What Is a DNS Firewall?
A domain name system (DNS) firewall prevents users from going to malicious websites by offering protection against websites that could infect a computer or network with malware. Admins can also use firewall configuration to block sites they don’t want employees to visit.
In these respects, a DNS firewall provides similar protections as a normal firewall, at least when it comes to which websites it allows users to visit.
How Do DNS Firewalls Work?
A DNS firewall works by filtering the traffic that moves along DNS endpoints. This filtration process checks all the traffic using specific rules and policies. If the firewall finds that the traffic violates one of these policies or rules, the web request gets blocked.
A DNS firewall gets updated automatically with the latest DNS threat data, enabling it to protect you against current and past threats.
Suppose you have a DNS firewall to protect your organization’s network. A user gets a phishing email that looks convincing. The apparent sender is asking the user to log in to their bank account to change their username and password because the bank’s security team has supposedly discovered that an attacker has obtained a list of usernames and passwords of the bank’s clientele.
The user clicks on a link in the email that supposedly brings them to their bank’s site. Without a DNS firewall, the user may be able to access the fake site the hacker has built to impersonate their bank’s page. But if this fraudulent site has been registered in the DNS firewall’s system, the user won’t be able to access the site.
This is one of the most significant firewall benefits. While a DNS firewall can’t block all phishing attacks, it can reduce the likelihood of an attacker launching these or other digital assaults.
How Does a DNS Firewall Help Resolve Business Security?
A DNS firewall helps address business security concerns by providing enterprises with intelligence-backed web filtration services. In other words, it uses threat intelligence to prevent users from visiting the kinds of sites that could result in:
- Data exfiltration
- Phishing, spear-phishing, and whale-phishing attacks
- Ransomware attacks
- A range of different malware
Your DNS firewall system can automatically refresh itself with data about new threats on the horizon. As a result, any website-based threat registered in the DNS firewall’s system is effectively neutralized before it even gets a chance to attack.
Challenges
Some challenges arise when implementing a DNS firewall, particularly when it comes to deciding which sites to block. If your DNS firewall configurations are too strict, they may make it impossible for employees to visit sites they need to do their jobs.
For example, some companies may use a DNS firewall to block social media sites. But if a company you're doing business with has a Facebook page, for instance, there may be valuable information on it that your employees could use.
DNS Firewall vs Next-Generation Firewall
There are some significant differences between DNS firewalls and next-generation firewalls (NGFWs), particularly when it comes to how they detect threats and the kinds of threats they identify.
How to Choose Between a DNS Firewall and an NGFW
When deciding which kind of firewall to use, it's important to understand how each one functions.
A DNS firewall focuses on preventing users and systems from accessing malicious websites that can pose a wide range of threats. It compares the DNS data of a request what it already has in its system. If the comparison reveals a match with a potential threat, the user or computer isn’t allowed to access the site.
An NGFW can also block potentially malicious websites. However, one of the primary ways an NGFW prevents attacks is by using deep packet filtration. This is when the NGFW inspects the header information and contents of data packets trying to cross the firewall. If the NGFW detects a threat, the packet gets discarded, protecting your organization from a potential attack.
You can use both a DNS firewall and an NGFW together, and this could be effective because they perform different functions. But if you have to choose one over the other, you may want to consider the following differences.
Consider the Limitations of NGFWs and DNS Firewalls
Even though an NGFW can inspect incoming data packets, it’s not a DNS server. Therefore, an NGFW can’t inspect DNS queries or responses to identify malware that uses DNS protocols.
At the same time, a DNS firewall port won’t be able to identify malware hidden in data packets. At best, it can only identify malicious sites that have been known to propagate malware. Since a DNS firewall can’t directly detect malware, it’s still best to use an NGFW.
An NGFW can also detect threats based on their behavior, such as where they came from and where they’re trying to go in your network. A DNS firewall can’t perform these functions because it only focuses on checking the DNS data of requests and responses.
Using Both a DNS Firewall and a NGFW Together
In some ways, DNS firewalls and NGFWs are similar in name only. They both act as firewalls in that they prevent threats from trying to enter and exit your network. In addition, they can stop many of the same categories of threats, such as ransomware and other kinds of malware. But that’s where the similarities end.
It’s best to take an integrative approach when considering which one to get. An NGFW may be a more flexible solution, primarily because you can position it at various points in your network. This empowers you to segment your network using multiple NGFWs, creating security “walls” between each segment. Then, if an insider introduces a threat, it may not be able to move east-west to another area of your network because the NGFW is there to catch it. A DNS firewall can’t do this because it’s positioned between your organization’s network and the rest of the internet.
Types of Threats Blocked by DNS Firewalls
A DNS firewall can block a wide range of website-based threats, including:
- Adware
- Phishing websites
- Spyware
- Hijacked Internet Protocol (IP) addresses
- Ransomware
- Nameserver hosts with bad reputations
- Computers infected with botnets
- Data exfiltration
- Botnet hosts
- Malware dropping sites
- Bogon, or illegitimate IP addresses
How Fortinet Can Help
FortiGate, the Next-Generation Firewall (NGFW) by Fortinet, provides the deep packet inspection capabilities you need to prevent breaches and business interruptions from ransomware and other malware. FortiGate also provides full visibility into network activity so you can be aware of threats targeting your system. In addition, you can use one or a few instances of FortiGate to consolidate your security, simplifying your system without sacrificing your protection.
With FortiGuard Labs and Research, you get a range of services that improve your overall threat intelligence posture. For example, your organization gets outbreak alerts regarding new threats that have recently posed a significant danger. FortiGuard also provides reports regarding newly discovered vulnerabilities. And every week, you get threat briefs that outline the most concerning hacker activity on the internet. FortiGuard also provides users with insights and discoveries produced by the FortiGuard research center. These can help cybersecurity teams mitigate the most prevalent attacks.
FAQ
Do I need a DNS firewall?
Not every network needs a DNS firewall, but having one provides a valuable extra layer of protection. For example, if you have an NGFW, a threat from a malicious site could potentially sneak through. Likewise, your NGFW may not be able to stop fileless malware, which is often embedded in apparently benevolent software. But if the site that dropped the malware has been registered by your DNS firewall’s system, then the threat would be prevented.
How do you make DNW work with a firewall?
A DNS works alongside a firewall, and both of them protect your organization from threats. For instance, you can install an NGFW while also having a DNS firewall in place. Every transmission coming from a malicious website that the DNS firewall indicates is a threat gets blocked by your DNS firewall. At the same time, malicious data packets, ones that come from sources other than sites that get flagged by the DNS firewall, can be discarded by your NGFW.
