
What Is DNS Filtering?

DNS filtering implements access control based on domain names in DNS request packets to allow or prohibit users' access to certain websites, regulating users' online behaviors. DNS filtering classifies domain names based on the DNS blacklist/whitelist and DNS category to block access to unauthorized domain names and permit access to authorized domain names.

What Is DNS? Why Do We Need DNS Filtering?

TCP/IP uses IP addresses to connect to devices. However, memorizing the IP addresses of devices is difficult for users. A host naming mechanism was therefore designed to map IP addresses to host names in string form. The Domain Name System (DNS) provides the translation and query mechanism between IP addresses and host names.

The DNS uses a hierarchical naming method to specify a meaningful name for a device on the network. In addition, a DNS server is required on the network to bind IP addresses to domain names. In doing so, users can use meaningful and easy-to-memorize domain names instead of IP addresses to identify devices.

After a user enters the domain name of a website in the browser, the browser sends a domain name resolution request to the DNS server. The server returns the IP address corresponding to the domain name, and then the user obtains the corresponding website resources based on the IP address.

With the rapid development of Internet applications and the spread of computer networks into every industry, acquiring, sharing, and disseminating information has become more convenient than ever, while at the same time posing the following unprecedented risks to enterprises and individuals:
  • Employees visiting work-irrelevant websites during working hours reduces work efficiency.
  • Employees visiting illegitimate or malicious websites may expose confidential enterprise information or even introduce threats such as worms, viruses, and Trojan horses.
  • When the intranet is congested, employees may be unable to access work-related websites properly (such as the company homepage and search engine websites), reducing work efficiency.

This is where DNS filtering technology comes in. DNS filtering not only prevents employees from accessing work-irrelevant websites, but is also an important cyber security measure. Specifically, it can block access to malicious websites used for phishing, ransomware, and cryptojacking, preventing serious consequences such as information leakage and property loss.

How Does DNS Filtering Work?

Products (such as firewalls) that support DNS filtering are generally deployed at the border of an enterprise network. When an employee initiates a website access request (DNS request), the DNS filtering function checks whether the domain name in the DNS request is legitimate to determine whether to permit, alert, or block the access request. To be specific, the function:
  • Permits employees' access requests to legitimate websites.
  • Blocks and generates alerts for employees' access requests to illegitimate domain names.
Typical application scenario of DNS filtering

DNS filtering falls into two modes: DNS blacklist-/whitelist-based DNS filtering and DNS category-based DNS filtering. Different DNS filtering modes have different priorities.

DNS Filtering Modes

  • DNS blacklist-/whitelist-based DNS filtering

    The DNS blacklist/whitelist can be considered a special user-defined DNS category, but the control actions for the blacklist and whitelist are fixed and cannot be changed.

    The DNS blacklist/whitelist is typically used to filter websites with simple and fixed domain names. The blacklist is a list of domain names that users are not allowed to access, whereas the whitelist is a list of domain names that users are allowed to access. A device matches the domain names in DNS request packets against the domain names in the blacklist and whitelist. If any whitelist rule is matched, the device permits the request packets; if any blacklist rule is matched, the device blocks the request packets.

  • DNS category-based DNS filtering

    This is the core management and control mode of DNS filtering. Leveraging this mode, the administrator can control the domain names that employees are not allowed to access and those that employees are allowed to access based on DNS categories.

    DNS categories are classified into predefined DNS categories and user-defined DNS categories.
    • Predefined DNS categories: maintain a large number of domain names and categories of mainstream websites. Predefined DNS categories are preset on the DNS filtering-capable device for the administrator to reference, and they can be dynamically updated through the DNS remote query service. Huawei's remote query server provides more than 500 million domain name categories. If a new domain name is not yet covered by the remote query server, the remote query server periodically invokes an access server that simulates access to the domain name, retrieves the web page content, and derives the domain name category from it. The category information is then synchronized to the remote query server.
    • User-defined DNS categories: Although predefined DNS categories have covered a majority of mainstream websites, some new websites may not be covered. Furthermore, enterprises may have their own DNS category policies and want to implement management and control based on the DNS categories defined by themselves. In this case, the administrator can create some user-defined categories as required.

DNS Filtering Procedure

There are multiple DNS filtering modes, so what is the DNS filtering procedure in each mode? Taking Huawei firewalls as an example, the DNS filtering procedure is divided into three phases.
  1. The firewall extracts the domain name of the website accessed by the user from the DNS request packet.
  2. The firewall determines whether the domain name is valid based on the DNS whitelist, DNS blacklist, DNS categories, and remote query results.
  3. The firewall performs the corresponding action based on the domain name matching results, including permit, alert, and block.

The following figure shows the procedure of DNS filtering.

DNS filtering procedure
  1. The firewall extracts the domain name from the DNS request packet.
  2. The firewall checks whether the domain name matches the DNS whitelist.
    • If yes, the firewall permits the traffic.
    • If no, the firewall proceeds to the next step.
  3. The firewall checks whether the domain name matches the DNS blacklist.
    • If yes, the firewall blocks the traffic.
    • If no, the firewall proceeds to the next step.
  4. The firewall checks whether the domain name matches a user-defined DNS category.
    • If yes, the firewall processes the traffic based on the action for this user-defined DNS category.
    • If no, the firewall proceeds to the next step.
  5. The firewall checks whether the domain name matches a predefined DNS category.
    • If yes, the firewall processes the traffic based on the action for this predefined DNS category.
    • If no, the firewall performs remote query.
      • If the remote query server is available, the firewall continues with the remote query.
      • If the remote query server is unavailable, the firewall processes the request based on the default action.
  6. The firewall starts the remote query.
    1. If the remote query server does not respond within a specific period, the firewall takes the action configured for query timeout.
    2. If the remote query server determines that the domain name matches a predefined DNS category, the firewall processes the request based on the control action for this category.
    3. If the domain name does not belong to any category, the firewall processes the request based on the action for the "Other" category.
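The blacklist/whitelist matching described under DNS Filtering Modes and the six-step procedure above, modelled in Python as an added example; this is not Huawei's code or configuration. It assumes that a list or category entry matches the queried name and every subdomain of it (the page does not state how entries are matched), and the lists, categories, actions, the remote query stand-in and the DNS packets are all constructed for the example.

```python
"""Added example (not Huawei's code): a model of the DNS filtering procedure, from
extracting the QNAME out of a raw DNS query through the whitelist -> blacklist ->
user-defined -> predefined -> remote query order. Everything below is constructed."""
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Action(Enum):
    PERMIT = "permit"
    ALERT = "alert"
    BLOCK = "block"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed RFC 1035 query (header + one A/IN question) used as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet: bytes) -> str:
    """Phase 1: read the first question name from the wire format. Labels are
    length-prefixed and ended by a zero byte; a question name never legitimately
    uses compression pointers, so those (and truncated packets) are rejected."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] == 0:
        raise ValueError("truncated header or empty question section")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length, pos = packet[pos], pos + 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length


def domain_matches(name: str, entries: Set[str]) -> bool:
    """An entry matches the name or any parent domain ('corp.test' covers 'www.corp.test')."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in entries for i in range(len(parts)))


@dataclass
class DnsFilterProfile:
    whitelist: Set[str]
    blacklist: Set[str]
    user_categories: Dict[str, Set[str]]
    predefined_categories: Dict[str, Set[str]]
    category_actions: Dict[str, Action]            # category name -> Action
    remote_query: Callable[[str], Optional[str]]   # name -> category, None if unknown
    default_action: Action                          # remote query server unavailable
    timeout_action: Action                          # remote query did not answer in time

    def decide(self, name: str) -> Tuple[Action, str]:
        # Phases 2 and 3: classify in the page's order and return (action, reason).
        if domain_matches(name, self.whitelist):    # whitelist is checked before anything else
            return Action.PERMIT, "whitelist"
        if domain_matches(name, self.blacklist):
            return Action.BLOCK, "blacklist"
        for source, table in (("user-defined", self.user_categories),
                              ("predefined", self.predefined_categories)):
            for cat, entries in table.items():
                if domain_matches(name, entries):
                    return self.category_actions[cat], source + ":" + cat
        try:
            cat = self.remote_query(name)
        except ConnectionError:
            return self.default_action, "remote-unavailable"
        except TimeoutError:
            return self.timeout_action, "remote-timeout"
        if cat is None:
            return self.category_actions["Other"], "Other"
        return self.category_actions[cat], "remote:" + cat


def filter_packet(profile: DnsFilterProfile, packet: bytes) -> Tuple[Action, str]:
    return profile.decide(extract_qname(packet))


def fake_remote_query(name: str) -> Optional[str]:
    """Constructed stand-in for the remote query service, including its failure modes."""
    if name.endswith(".slow.test"):
        raise TimeoutError("no answer within the query period")
    if name.endswith(".down.test"):
        raise ConnectionError("remote query server unavailable")
    return {"video.example.test": "streaming"}.get(name)   # constructed remote categories


PROFILE = DnsFilterProfile(
    whitelist={"intranet.corp.test"},
    blacklist={"phish.test", "bad.intranet.corp.test"},
    user_categories={"internal-tools": {"tools.corp.test"}},
    predefined_categories={"gambling": {"casino.test"}},
    category_actions={"internal-tools": Action.PERMIT, "gambling": Action.BLOCK,
                      "streaming": Action.ALERT, "Other": Action.PERMIT},
    remote_query=fake_remote_query,
    default_action=Action.BLOCK, timeout_action=Action.ALERT,
)
```

Calling filter_packet(PROFILE, build_query("bad.intranet.corp.test")) returns (Action.PERMIT, "whitelist") even though the name is also blacklisted, because the whitelist check runs first; a query for api.down.test falls through every local table and, with the remote query server unavailable, receives the default action, while cdn.slow.test receives the separate query-timeout action.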

How Can We Use DNS Filtering?

The DNS filtering function of Huawei firewalls is easy to configure. All DNS filtering-related configurations are carried in the DNS filtering profile. You can configure the DNS blacklist/whitelist, DNS categories, and categories' control actions in a DNS filtering profile, and reference the DNS filtering profile in a security policy to filter specific domain names.

Configuration logic of DNS filtering

What Is the Difference Between DNS Filtering and URL Filtering?

Both DNS filtering and URL filtering belong to web filtering, but their control granularities and implementation modes are different.

Table 1-1 Comparison between DNS filtering and URL filtering

| Comparison Item       | DNS Filtering                                                        | URL Filtering                                                          |
|-----------------------|----------------------------------------------------------------------|------------------------------------------------------------------------|
| Access control phase  | Performs control in the domain name resolution phase.                | Performs control when an HTTP/HTTPS URL request is initiated.          |
| Control granularity   | Coarse. Control can be performed only at the domain name level.     | Fine. Control can be performed at the directory and file levels.       |
| Impact on performance | Little                                                               | Great                                                                  |
| Control scope         | Controls all services corresponding to the domain name.              | Controls only HTTP/HTTPS access.                                       |

To sum up, DNS filtering is implemented for access control at an earlier stage than URL filtering and can effectively reduce the traffic volume of HTTP packets on the entire network. In contrast, URL filtering can control users' access to network resources in a more refined manner.

In What Scenario Does DNS Filtering Not Take Effect?

Although DNS filtering is an effective way to protect network DNS security, it is not absolutely reliable. In the following scenarios, the DNS filtering function alone cannot achieve the expected filtering effect:
  • For encrypted DNS traffic, such as DNS-over-TLS (DoT), DNS-over-HTTPS (DoH), DNS-over-QUIC (DoQ), and DNS-over-HTTP/3, the DNS filtering function is not available, because the domain name cannot be read from the encrypted request.

    In this case, you need to configure a security policy that blocks encrypted DNS traffic (define custom services and then reference them in the security policy) so that the user's browser falls back to unencrypted DNS. Typical encrypted DNS traffic types and the corresponding service ports are as follows:

    DNS over TLS: TCP 853

    DNS over HTTPS: TCP 443

    DNS over QUIC: UDP 443

    DNS over HTTP3: UDP 853

  • The DNS filtering function does not take effect when a virtual private network (VPN) or proxy server is used for Internet access or when a user modifies the DNS configuration of a host.

To cope with the network security problems that arise when DNS filtering does not take effect, enterprises must continuously improve their network security protection measures, such as deploying anti-DDoS, web application protection, and dedicated DNS servers, to minimize the risks posed by constantly evolving network threats.
