compare your organization’s DNS resolutions (translation of hostnames to IP addresses) against your RPZ configuration files, where you’re able to organize domains and IP addresses into policies and manage how they’re handled. The advantage of using RPZs is that you can configure and fine-tune DNS handling to your organization’s specific needs.

Some common RPZ configuration setups include:

  • Allowlist domains: Permit users to access certain IPs and resources that you know are secure and need to be “always on” in order for business to function normally.
  • Block known malicious sources: Use threat intelligence and other information sharing feeds to block users from accessing a list of known malicious IPs.
  • Redirect infected users to a walled garden: Quarantine infected users from the rest of the network. In some cases, a user may not know their machine is infected. However, their computer may begin making DNS requests to a malicious source. With RPZs, your organization can redirect that activity and inform users of the infection so that the malware can be removed.

Let’s look at an example of what happens without a DNS firewall.

Michelle is a chief information security officer (CISO) at a financial institution performing the following actions.

  1. She clicks a link that takes her to a dangerous website (evil.example.com) and, unbeknownst to her, downloads a malware installer.
  2. The installer connects to another site (bigevil.example.net) that further infects her system with additional malware.
  3. The malware communicates to a C2 (cc.example.org) infrastructure. Once the malware communicates to the C2 infrastructure, the attacker can then use it to exploit the system for malicious purposes.

The three steps that occur without a DNS firewall

How can a DNS firewall prevent this?

  • With a DNS firewall in place, when Michelle clicks the malicious link (evil.example.com), her browser contacts a DNS server through the DNS firewall to resolve the domain name. Because a DNS firewall is in place this time, all requests are sent through it before any translation is complete. If the DNS firewall is aware that the domain is malicious, it responds with a “not found” message, causing the browser to issue a “can’t find that site” error and effectively preventing the initial malware installation.
  • However, if the DNS firewall is not aware that the domain is malicious and the initial installer succeeds, the malware will likely attempt to connect to one or more domains looking for additional malware to install. The DNS firewall would perform another check to see if it’s aware that those domains are malicious, and responds accordingly.
  • If the malware is still able to install, then it will most likely attempt to communicate to C2 infrastructure on a third domain, requiring additional name translation. A DNS firewall would interrupt this communication and prevent the malware from receiving instructions or exfiltrating data.
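The RPZ setups listed above (allowlist, block, walled garden) and the three-stage scenario can be seen together in this added example, which is not part of the original module. It simulates how a DNS firewall evaluates query names against RPZ-style records using BIND's CNAME encoding (`CNAME .` blocks with NXDOMAIN, `CNAME rpz-passthru.` allowlists, a `CNAME` to any other hostname redirects); the zone contents and the walled-garden hostname are constructed for illustration.

```python
"""Simulate RPZ-style policy evaluation on a DNS firewall (constructed example)."""

# Constructed RPZ zone records in BIND's CNAME-encoded convention:
#   CNAME .             -> answer NXDOMAIN (block the domain)
#   CNAME rpz-passthru. -> resolve normally (allowlist)
#   CNAME <hostname>    -> redirect the client to that hostname (walled garden)
# A "*.name" trigger matches subdomains of name, but not name itself.
RPZ_ZONE = """
evil.example.com        CNAME .
*.evil.example.com      CNAME .
bigevil.example.net     CNAME .
*.bigevil.example.net   CNAME .
cc.example.org          CNAME walledgarden.corp.example.
payroll.example.com     CNAME rpz-passthru.
"""

def parse_rpz(zone_text):
    """Return {trigger_name: target} from 'owner CNAME target' lines."""
    rules = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "CNAME":
            rules[parts[0].lower().rstrip(".")] = parts[2].lower()
    return rules

def evaluate(qname, rules):
    """Return (action, data) for a query name. An exact trigger beats a
    wildcard, and a longer wildcard beats a shorter one (most specific wins)."""
    name = qname.lower().rstrip(".")
    target = rules.get(name)
    if target is None:
        labels = name.split(".")
        for i in range(1, len(labels)):          # try *.b.c before *.c
            target = rules.get("*." + ".".join(labels[i:]))
            if target is not None:
                break
    if target is None:
        return ("RESOLVE", None)                 # no policy: answer normally
    if target == ".":
        return ("NXDOMAIN", None)                # block: browser sees "not found"
    if target == "rpz-passthru.":
        return ("RESOLVE", None)                 # allowlisted: never rewritten
    return ("REDIRECT", target.rstrip("."))      # walled garden / local data

def walk_infection_chain(domains, rules):
    """Evaluate each stage of the scenario in order; stop at the first block."""
    outcome = []
    for domain in domains:
        action, data = evaluate(domain, rules)
        outcome.append((domain, action, data))
        if action != "RESOLVE":
            break
    return outcome

RULES = parse_rpz(RPZ_ZONE)
```

Running the three scenario domains through `walk_infection_chain` stops at the first stage when evil.example.com is in the zone; removing that trigger lets the chain reach the later stages, where the firewall gets a second and third chance to interrupt it.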

Advantages of Domain Name System Firewalls

Just like Michelle, you’re already realizing that DNS firewalls can significantly improve your organization’s security online. DNS firewalls not only prevent malware from exfiltrating data from your organization but also mitigate cybersecurity threats, are easy to deploy, and can even make it faster for your employees to access the internet. Let’s take a closer look.

Mitigate Cybersecurity Threats

DNS firewalls significantly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known malicious domains. Additionally, organizations can use DNS query logs for incident response and threat hunting activities. DNS firewalls can also categorize domain names based on threat intelligence, identifying domains that are used to exploit and attack.

Ease of Deployment

DNS firewalls, such as Quad9, can be set up in a simple deployment model and are cost effective. What’s more, DNS firewalls can protect both commercial and home networks. This benefit is especially important, as many people have transitioned to remote work during the COVID-19 pandemic.

Increased Speed

Deploying your own DNS firewall may provide a faster network translation than the DNS servers provided by your internet service provider (ISP). Having these secure firewalls also increases the reliability of your network. Because the DNS resolution process is used multiple times during internet browsing, even an incremental improvement can provide substantially greater levels of performance.

Sum It Up

You’ve learned what DNS firewalls are and how they work. Now, let’s turn our attention to specific security threats that target DNS and how a DNS firewall can mitigate them.
