What is DNS filtering? | Secure DNS servers

DNS filtering blocks malicious or forbidden websites and applications at the DNS level so that they cannot be loaded on user devices.

Learning Objectives

After reading this article you will be able to:

  • Understand how DNS works
  • Learn where DNS filtering fits into the DNS process
  • Explore the types of attacks that DNS filtering services can block


What is DNS filtering?


DNS filtering is the process of using the Domain Name System to block malicious websites and filter out harmful or inappropriate content. It helps keep company data secure and gives companies control over what their employees can access on company-managed networks. DNS filtering is often part of a larger access control strategy.

What is the Domain Name System (DNS)?

The Domain Name System, or DNS, matches domain names, like cloudflare.com, to IP addresses, like 192.0.2.24. DNS is necessary in order to allow users to access websites without memorizing confusing lists of numbers – just as a person is able to store their friends' phone numbers in their smartphone contacts list instead of memorizing every individual phone number.

Anytime a user opens up a website or accesses a web application, the process of loading the content only starts after the user's device has looked up the correct IP address. These are the steps of discovering an IP address so that a website can load:

  1. Once the user types a domain name into their browser, the user's device creates a DNS query and sends it to a specialized server called a DNS resolver (also known as a recursive resolver). The resolver is usually assigned by the network or configured on the device; it is not a web server.
  2. The DNS resolver matches the queried domain name to an IP address, either by returning an answer it already holds in its cache or by querying additional DNS servers (the root, TLD, and authoritative name servers for that domain).
  3. The DNS resolver sends a reply to the user's device with the correct IP address – this is called "resolving" the domain.
  4. The user's device contacts the server at that IP address to open a connection and begin loading the content.

DNS is an essential part of accessing web content – no content can load before the DNS process occurs. This makes DNS filtering an effective way to exert control over what content users can access.

How do DNS filtering services work?

Nearly all DNS queries go to a DNS resolver. A resolver that is specially configured for filtering can refuse to resolve queries for certain domains that are tracked in a blocklist, thus blocking users from reaching those domains. Instead of the real IP address, the client receives an error response (such as NXDOMAIN or REFUSED) or the address of a "blocked" notice page, depending on the service. DNS filtering services can also use an allowlist instead of a blocklist (more below).

Suppose a company employee receives a phishing email and is tricked into clicking a link that leads to malicious-website.com. Before the employee's computer loads the website, it first sends a query to the company's DNS resolving service, which uses DNS filtering. If that malicious site is on that company’s blocklist, the DNS resolver will block the request, preventing malicious-website.com from loading and thwarting the phishing attack.

DNS filtering can blocklist web properties either by domain name or by IP address:

By domain: The DNS resolver does not resolve, or look up, the IP addresses for certain domains at all. In practice the match usually covers subdomains too, so blocklisting malicious-website.com also blocks login.malicious-website.com.

By IP address: The DNS resolver attempts to resolve all domains, but if an IP address in the answer is on the blocklist, the resolver will not send it back to the requesting device. This catches new or unknown domains that point at already-known bad infrastructure.

What is a blocklist?

In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. DNS filtering vendors may rely upon blocklists that are shared within the cyber security community, generate their own blocklists, or do both. Some DNS filters will even evaluate webpages and add them to a blocklist automatically. For instance, if malicious JavaScript code is observed to run on example.com, example.com will be added to the blocklist.

DNS filtering may also blocklist domains that are not necessarily used for malware or phishing attacks, but that host forbidden or inappropriate content. For instance, a company may wish to add websites that host adult content to their DNS filtering blocklist.

The reverse of a blocklist, an allowlist is a list of allowed domains or IP addresses. All domains or IP addresses that are not on the allowlist are blocked.
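The filtering decisions described above (match the queried name against a blocklist or allowlist, including subdomains, then either answer the client directly or forward the query; and separately drop blocklisted IP addresses from a resolved answer) can be written down as a small program. The following is an added example, not code from the original article or from Cloudflare: it parses a raw DNS query as it arrives on the wire, applies a constructed policy, and builds the NXDOMAIN response a filtering resolver would return. The domains, IP addresses and packets are all constructed for illustration; 192.0.2.0/24 is a documentation range.

```python
"""Minimal DNS filtering logic (added example; constructed policy and packets)."""
import struct
import ipaddress

# Constructed policy. malicious-website.com is the domain used in the article's
# phishing example; the IP is from the RFC 5737 documentation range.
BLOCKLIST_DOMAINS = {"malicious-website.com", "bad.example"}
BLOCKLIST_IPS = {ipaddress.ip_address("192.0.2.66")}
ALLOWLIST_DOMAINS = {"cloudflare.com", "example.org"}

RCODE_NXDOMAIN = 3          # "name does not exist" (RFC 1035)
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format: <len><label>...<0>."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name at offset; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # resume after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a standard query with the recursion-desired (RD) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg: bytes):
    """Return (txid, qname, qtype) from the question section of a DNS message."""
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, qname, qtype


def domain_matches(name: str, policy: set) -> bool:
    """True if name or any parent domain is in policy, so subdomains are covered."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in policy for i in range(len(labels)))


def nxdomain_response(query: bytes) -> bytes:
    """Echo the question back with QR=1, RD=1, RA=1 and RCODE=NXDOMAIN."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                       # qname + qtype + qclass
    header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + question


def filter_query(query: bytes, mode: str = "blocklist"):
    """Filtering decision for an incoming query.
    Returns ("block", response_bytes) or ("forward", qname)."""
    _, qname, _ = parse_query(query)
    if mode == "blocklist":
        blocked = domain_matches(qname, BLOCKLIST_DOMAINS)
    elif mode == "allowlist":
        blocked = not domain_matches(qname, ALLOWLIST_DOMAINS)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return ("block", nxdomain_response(query)) if blocked else ("forward", qname)


def parse_rcode(response: bytes) -> int:
    """Extract the 4-bit response code from a DNS header."""
    return struct.unpack("!H", response[2:4])[0] & 0x0F


def filter_answer_ips(answer_ips):
    """IP-based filtering: drop blocklisted addresses from a resolved answer."""
    return [ip for ip in answer_ips if ipaddress.ip_address(ip) not in BLOCKLIST_IPS]


if __name__ == "__main__":
    for name in ("www.malicious-website.com", "cloudflare.com"):
        print(name, "->", filter_query(build_query(name))[0])
    print(filter_answer_ips(["192.0.2.66", "192.0.2.24"]))
```

A real resolver would forward the "forward" case upstream and run filter_answer_ips over the A/AAAA records that come back; the example stops at the decision so it runs offline. Note that domain_matches walks up the label hierarchy, which is what makes a single blocklist entry cover every subdomain an attacker might generate under it.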

How does DNS filtering help block malware and phishing attacks?

DNS filtering can help keep malware, or malicious software, out of company networks and off of user devices. It can also help block some kinds of phishing attacks.

1. Blocking malicious websites

A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. A number of other attacks are possible as well. For instance, webpages run JavaScript code, and as a full programming language, JavaScript can be used in a range of ways to compromise user devices.

DNS filtering can prevent these kinds of attacks by blocking users from loading malicious webpages at all.

2. Blocking phishing websites

A phishing website is a fake website that is set up to steal login credentials in phishing attacks. The domain used could be a spoofed domain or just an official-looking domain that most users will not think to question. Regardless of the method, the goal is to fool the user into giving their account credentials to an attacker. These websites can be blocked using DNS filtering.

These capabilities depend on the DNS filtering system having already classified the malicious IP addresses or domains as bad. Attackers register new domains very quickly, and it is not possible to blocklist all of them. Two further limits are worth keeping in mind: DNS filtering sees only the name being resolved, not the full URL or the page content, so it cannot distinguish a malicious path on an otherwise legitimate domain; and a device that connects to a hard-coded IP address, or that sends its DNS queries to an unmanaged resolver (for example over DNS over HTTPS), bypasses the filter unless network or device policy forces DNS traffic through it.

How does DNS filtering block prohibited content?

The process for restricting access to certain kinds of content is similar to the process described above; IP addresses or domain names that are known to host prohibited content are blocklisted, and users cannot access them. Alternatively, company-approved websites can be added to an allowlist, with DNS filtering blocking all other websites.

What are secure DNS servers?

A secure DNS server is a DNS resolver that blocks malicious or prohibited websites as part of a DNS filtering service. Some secure DNS servers also offer increased privacy to protect user data; Cloudflare, for example, offers a public DNS resolving service called 1.1.1.1 that purges DNS query logs within 24 hours. The 1.1.1.1 for Families variants add filtering on top of the same resolver: 1.1.1.2 blocks known malware domains, and 1.1.1.3 blocks malware and adult content.

Along with DNS filtering, there are additional ways of making the DNS process more secure, since DNS was not designed with security in mind. With DNSSEC, the owner of a zone signs its DNS records, so a validating resolver can cryptographically verify that the answers it receives are authentic and have not been altered in transit or through cache poisoning. DNSSEC does not encrypt queries. The DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols encrypt the exchange between the user's device and the resolver, so an attacker on the network path cannot eavesdrop on a user's DNS queries or tamper with them to track or redirect the websites they visit; the resolver itself still sees every query, which is why the resolver's own privacy and filtering policy matters.

What is the difference between DNS filtering and web filtering?

Web filtering is a broad term that can refer to a number of methods for controlling web traffic. DNS filtering is one type of web filtering. Other kinds of web filtering include URL filtering, keyword filtering, and content filtering.

Does Cloudflare offer DNS filtering in addition to other DNS services?

Cloudflare offers an authoritative DNS service, a public DNS resolver, and, for companies that want to restrict what employees access on the Internet, DNS filtering capabilities. Cloudflare Gateway is a secure web gateway that includes DNS filtering, along with browser isolation and other technologies that keep internal users secure. Learn more about Cloudflare Gateway, or how secure web gateways work.