
What Is DNS Filtering?

DNS filtering implements access control based on the domain name carried in DNS request packets, permitting or blocking users' access to websites and so regulating their online behavior. It classifies domain names using a DNS blacklist/whitelist and DNS categories, blocks access to domain names that are not authorized, and permits access to those that are.

What Is DNS? Why Do We Need DNS Filtering?

TCP/IP connects devices by IP address, but users cannot memorize the IP addresses of every device they need to reach. A host naming mechanism therefore maps human-readable host names (strings) to IP addresses, and the Domain Name System (DNS) provides the translation and query mechanism between the two.

The DNS uses a hierarchical naming method to give each device on the network a meaningful name. The network must also have a DNS server that binds domain names to IP addresses, so that users can identify devices by meaningful, easy-to-remember domain names instead of IP addresses.

After a user enters a website's domain name in the browser, the browser sends a domain name resolution request to the DNS server. The server returns the corresponding IP address, which the browser then uses to connect to the website and retrieve its resources.

With the rapid development of Internet applications and the spread of computer networks across every industry, acquiring, sharing, and disseminating information has become more convenient than ever. At the same time, this exposes enterprises and individuals to the following threats:
  • Employees visiting websites unrelated to work during working hours reduces productivity.
  • Employees visiting unregulated or malicious websites may leak confidential enterprise information or bring in worms, viruses, and Trojan horses.
  • When the intranet link is congested, employees may be unable to reach work-related websites (such as the company homepage and search engines), again reducing productivity.

This is where DNS filtering comes in. DNS filtering not only keeps employees off websites unrelated to work, it is also an important cyber security measure: it can block access to malicious websites that carry phishing, ransomware, and cryptojacking, preventing serious consequences such as information leakage and financial loss.

How Does DNS Filtering Work?

Products (such as firewalls) that support DNS filtering are generally deployed at the border of an enterprise network. When an employee initiates a website access request, the DNS filtering-enabled device inspects the domain name in the DNS request, decides whether that name is permitted, and then either lets the request through or blocks it and generates an alert. Specifically, the DNS filtering-enabled device:
  • Permits employees' access requests to allowed domain names.
  • Blocks, and generates alerts for, employees' access requests to disallowed domain names.
Typical application scenario of DNS filtering

DNS filtering has two modes: DNS blacklist-/whitelist-based filtering and DNS category-based filtering. The modes are evaluated in a fixed priority order, described under DNS Filtering Procedure below.

DNS Filtering Modes

  • DNS blacklist-/whitelist-based DNS filtering

    The DNS blacklist/whitelist can be considered a special user-defined DNS category whose control actions are fixed and cannot be changed.

    The DNS blacklist/whitelist is typically used to filter websites with simple, fixed domain names. The blacklist lists domain names that users are not allowed to access, and the whitelist lists domain names that users are always allowed to access. The device matches the domain name in each DNS request packet against both lists: if a whitelist entry matches, the device permits the request; if a blacklist entry matches, the device blocks it. The whitelist is checked first, so a name that appears on both lists is permitted.

  • DNS category-based DNS filtering

    This is the core management and control mode of DNS filtering. In this mode, the administrator can control the domain names that employees are and are not allowed to access based on DNS categories.

    DNS categories are classified into predefined DNS categories and user-defined DNS categories.
    • Predefined DNS categories: a large, vendor-maintained database of mainstream websites' domain names and their categories, preset on the DNS filtering-capable device for the administrator to reference. These categories can be dynamically updated through the DNS remote query service; Huawei's remote query server provides more than 500 million domain name categories. If a domain name is not yet covered by the remote query server, the server periodically invokes an access server to simulate access to the domain name, classifies it based on the retrieved web page content, and synchronizes the resulting category back to the remote query server.
    • User-defined DNS categories: although predefined DNS categories cover most mainstream websites, new websites may not be covered yet, and enterprises may have their own DNS category policies that they want to enforce. In these cases, the administrator can create user-defined categories as required.

DNS Filtering Procedure

There are multiple DNS filtering modes, so how are they combined into one procedure? Taking a Huawei firewall as an example, DNS filtering is divided into three phases.
  1. The firewall extracts the domain name of the website the user is accessing from the DNS request packet.
  2. The firewall determines whether the domain name is permitted based on the DNS whitelist, DNS blacklist, DNS categories, and remote query results.
  3. The firewall performs the corresponding action (permit, alert, or block) based on the matching result.

The following figure shows the procedure of DNS filtering.

Flowchart of DNS filtering on a firewall
  1. The firewall extracts the domain name from the DNS request packet.
  2. The firewall checks whether the domain name matches the DNS whitelist.
    • If so, the firewall permits the traffic.
    • If not, the firewall proceeds to the next step.
  3. The firewall checks whether the domain name matches the DNS blacklist.
    • If so, the firewall blocks the traffic.
    • If not, the firewall proceeds to the next step.
  4. The firewall checks whether the domain name matches a user-defined DNS category.
    • If so, the firewall processes the traffic based on the action for this user-defined DNS category.
    • If not, the firewall proceeds to the next step.
  5. The firewall checks whether the domain name matches a predefined DNS category.
    • If so, the firewall processes the traffic based on the action for this predefined DNS category.
    • If not, the firewall performs remote query.
      • If the remote query server is available, the firewall continues with the remote query.
      • If the remote query server is unavailable, the firewall processes the request based on the default action.
  6. The firewall starts the remote query.
    1. If the remote query server does not respond within the configured period, the firewall takes the action configured for query timeout.
    2. If the remote query server determines that the domain name belongs to a predefined DNS category, the firewall processes the request based on the control action for that category.
    3. If the remote query server cannot assign the domain name to any category, the firewall processes the request based on the action for the "Other" category.
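The following Python program is an added example, not Huawei code and not a description of the firewall's internal implementation. It parses a raw DNS request to extract the queried name (phase 1) and then applies the decision order of the flowchart: whitelist, blacklist, user-defined category, predefined category, and finally a remote query with its timeout, unavailable-server and "Other" outcomes. The sample profile, the remote query stub, the rule that a list entry also matches its subdomains, and the choice to let packets that are not DNS requests pass unfiltered are all assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal standard A-record DNS query (constructed input for the example)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet: bytes) -> Optional[str]:
    """Phase 1: pull the queried domain name out of a raw DNS request.
    Returns None for responses, truncated packets, or compressed question names."""
    if len(packet) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount == 0:          # QR=1 means this is a response
        return None
    labels: List[str] = []
    pos = 12
    while pos < len(packet):
        length = packet[pos]
        if length == 0:
            return ".".join(labels).lower()     # matching is case-insensitive
        if length & 0xC0 or pos + 1 + length > len(packet):
            return None                         # pointer, or label runs past the packet
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return None


def matches(domain: str, entries: List[str]) -> bool:
    """Assumed list semantics: an entry matches the exact name or any subdomain of it."""
    return any(domain == e or domain.endswith("." + e) for e in entries)


@dataclass
class DnsFilterProfile:
    whitelist: List[str]
    blacklist: List[str]
    user_categories: Dict[str, List[str]]        # category name -> domain names
    predefined_categories: Dict[str, List[str]]  # local copy of the vendor database
    actions: Dict[str, str]                      # category name -> permit/alert/block
    default_action: str = "permit"   # remote query server unavailable
    timeout_action: str = "permit"   # remote query did not answer in time
    other_action: str = "alert"      # remote query returned no category ("Other")


RemoteQuery = Callable[[str], Optional[str]]


def decide(profile: DnsFilterProfile, qname: str,
           remote_query: Optional[RemoteQuery] = None) -> Tuple[str, str]:
    """Phases 2 and 3: return (action, reason) following the flowchart's priority order."""
    if matches(qname, profile.whitelist):
        return "permit", "whitelist"
    if matches(qname, profile.blacklist):
        return "block", "blacklist"
    for cat, domains in profile.user_categories.items():
        if matches(qname, domains):
            return profile.actions.get(cat, profile.other_action), "user-defined:" + cat
    for cat, domains in profile.predefined_categories.items():
        if matches(qname, domains):
            return profile.actions.get(cat, profile.other_action), "predefined:" + cat
    if remote_query is None:
        return profile.default_action, "remote query server unavailable"
    try:
        cat = remote_query(qname)
    except TimeoutError:
        return profile.timeout_action, "remote query timeout"
    if cat is None or cat not in profile.actions:
        return profile.other_action, "Other"
    return profile.actions[cat], "remote:" + cat


def filter_packet(profile: DnsFilterProfile, packet: bytes,
                  remote_query: Optional[RemoteQuery] = None) -> Tuple[str, str]:
    qname = extract_qname(packet)
    if qname is None:
        return "permit", "not a DNS request"   # assumption: nothing to filter on
    return decide(profile, qname, remote_query)


# Constructed sample profile; every name below is a documentation/example domain.
SAMPLE_PROFILE = DnsFilterProfile(
    whitelist=["intranet.example.com"],
    blacklist=["tracker.example.net"],
    user_categories={"partners": ["portal.partner.example"]},
    predefined_categories={"gambling": ["bet.example"], "search": ["search.example"]},
    actions={"partners": "permit", "gambling": "block", "search": "permit",
             "malware": "block"},
)

REMOTE_CATEGORIES = {"newphish.example": "malware"}   # constructed remote server data


def fake_remote_query(qname: str) -> Optional[str]:
    """Stand-in for the remote query service; 'slow.example' simulates a timeout."""
    if qname == "slow.example":
        raise TimeoutError
    return REMOTE_CATEGORIES.get(qname)


if __name__ == "__main__":
    for name in ["intranet.example.com", "www.tracker.example.net", "casino.bet.example",
                 "newphish.example", "slow.example", "unknown.example"]:
        print(name, filter_packet(SAMPLE_PROFILE, build_query(name), fake_remote_query))
```

Because the whitelist is consulted before everything else, adding a domain there also bypasses the category actions, so it should hold only names that must never be blocked; the timeout and unavailable-server actions decide whether the device fails open or closed when the remote query service is unreachable.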

How Can We Use DNS Filtering?

The DNS filtering function of Huawei firewalls is easy to configure. All DNS filtering-related configurations are carried in a DNS filtering profile. You can configure the DNS blacklist/whitelist, DNS categories, and categories' control actions in a DNS filtering profile, and reference the DNS filtering profile in a security policy to filter specific domain names.

Configuration logic of DNS filtering

What Are the Differences Between DNS Filtering and URL Filtering?

Both DNS filtering and URL filtering are types of web filtering, but their control granularities and implementation modes are different.

Table 1-1 Comparison between DNS filtering and URL filtering

Comparison Item       | DNS Filtering                                                | URL Filtering
Access control phase  | Control is performed in the domain name resolution phase.   | Control is performed when an HTTP/HTTPS URL request is initiated.
Control granularity   | Coarse: control is possible only at the domain name level.  | Fine: control is possible at the directory and file levels.
Impact on performance | Small                                                        | Large
Control scope         | Controls all services reached through the domain name.      | Controls only HTTP/HTTPS access.

To sum up, DNS filtering enforces access control at an earlier stage than URL filtering and can effectively reduce the volume of HTTP traffic on the network, although it cannot see connections made directly to an IP address. URL filtering, in contrast, controls user access to network resources at a finer granularity.

What Scenarios Are Not Suitable for DNS Filtering?

Although DNS filtering is an effective way to protect network DNS security, it is not entirely reliable. In the following scenarios, DNS filtering alone cannot achieve the expected result:
  • Encrypted DNS traffic, such as DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ), and DNS over HTTP/3 (DoH3), carries the queried domain name inside TLS or QUIC, so the DNS filtering function cannot inspect it.

    In this case, configure a security policy that blocks encrypted DNS traffic (by customizing services and referencing them in the security policy) so that the user's browser or operating system falls back to plaintext DNS. Typical encrypted DNS transports and their ports are:

    DNS over TLS: TCP 853 (RFC 7858)

    DNS over HTTPS: TCP 443

    DNS over QUIC: UDP 853 (RFC 9250)

    DNS over HTTP/3: UDP 443

    Two caveats apply. Port 443 is shared with ordinary HTTPS, so DoH and DoH3 cannot be blocked by port alone; the custom service must target the addresses (or, if the device inspects TLS, the server names) of the resolvers to be blocked. Also, fallback to plaintext DNS happens only in opportunistic DoH modes; a client configured for strict DoH fails to resolve instead of falling back. Firefox additionally disables its default DoH when its canary domain, use-application-dns.net, returns NXDOMAIN from the network's resolver.
  • DNS filtering only sees DNS requests that pass through the filtering device. It therefore does not take effect when Internet access goes through a VPN tunnel or proxy server (the name is resolved inside the tunnel or by the proxy), or when a user modifies the DNS configuration of a host so that its queries no longer traverse the device.
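The following Python snippet is an added example, not Huawei code: it classifies outbound flows to find the encrypted-DNS channels listed above that a DNS filter cannot inspect, so they can be blocked by a separate policy. It encodes the caveat that DoT and DoQ are identifiable by port 853 alone, whereas DoH and DoH3 on port 443 can only be singled out by resolver address or TLS server name. The flow records, the resolver addresses (documentation-range IPs) and the resolver name are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed: public DoH/DoH3 resolvers the organisation has decided to block.
# Documentation-range addresses; a real deployment lists the resolvers' real IPs.
KNOWN_DOH_RESOLVER_IPS = {"192.0.2.53", "198.51.100.53"}
KNOWN_DOH_RESOLVER_NAMES = {"dns.resolver.example"}   # assumed TLS server names


@dataclass
class Flow:
    proto: str                 # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None  # TLS server name, if the device saw the ClientHello


def classify_encrypted_dns(flow: Flow) -> Optional[str]:
    """Name the encrypted-DNS transport a flow most likely carries, or None."""
    if flow.dst_port == 853:
        # Port 853 is reserved for DNS: TCP is DoT (RFC 7858), UDP is DoQ (RFC 9250).
        return "DoT" if flow.proto == "tcp" else "DoQ"
    if flow.dst_port == 443 and (flow.dst_ip in KNOWN_DOH_RESOLVER_IPS
                                 or flow.sni in KNOWN_DOH_RESOLVER_NAMES):
        # Port 443 is ordinary HTTPS unless the peer is a known resolver;
        # HTTP/3 runs over QUIC, hence UDP.
        return "DoH" if flow.proto == "tcp" else "DoH3"
    return None


def flows_to_block(flows: List[Flow]) -> List[Flow]:
    """Return the flows a 'block encrypted DNS' security policy should match."""
    return [f for f in flows if classify_encrypted_dns(f) is not None]


# Constructed sample flows: one of each transport plus ordinary HTTPS and plaintext DNS.
SAMPLE_FLOWS = [
    Flow("tcp", "203.0.113.10", 853),                         # DoT
    Flow("udp", "203.0.113.10", 853),                         # DoQ
    Flow("tcp", "192.0.2.53", 443),                           # DoH by resolver IP
    Flow("udp", "198.51.100.53", 443),                        # DoH3 by resolver IP
    Flow("tcp", "203.0.113.80", 443, "dns.resolver.example"),  # DoH by SNI
    Flow("tcp", "203.0.113.80", 443, "www.shop.example"),      # ordinary HTTPS, keep
    Flow("udp", "203.0.113.53", 53),                          # plaintext DNS, filterable
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f, "->", classify_encrypted_dns(f))
```

Plaintext DNS (UDP/TCP 53) is deliberately left alone so that the DNS filtering profile can still see and act on it once clients fall back.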

The scenarios above are gaps that DNS filtering alone cannot close, so enterprises need to keep layering additional protection, such as anti-DDoS, a web application firewall, and dedicated internal DNS servers that are the only resolvers allowed through the border. In this way, they can minimize the risks brought by constantly evolving network threats.
