DNS blocking is one of the most effective ways of preventing Internet users from visiting malicious websites or accessing inappropriate online content. To best understand how DNS blocking works, it can be beneficial to know a little about DNS, how you can use DNS for blocking websites, and the different ways in which a DNS block can be applied.
What is the Domain Name System (DNS)?
The easiest way to explain the Domain Name System is to liken it to a telephone directory for the Internet. This is because everything that connects to the Internet – i.e., workstations, tablets, smartphones, websites, servers, etc. – is assigned a numeric Internet Protocol (IP) address.
IP addresses can be long and complicated and difficult to remember, and although it is possible to visit some websites by entering their IP address, it is a lot easier to enter a URL such as (for example) bankofamerica.com into a browser address bar than BOA´s IP address – 18.104.22.168.
When you enter the URL, the Domain Name System sends a query to multiple DNS servers requesting the website´s IP address. As soon as it receives the IP address, the Domain Name System tells your browser what it is so the browser can send a request to retrieve the website´s content.
Because the Domain Name System consists of a hierarchy of root servers, top-level domain servers, and hosting servers, IP address lookups typically take milliseconds; and, in most cases, users are oblivious to the technology going on behind the scenes when they browse the Internet.
Book Free Demo
How You Can Use DNS for Blocking Websites
Most Internet filters work in a similar way by categorizing websites into groups. Some groups of websites are blocked by default if they are known to harbor malware, have been identified as phishing sites, or are generally considered to be unsafe because of exploitable vulnerabilities.
You can select to block additional groups of websites to prevent users accessing inappropriate online content (i.e., websites that promote pornography, gambling, or illegal drugs), or create your own customized groups by selecting websites to block by name (URL) or IP address.
Blocking DNS traffic by IP address enables you to prevent users accessing online content by blocking the website´s DNS servers rather than the website name. For example, Facebook uses multiple domains to deliver content (i.e., fb.com, fbcdn.net, fbsbx.com, etc.). If you wanted to prevent users accessing all Facebook domains, it is more effective to block DNS traffic by IP address.
In addition to using DNS for blocking sites, many Internet filters also allow you to create whitelists that will enable users to access websites included in blocked categories. For example, if you were to block the online shopping category, you could create exceptions for online retailers used by your company (i.e., stationary suppliers, water deliveries, maintenance equipment, etc.).
The Different Ways in Which a DNS Block Can be Applied
Advanced Internet filters that block DNS traffic by URL and IP address offer greater flexibility in how DNS blocks can be applied inasmuch as the filters can be configured to block or allow access to certain websites (or category of website) by individual, group, time, or another attribute. This greater flexibility can be advantageous in multiple use cases – for example:
- Businesses can apply a DNS block to social media sites which excludes marketing personnel and create an exception for lunch breaks.
- Retail businesses can prevent customers visiting competitors´ websites from their Wi-Fi service in order to compare prices.
- Hotels can implement a watershed for adult content in order to create a family-friendly environment during the day.
- School districts can apply age-appropriate policies that control access to online content by grade or by subject.
- All organizations can apply a DNS block by bandwidth to prevent some users streaming videos and choking Wi-Fi services for other users.
As mentioned above, whitelists can be created to avoid scenarios in which access to business-critical websites is blocked. Alternatively, Internet filters such as WebTitan Cloud include “cloud keys” which allow system administrators to temporarily lift restrictions rather than having to manually add websites to a whitelist and then manually remove them to re-impose restrictions.
Book Free Demo
More about DNS Blocking with WebTitan Cloud
WebTitan Cloud is a DNS-based Internet filter that can easily be configured to control access to online content via a series of category filters, keyword filters, and granular policies. The DNS blocking filter works across all wired and Wi-Fi networks; and because it is a cloud-based solution, requires no on-premises hardware or software installations.
WebTitan Cloud is used by organizations of all sizes, MSPs and ISPs to prevent users accessing malicious, illegal, and other prohibited web content – mitigating the risk of cyberthreats such as malware, ransomware, and phishing. WebTitan Cloud can also be used to prevent cyberslacking by restricting access to productivity sinks such as social media and online shopping websites.
If you are an organization, MSP, or ISP that wants to exercise control over Internet access, give our team a call today. Our sales technicians will be happy to explain how WebTitan Cloud works and the best way to implement the solution in your organization. You can also take advantage of a free trial to evaluate the full solution in your own environment.
DNS Blocking FAQs
Do I need to have a DNS filter?
A DNS filter is an important cybersecurity solution that protects against web-based attacks and blocks access to phishing websites and malware and ransomware downloads. Without a DNS filter, you are likely to be reliant on your antivirus software for detecting malware and the ability of your employees to identify and avoid threats on the Internet. A DNS filter therefore greatly improves security.
What are the advantages of DNS filtering over other types of web filter?
A DNS filter filters out web content and gives you control over the sites and content your employees can access. These are features of all web filtering solutions, but with DNS filtering malicious content will be blocked before it is downloaded, there is no need for any software downloads, and you will not need to purchase an appliance.
Does DNS filtering have an impact on speed?
A DNS filter works at the DNS lookup stage of a web request before content is downloaded and filtering controls are applied in a fraction of a second. There is also no need to backhaul traffic to apply controls for roaming users. Most web filters will involve some latency, but DNS filtering will not have any noticeable impact on speed.
Who much does a DNS filtering solution cost?
The starting price for a powerful DNS filtering solution is around $1 per user per month, although the cost can be as high as $3 per user per month or more with some solution providers. WebTitan Cloud is at the low end of the price spectrum and gives SMBs the protection and control they need. The cost is also much lower than dealing with the phishing and malware attacks that a DNS filter will block.
Do I need a DNS filter with SSL inspection?
SSL-encrypted internet communications are invisible to many web filters. If you do not have full SSL inspection, traffic cannot be inspected, evaluated, and blocked. Since most Internet traffic is now SSL encrypted, including malicious websites, SSL inspection is now critical for security.
What does it mean if I get the message the network is blocking encrypted DNS traffic?
The message that the network is blocking encrypted DNS traffic is an issue that has affected some iPhone users since Apple started supporting encrypted DNS in iOS 14. If you get this message, it is likely you are trying to connect to a network via a router that doesn´t support encrypted DNS rather than your ISP is blocking IP address look-ups for encrypted sites. Depending on your router and ISP there are several fixes for this issue, and we recommend you contact your ISP for device-specific help.
How does a DNS blocking service such as WebTitan Cloud prevent users circumnavigating filtering policies by using anonymizer sites?
One of the preconfigured DNS blocking categories on the WebTitan Cloud filter is “anonymizer sites”. By selecting this category, system administrators can prevent users visiting web pages that promote proxies and anonymizers such as the Tor Browser. Alternatively, system administrators can block access to the “search engines” category of website and whitelist a single search engine for use on the corporate network.
How many preconfigured DNS blocking categories does WebTitan Cloud have?
There are 53 preconfigured categories from which to select, plus system administrators can also create customized categories if required. WebTitan Cloud also supports blacklists and whitelists. So, if a system administrator wants to block just one website in an unblocked category – or allow access to one website in a blocked category – WebTitan Cloud can be easily configured to meet the requirements of the organization.
What other options does WebTitan Cloud offer to block DNS traffic?
In addition to preconfigured categories, customizable categories, and blacklists, WebTitan Cloud also supports keyword filtering. Access to websites can be blocked if they contain a specific keyword, or if a keyword reaches an administrator-defined threshold. However, this option for DNS blocking is best used sparingly as it could (for example) prevent students from accessing educational material or hotel customers from accessing valuable tourist information.