Subnet Mask Cheat SheetRecords Cheat SheetGeoDNS ExplainedFree Network TroubleshooterKnowledge BasePricing CalculatorLive CDN PerformanceVideo Demos
BlogsNewsPress ReleasesIT NewsTutorials
Give us your email and we'll send you the good stuff.
Heather Oliver is a Technical Writer for Constellix and DNS Made Easy, subsidiaries of Tiggee LLC. She’s fascinated by technology and loves adding a little spark to complex topics. Want to connect? Find her on LinkedIn.
Everyone knows that a firewall is for blocking access to network resources—or at least you should. It’s such an important part of keeping computers safe that most modern operating systems come with this technology out of the box. But there’s a different kind of firewall that falls on the server-side of things—the DNS firewall. In this resource, you’ll learn all about this layer of protection and how it functions.
Tip: Want to learn more about recursive and authoritative DNS? Check out our blog: Authoritative and Recursive DNS: What’s the Difference?
Just as a computer firewall monitors incoming and outgoing web traffic for personal devices and blocks unsafe connections, a DNS firewall functions the same way. The difference is that DNS firewalls analyze and filter queries based on threat feeds and threat intelligence. There are two types of DNS Firewalls, those for recursive servers and those for authoritative servers. Recursive firewalls protect users, while firewalls applied to authoritative nameservers protect the business or actual domain.
When a query is made from a user’s device, the DNS resolver verifies the safety of the request against a threat feed. If the query is for a site listed in the feed, it will be blocked and the user will be unable to gain access. If no security threat is detected, the query resolves as usual and the user will be taken to their intended destination.
When a device uses a recursive nameserver that has enabled DNS firewall protection, each DNS query is analyzed before the proper IP is returned to the client/device.
When a DNS firewall is applied to an authoritative DNS server, it is done by creating rules based on certain criteria. For example, a company that doesn’t want to receive traffic from a specific region or country can set up a filter that prevents devices that match the criteria from accessing its network or server. This protects the domain from malicious or unwanted web activity.
Authoritative DNS firewalls are most often used to protect a domain from specific countries and/or networks (ASNs).
Did you know?: Constellix allows you to create your own DNS firewalls by using GeoIP filtering. With this feature, you can create custom business rules that sit in front of your DNS and block or filter traffic by location (down to the city level), IP address, and Autonomous System Network (ASN) number.
Because DNS servers weren’t specifically designed to work in a firewall environment, special server configurations are required to run firewalls properly. One such method is using BIND, which is an open source program that functions as a recursive and authoritative server. This configuration necessitates the need for advanced understanding of both BIND and DNS, as well as firewalls and their capabilities. Because DNS firewalls were not originally intended to be part of the DNS protocol, there are special configurations that are often necessary in order for them to accomplish the desired action of the system/security administrator.
Much like a computer firewall, DNS firewalls block malicious or suspicious sites but at the DNS level. The types of sites that are found in threat feeds are:
Businesses of any size can benefit from the additional layer of security a recursive DNS firewall provides, but it is most often used in enterprise-level organizations and educational institutions. This is especially useful when large volumes of employees are accessing a company network. DNS firewalls not only protect from intentional connections to harmful sites, but prevents unwitting access to malicious sites and applications as well.
Enterprises, small businesses, and other domain owners can also protect their network from bad actors and suspicious or unwanted traffic by creating a firewall for their authoritative nameservers via GeoDNS solutions.
The world is becoming more digitized by the second. New technologies are constantly being developed and more work is being done online than ever before. With the increase in user activity also comes an increase in cybercrime. Additional layers of security are becoming a necessity for businesses that rely on a web presence.
If you found this useful, why not share it? If there’s a topic you’d like to know more about, reach out and let me know. I’d love to hear your thoughts!
Liked this? You might find these helpful:
Sign up for news and offers from Constellix and DNS Made Easy