NordVPN Promotion

Home / Blogs

Multi-Layer Security Architecture - Importance of DNS Firewalls

In today’s world with botnets, viruses and other nefarious applications that use DNS to further their harmful activities, outbound DNS security has been largely overlooked. As a part of multi-layer security architecture, a DNS Firewall should not be ignored.

After serving as a consultant for multiple organizations, I have encountered many companies that allow all internal devices to send outbound DNS queries to external DNS servers—a practice that can lead to myriad problems, including cache poisoning and misdirection to rogue IP addresses. For companies that want to enable internal devices to send these types of queries, having the ability to manually or automatically blacklist domains is a very effective way to add a layer of security to a broader security architecture.

DNS & Blacklisting

Companies of all sizes are susceptible to DNS attacks. Depending on the type of external recursive DNS server that is running, there are a number of ways to tighten your outbound DNS recursive service, from manual domain blocking to fully automated updates as threats appear.

I recently worked with a company that was infected by a virus that got ahead of the anti-virus software for a short period of time. The security team knew that approximately 100-150 domains were actively being resolved to aid in the spread of the virus and payload. We resolved the issue by manually blacklisting the affected domains.

Infoblox has created a very compelling solution that allows users to update their blacklist as threats emerge. While we were able to successfully help mitigate the threat with manual updates, the Infoblox solution would have enabled us to be even more proactive.

If your company is small and runs a DNS server in house, using something tried and true, such as BIND can benefit you from this type of added security. Depending on where you prefer to source your list of blacklisted domains, these can be loaded to the external recursive server—causing a DNS firewall effect. The server will need to be updated regularly, removing domains that no longer need to be blacklisted and adding new domains on an as-needed basis.

Ensuring that the DNS firewall architecture is as effective as possible will require reviewing your firewall rules. For example, I recommend restricting outbound port 53, Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) ,to allow only recursive server IP addresses access to the Internet on port 53 UDP/TCP. This rule would need to allow access to ANY IP address on the Internet, as these servers will have to walk the DNS tree and resolve DNS from servers worldwide.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Jesse Dunagan, Senior Professional Services Engineer at Neustar

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

NordVPN Promotion