DNS filtering: securing web traffic from uncontrolled devices
With the growth of uncontrolled equipment, a new need for protection is emerging
Digital transformation has changed our working environments and tools at an incredible speed, and this is not without consequences for cybersecurity: the web has become one of the primary vectors for the spread of malware and other cyber-attacks.
Although the web proxy (or web security gateway) is a formidable and effective tool for protecting corporate web traffic, some recent trends call for a complementary approach. These include:
- the acceleration of mobility, with unmanaged devices such as cell phones and tablets connecting to the network (BYOD, Bring Your Own Device);
- the growing number of business devices that update themselves autonomously over the Internet, such as hospital equipment (MRI scanners, etc.);
- the rapid increase in the number of objects connected to the network (peripherals, sensors of all kinds, cameras, etc.).
What these devices have in common is limited computing capacity, or a configuration that makes it difficult to deploy a proxy agent (the client-side component that forces traffic through the web proxy).
DNS filtering addresses these cases: it protects web traffic on such devices without installing anything on them.
What is DNS?
The DNS (Domain Name System) translates a domain name into the various types of information associated with it, including the IP addresses of the hosts that carry the name.
When a user enters a URL in the browser, the browser asks its configured DNS resolver (whose address it knows, typically from DHCP) to look up the host name in the URL and return the corresponding IP address.
Companies run their own DNS servers to resolve queries for their internal zones, and forward queries that do not concern internal zones to other resolvers.
DNS is a fundamental component of the Internet, used by all devices: workstations, tablets, smartphones, connected objects (IoT).
DNS is therefore a control point on which DNS filtering tools can rely to cover traffic from every device, whatever port or protocol the application then uses, since almost every connection starts with a name lookup. The limit to keep in mind is that a DNS filter sees nothing of connections made directly to an IP address, nor of lookups sent to another resolver (a browser's built-in DNS over HTTPS, for instance); those paths have to be closed at the network edge for the filtering to be complete.
DNS filtering
When a DNS server is configured to block access, it consults a list of prohibited domains. When the browser requests the IP address of one of these domains, the DNS server returns a deliberately false resolution. The de facto standard for this mechanism is RPZ (Response Policy Zones), supported by most recursive resolvers (BIND, Unbound, PowerDNS Recursor, Knot Resolver, among others): the policy is distributed to the resolvers as an ordinary DNS zone whose records say which names to rewrite and how, so that the recursive resolver returns a modified result. By modifying the result, access to the corresponding host is blocked.
Depending on the policy, the resolver answers NXDOMAIN (the name does not exist), NODATA (the name has no record of the requested type) or a "walled garden" address that points to a block page. Without the real IP address of the service it is trying to reach, the client cannot open the connection; the user sees a resolution error, or the block page when the resolver redirected the name. With HTTPS, a redirect produces a certificate warning rather than a block page, because the block-page server cannot present a valid certificate for the blocked name, which is why many deployments simply answer NXDOMAIN. Since the browser never learns the real IP address of the website, it cannot contact it to obtain the web page, and every service and web page served under that domain name becomes inaccessible, whatever port it uses.
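As an added example (not Olfeo's code and not any resolver's implementation), the following Python model reads a constructed RPZ zone written in the real zone-file syntax and applies the QNAME-trigger rules the way a recursive resolver does: an exact trigger wins, then the closest enclosing wildcard; the special CNAME targets `.`, `*.` and `rpz-passthru.` encode NXDOMAIN, NODATA and pass-through, and any other record is "local data", i.e. a walled-garden redirect. The zone content, the `rpz.local` apex and the 10.10.10.10 block-page address are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample zone in real RPZ zone-file syntax. The owner name left of the
# policy zone apex (rpz.local.) is the query name that triggers the policy; the
# RDATA encodes the action.
RPZ_ZONE = """
$TTL 300
$ORIGIN rpz.local.
@                   IN SOA   localhost. hostmaster.localhost. 1 3600 900 604800 300
@                   IN NS    localhost.
malware.example     IN CNAME .              ; NXDOMAIN: the domain "does not exist"
*.malware.example   IN CNAME .              ; NXDOMAIN for every subdomain too
ok.malware.example  IN CNAME rpz-passthru.  ; exception: this one name resolves normally
tracker.example     IN CNAME *.             ; NODATA: name exists but has no records
*.adult.example     IN CNAME *.             ; NODATA for subdomains only
phish.example       IN A     10.10.10.10    ; walled garden: answer with the block-page IP
"""

ORIGIN = "rpz.local"   # assumed apex of the policy zone


@dataclass(frozen=True)
class Decision:
    action: str                  # NXDOMAIN, NODATA, PASSTHRU, REDIRECT or RESOLVE
    trigger: Optional[str]       # policy record that matched, None if none did
    data: Optional[str] = None   # walled-garden RDATA when action is REDIRECT


def parse_rpz(zone_text: str, origin: str = ORIGIN) -> dict[str, tuple[str, str]]:
    """Collect the QNAME triggers of an RPZ zone as {trigger: (rrtype, rdata)}."""
    policy: dict[str, tuple[str, str]] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()           # strip comments and blanks
        if not line or line.startswith(("$", "@")):   # directives, apex SOA/NS
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH")):
            rest.pop(0)                               # optional TTL / class tokens
        rrtype, rdata = rest[0].upper(), " ".join(rest[1:])
        trigger = owner[:-1] if owner.endswith(".") else owner   # absolute or relative
        if trigger.endswith("." + origin):
            trigger = trigger[: -len(origin) - 1]
        policy[trigger.lower()] = (rrtype, rdata)
    return policy


def decode_action(rrtype: str, rdata: str, trigger: str) -> Decision:
    """Map RPZ's special CNAME targets to actions; anything else is local data."""
    if rrtype == "CNAME":
        target = rdata.lower()
        if target == ".":
            return Decision("NXDOMAIN", trigger)
        if target == "*.":
            return Decision("NODATA", trigger)
        if target == "rpz-passthru.":
            return Decision("PASSTHRU", trigger)
    return Decision("REDIRECT", trigger, rdata)


def lookup(qname: str, policy: dict[str, tuple[str, str]]) -> Decision:
    """Decide what the resolver answers for qname: exact trigger first, then the
    closest enclosing wildcard, otherwise normal recursion."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return decode_action(*policy[name], name)
    labels = name.split(".")
    for i in range(1, len(labels)):                   # *.parent, *.grandparent, ...
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return decode_action(*policy[wildcard], wildcard)
    return Decision("RESOLVE", None)


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    for q in ("malware.example", "cdn.malware.example", "ok.malware.example",
              "tracker.example", "www.adult.example", "phish.example", "www.example.com"):
        d = lookup(q, policy)
        print(f"{q:24} -> {d.action:8} via {d.trigger or '-'} {d.data or ''}")
```

Running the file prints the decision for each sample name. Two details worth noticing: a wildcard trigger does not cover the bare name (hence the pair `malware.example` and `*.malware.example`), and an exception is written as a more specific trigger pointing at `rpz-passthru.`, which wins over the wildcard for that exact name.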
In some environments, setting up a web proxy is a complex operation that can also affect browsing performance, and IT security managers may find that such a solution only covers certain ports and protocols (typically HTTP and HTTPS).
The URL database at the heart of DNS filtering
The effectiveness of DNS filtering is closely linked to the quality of the URL database behind it. A corporate resolver handles a very large number of queries every day, so the same categorisation and threat rules that apply to conventional web traffic must be applied to DNS lookups, so that a threat or an inappropriate browsing destination is ruled out at the first resolution, in real time.
For example, the Olfeo URL database, maintained over the last 20 years by a dedicated team, makes all the difference: according to Olfeo, 99% of the legitimate web is known, the browsing categories relevant to French law are covered, and DNS traffic is blocked in real time.
What are the use cases for DNS filtering?
School tablets
Many schools provide their pupils with tablets to support learning through digital tools. This equipment must of course include filtering to prevent young pupils from reaching content that is inappropriate, illegal or could compromise the device itself.
Given the sheer number of these devices, it is difficult to deploy and maintain agent- and proxy-based filtering on such fleets, especially when they are mobile, with students taking their tablets or PCs home.
Agent-free DNS filtering is well suited here. Easy to deploy, configure and maintain for schools or local authorities, and requiring no local agent on the devices, DNS filtering makes it straightforward to protect students' web browsing.
Guests on company networks / BYOD
Companies give their guests (visitors, consultants, service providers) access to their network, especially over Wi-Fi, to reach the web. Since these devices are not under the company's control, no web filtering agent can be installed on them, and they can carry a significant risk.
DNS filtering makes it possible to secure these devices without having control over them. By connecting them through a captive Wi-Fi portal that hands out the filtering resolver, for example, their DNS requests can be filtered to secure their traffic and apply the corporate Internet charter. This only holds if the guest network also prevents the devices from using any other resolver: outbound DNS on port 53 should be redirected to the filtering resolver at the gateway, and DNS over TLS (port 853) and known DNS over HTTPS endpoints blocked.
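DNS filtering only protects a guest device that actually uses the filtering resolver. The following Python example, added here and not part of Olfeo's offer, runs the check a practitioner would want over constructed gateway flow records: it flags clients sending plain DNS to any other resolver, using DNS over TLS (port 853), or talking on port 443 to public resolvers known to offer DNS over HTTPS. The resolver address 10.0.0.53, the client addresses, the flow lines and the DoH watch list are assumptions; DNS over HTTPS to an arbitrary host cannot be told apart from ordinary HTTPS by address alone, so the watch list only catches the well-known public endpoints.

```python
from __future__ import annotations

from collections import defaultdict
from typing import Optional

# Assumed address of the filtering resolver that the captive portal's DHCP hands out.
FILTERING_RESOLVER = "10.0.0.53"

# Constructed watch list: public resolver addresses that also serve DNS over HTTPS on 443.
PUBLIC_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed flow records as a guest-network gateway might export them:
# timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2024-05-02T08:01:11Z 10.20.0.15 10.0.0.53      udp 53  88
2024-05-02T08:01:12Z 10.20.0.15 93.184.216.34  tcp 443 5120
2024-05-02T08:02:03Z 10.20.0.22 8.8.8.8        udp 53  91
2024-05-02T08:02:40Z 10.20.0.31 1.1.1.1        tcp 853 2310
2024-05-02T08:03:15Z 10.20.0.40 1.1.1.1        tcp 443 1877
2024-05-02T08:03:16Z 10.20.0.40 10.0.0.53      udp 53  76
"""


def classify(dst: str, dport: int) -> Optional[str]:
    """Return why one flow bypasses the filtering resolver, or None if it does not."""
    if dport == 53 and dst != FILTERING_RESOLVER:
        return f"plain DNS to unsanctioned resolver {dst}"
    if dport == 853:
        return f"DNS over TLS to {dst}"
    if dport == 443 and dst in PUBLIC_DOH_RESOLVERS:
        return f"probable DNS over HTTPS to {dst}"
    return None


def find_bypass(flow_text: str) -> dict[str, list[str]]:
    """Group bypass findings by client address; clients with none are omitted."""
    findings: dict[str, list[str]] = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _proto, dport, _nbytes = line.split()
        reason = classify(dst, int(dport))
        if reason:
            findings[src].append(reason)
    return dict(findings)


if __name__ == "__main__":
    # 10.20.0.40 queries the sanctioned resolver *and* a DoH endpoint: the browser's
    # own DoH setting is bypassing the filter while the OS resolver still looks compliant.
    for client, reasons in sorted(find_bypass(SAMPLE_FLOWS).items()):
        for reason in reasons:
            print(f"{client}: {reason}")
```

On a real gateway the same findings translate into enforcement rules: redirect all port-53 traffic from the guest network to the filtering resolver, and drop port 853 and the watch-listed addresses, so that the check above only reports what the firewall failed to catch.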
Communicating business equipment - Internet of Things
With the advent of the Internet of Things (IoT), hundreds of millions of devices are connected to the Internet with little cyber protection and high exposure to attack. Cameras, thermostats, parking sensors and the like run on simple, limited hardware, often for reasons of power consumption, and cannot run a filtering agent.
Routing their DNS queries, and therefore the start of every connection they make, through a DNS filtering solution protects IoT devices without installing an agent or supervising a large fleet of machines.
Conclusion
DNS filtering is an effective and simple way of securing web traffic on uncontrolled devices such as tablets, BYOD or IoT. Used in conjunction with URL filtering, it covers the whole IT estate and limits exposure to malicious domains that could present a security risk.
To find out more about Olfeo's DNS filtering offer, click here to visit our dedicated page.