
An inside job: how DNS firewalls protect your network


02 March 2017

Tim Rooney, Diamond IP Product Management Director, BT.


Internet firewalls work as a perimeter fence to keep your network safe. But a Domain Name System (DNS) firewall goes one step further — combating internal threats, too.

The gatekeeper: firewalls

When you think of an internet firewall, you likely think of a gatekeeper — examining IP packets as they try to flow through it and then blocking or redirecting these based on certain criteria. These criteria may include filtering parameters such as IP addresses or ports, and when a packet’s flagged up, it’s blocked or dealt with according to policy settings. A DNS firewall’s the same, only for DNS queries — preventing some of these (and subsequent data traffic) from passing through.

An inside job: what firewalls block

Another common assumption associated with internet firewalls is that they’re deployed on the perimeter of a network to keep out external attacks. DNS firewalls, however, protect against attacks from inside the network.

But why worry about internal attacks if morale is sky-high and IP firewalls are seemingly impervious?

With the proliferation of smart phones and ‘bring your own device’ (BYOD) initiatives, devices are leaving the domain of a perfectly firewalled network more often. And this means more opportunity for them to become infected with malware when operated on less secure networks, such as the coffee shop wi-fi or at home.

What happens if your network fails to block a bot

Certain forms of malware infiltrate a device as a remote agent or ‘bot’, which then teams up with several other infected devices to form a ‘botnet’ — where an attacker can command several bots to perform attacks such as distributed denial of service attacks.

A bot on an infected device will typically attempt to contact the attacker’s command and control (C&C) centre to receive its marching orders, and the means of contacting the C&C starts with a DNS lookup. The primary goal of a DNS firewall is to identify such C&C contact attempts, to block them and to identify the infected device.

How a DNS firewall frees your network

Diamond IP supports DNS firewall policies on its Sapphire DNS appliances. A DNS administrator defines DNS firewall policies in standard DNS resource record format, so that DNS queries can be filtered and threats identified.

Policies can be triggered by the source of the DNS query, i.e., the client IP address, and by parameters found while resolving the query, such as the queried name or the resolved IP address. Additional policies may be defined based on from whom the answer arrives, including the resolving name server IP address and domain name.

So for every query, the recursive DNS server filters at multiple points along the way — then takes the required policy action. For example, this could be responding with "not found", "no answer", pass through, or even inclusion of predefined response data — such as directing the session to a walled garden where the user’s access to Web content and services is controlled. And logging of devices triggering DNS firewall policies is instrumental in identifying potential malware-infected devices for remediation.
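To make the policy-as-resource-records idea concrete, here is a small evaluator added as an example (it is not Diamond IP or Sapphire code). It assumes the Response Policy Zone (RPZ) conventions that BIND-style resolvers use for this: the record's owner name is the trigger (client IP, queried name, resolved IP, name server name or name server IP) and its CNAME target is the action. The zone, host names and TEST-NET addresses below are constructed.

```python
import ipaddress
# Constructed policy zone (hypothetical names, TEST-NET addresses). Owner name = trigger; CNAME target
# = action: "." NXDOMAIN ("not found"), "*." NODATA ("no answer"), "rpz-passthru." allow, else redirect.
POLICY_ZONE = """
malware-cc.example.            CNAME .
*.malware-cc.example.          CNAME .
tracker.example.               CNAME *.
allowed.partner.example.       CNAME rpz-passthru.
32.10.113.0.203.rpz-ip         CNAME walled-garden.corp.example.
24.0.100.51.198.rpz-client-ip  CNAME walled-garden.corp.example.
ns.badhost.example.rpz-nsdname CNAME .
32.1.2.0.192.rpz-nsip          CNAME .
"""
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}
STAGES = ("rpz-client-ip", "qname", "rpz-ip", "rpz-nsdname", "rpz-nsip")  # RPZ check order

def decode_prefix(label):
    """RPZ writes 203.0.113.10/32 as '32.10.113.0.203': prefix length, then reversed octets."""
    plen, *octets = label.split(".")
    return ipaddress.ip_network(".".join(reversed(octets)) + "/" + plen)

def load_policy(text):
    """Parse records into (trigger_type, key, action); key is a name or an ip_network."""
    rules = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) != 3 or parts[1] != "CNAME":
            continue
        owner, action = parts[0].rstrip(".").lower(), ACTIONS.get(parts[2], "CNAME " + parts[2])
        ttype = next((s for s in STAGES if s != "qname" and owner.endswith("." + s)), "qname")
        key = owner if ttype == "qname" else owner[: -len(ttype) - 1]
        rules.append((ttype, key if ttype in ("qname", "rpz-nsdname") else decode_prefix(key), action))
    return rules
def name_matches(rule, name):
    name = name.rstrip(".").lower()
    return name.endswith(rule[1:]) if rule.startswith("*.") else name == rule  # "*." = subdomains only

def evaluate(rules, client_ip, qname, answer_ips=(), ns_names=(), ns_ips=()):
    """Run the trigger stages in RPZ order; the first matching rule decides the action."""
    probes = {
        "rpz-client-ip": lambda k: ipaddress.ip_address(client_ip) in k,
        "qname": lambda k: name_matches(k, qname),
        "rpz-ip": lambda k: any(ipaddress.ip_address(a) in k for a in answer_ips),
        "rpz-nsdname": lambda k: any(name_matches(k, n) for n in ns_names),
        "rpz-nsip": lambda k: any(ipaddress.ip_address(a) in k for a in ns_ips),
    }
    for stage in STAGES:
        for ttype, key, action in rules:
            if ttype == stage and probes[stage](key):
                return stage, action  # logging stage and client_ip pinpoints the triggering device
    return None, "PASSTHRU"
```

Note that a pass-through match at the queried-name stage stops evaluation, so a whitelisted name is not later caught by a resolved-IP or name-server trigger.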

Other benefits of DNS firewalls

The beauty of this technique is that, because policies are defined as resource records within a zone, DNS administrators can create their own policies and/or subscribe to a provider of malicious domain (filtering) information, and that provider’s domain information can be distributed by zone transfer to the corresponding recursive DNS servers.

But it’s important to remember that updates of this zone information should be secured via the use of standard DNS access control lists, as well as transaction signatures, to sign incremental or full zone updates.

With Diamond IP, you get management products that support the configuration of DNS firewalls via the web user interface. We are introducing a DNS firewall subscription service for your convenience and also partner with providers of ‘bad domain’ information, configuring these in our system. And customers are free to implement their own policies.

Have a read of our webpage to find out more about how to keep your network secure.