How Does DNS Filtering Work?
DNS filtering is a technique for controlling access to websites based on the Domain Name System (DNS). Online resources, such as websites, rely on DNS in order to be found.
DNS is the system that converts easy-to-remember domain names into the IP address of the server hosting the resource. When you type rawstream.com into your browser, a DNS query is sent to a DNS server. The DNS server returns the IP address, in this case 220.127.116.11, and the browser connects to that address to retrieve the Rawstream website.
DNS filtering extends the way the DNS system works. When a browser requests a domain that is allowed, the Rawstream DNS servers return the domain's real IP address. If access to the domain is not allowed, the Rawstream DNS servers instead return a different IP address, 18.104.22.168, which is the address of a block-page server. When the browser connects to this IP, it is served a block page informing the user that access to the requested domain is not permitted.
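The resolver-side decision described above, as an added example that is not Rawstream's code: a minimal DNS filter that parses a raw A query, checks the queried name (and its parent domains) against a blocklist, and builds a wire-format response carrying either the real address or the block-page address. The "zone" of real answers, the blocklist entries and the query builder are constructed for the example; the two IP addresses are the ones quoted on this page.

```python
"""Minimal DNS filtering resolver logic (added example, not Rawstream code).

Parses a raw DNS query, looks the name up in a blocklist, and builds a
response carrying either the real A record or the block-page address.
"""
import struct

# Hypothetical data: a tiny "zone" of real answers and a blocklist.
REAL_A_RECORDS = {
    "rawstream.com.": "220.127.116.11",      # address quoted on the page
    "news.example.": "192.0.2.10",          # RFC 5737 documentation range
    "bad.example.": "192.0.2.20",
}
BLOCKED_DOMAINS = {"bad.example.", "phishing-site.example."}
BLOCK_PAGE_IP = "18.104.22.168"             # block-page address quoted on the page


def parse_qname(msg, offset=12):
    """Return (qname, offset_after_question) from a DNS message.

    Question names are expected to be uncompressed."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    # Skip QTYPE and QCLASS (2 bytes each).
    return ".".join(labels).lower() + ".", offset + 4


def is_blocked(qname):
    """True if qname or any of its parent domains is in the blocklist."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) + "." in BLOCKED_DOMAINS:
            return True
    return False


def build_query(name, txid=0x1234):
    """Build a standard recursive A query for name (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def filter_query(query):
    """Return (decision, response_bytes) for a raw DNS query.

    decision is 'blocked', 'allowed' or 'nxdomain'."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, qend = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[qend - 4:qend])
    question = query[12:qend]

    if is_blocked(qname):
        decision, ip = "blocked", BLOCK_PAGE_IP
    elif qname in REAL_A_RECORDS:
        decision, ip = "allowed", REAL_A_RECORDS[qname]
    else:
        decision, ip = "nxdomain", None

    if ip is None or qtype != 1:
        # NXDOMAIN (rcode 3) for unknown names; NOERROR with no answer for non-A types.
        rcode = 3 if ip is None else 0
        header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)
        return decision, header + question

    # One answer: name pointer to offset 12, type A, class IN, TTL 60, 4-byte address.
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return decision, header + question + answer


def answer_ip(response):
    """Extract the address from a one-answer A response (used for checking)."""
    _, qend = parse_qname(response)
    rdata = response[qend + 12:qend + 16]
    return ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    for name in ("rawstream.com", "www.bad.example", "nothing.example"):
        decision, response = filter_query(build_query(name))
        shown = answer_ip(response) if decision != "nxdomain" else "-"
        print(f"{name}: {decision} -> {shown}")
```

The blocked answer is an ordinary A record, so the browser proceeds exactly as for any other site and only discovers the block when the HTTP request reaches the block-page server; a real deployment also needs the block-page server to present a certificate the client trusts, or HTTPS requests to blocked domains will show a certificate error rather than the block page.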
Why Block Access?
There are many reasons why access to a domain is blocked. Domains hosting malware, phishing or other malicious content ought to be blocked. Organisations may have acceptable use policies under which access to certain categories of websites is blocked, for instance adult content or social media sites. An organisation may also block access to filesharing or video streaming websites to control excessive bandwidth use.
DNS filtering is a fast, low-latency technique for controlling access. Only the DNS requests are sent to the Rawstream DNS servers; once they reply, the browser connects directly to the website. Unlike a web proxy, the filter adds no extra hop to the web traffic itself.
Where does DNS filtering fit into the network?
DNS filtering is usually implemented using cloud-based DNS servers. For such implementations, either the network router or the WiFi access points are configured to use the Rawstream DNS IPs. Updating the router enables filtering for every device on that network.
Updating the DNS settings on a router or access point is a quick operation that takes only a few minutes, which makes cloud-based DNS filtering simple and fast to deploy: there is no software to install and no additional hardware is required.
Can DNS Filtering Be Bypassed?
No security solution is 100% foolproof, but a few simple measures will block most attempts at bypassing filtering:
- set the firewall to block all outbound DNS requests (UDP/TCP port 53) except to the Rawstream DNS servers. Note that a port 53 rule does not cover encrypted DNS: DNS over TLS uses TCP port 853 and DNS over HTTPS uses TCP port 443, so also block port 853 outbound and block known public DNS-over-HTTPS resolver endpoints.
- block VPN traffic and access to public web proxy servers.
- restrict the ability of employees to install their own software. Allowing users to install arbitrary software, such as a VPN client or an alternative DNS resolver, leaves a major gap in an organisation's security.
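One way to check that the firewall measures above are actually holding, as an added example that is not part of the original page: a small audit over firewall flow records that flags plain DNS to any resolver other than the approved ones, DNS over TLS on TCP 853, and TCP 443 connections to known DNS-over-HTTPS endpoints. The approved resolver addresses, the DoH endpoint list, the log line format and the log lines themselves are all constructed for the example; the real Rawstream resolver IPs are not given on the page.

```python
"""Audit firewall flow records against the DNS egress policy (added example).

Policy from the bypass section: outbound UDP/TCP 53 only to the approved
filtering resolvers. Also flags DNS over TLS (TCP 853), which a port 53 rule
does not cover. DNS over HTTPS rides on TCP 443 and cannot be told apart from
ordinary HTTPS by port alone, so it is reported only when the destination is
on a known DoH endpoint list.
"""
from collections import Counter

# Hypothetical approved resolver addresses (RFC 5737 documentation range);
# the real Rawstream resolver IPs are not given on the page.
APPROVED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
# Hypothetical list of public DNS-over-HTTPS endpoints the organisation blocks.
KNOWN_DOH_ENDPOINTS = {"203.0.113.10"}


def parse_flow(line):
    """Parse a constructed 'ts src dst proto dport action' record into a dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
            "dport": int(dport), "action": action.lower()}


def classify(flow):
    """Return a violation label for a flow, or None if it complies with the policy."""
    if flow["dport"] == 53 and flow["proto"] in ("udp", "tcp"):
        if flow["dst"] not in APPROVED_RESOLVERS:
            return "plain-dns-to-unapproved-resolver"
        return None
    if flow["dport"] == 853 and flow["proto"] == "tcp":
        return "dns-over-tls"
    if flow["dport"] == 443 and flow["dst"] in KNOWN_DOH_ENDPOINTS:
        return "dns-over-https-known-endpoint"
    return None


def audit(lines):
    """Return (violations, summary) over an iterable of flow log lines.

    A flow the firewall already denied is still a bypass attempt worth
    knowing about, so it is included and carries the firewall action."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            violations.append((flow["src"], flow["dst"], label, flow["action"]))
    summary = Counter(label for _, _, label, _ in violations)
    return violations, summary


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.15 192.0.2.53 udp 53 allow
2024-01-10T09:00:02 10.0.0.23 8.8.8.8 udp 53 deny
2024-01-10T09:00:03 10.0.0.23 8.8.8.8 tcp 853 allow
2024-01-10T09:00:04 10.0.0.42 203.0.113.10 tcp 443 allow
2024-01-10T09:00:05 10.0.0.42 198.51.100.80 tcp 443 allow
""".splitlines()


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    for src, dst, label, action in found:
        print(f"{src} -> {dst}: {label} (firewall: {action})")
    print(dict(counts))
```

In the sample, the port 53 attempt to a public resolver was denied as intended, but the DNS-over-TLS and DNS-over-HTTPS connections from the same hosts were allowed, which is exactly the gap a port-53-only rule leaves; the last line is ordinary HTTPS and is not flagged, since port 443 traffic can only be attributed to DoH by destination, not by port.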