Managing Domain Name System (DNS)

DNS has been an essential part of the Internet since 1985, locating computers and services by human-friendly names.
Most services use DNS, so controlling DNS is a critical component in managing which services users can and cannot reach.
Blocking or filtering hostnames or domain names is an effective way of controlling access to many applications, which we need in order to enable effective information security and safeguarding.

An example of this is the effective blocking of Apple iCloud Private Relay by blocking the service names “mask.icloud.com” and “mask-h2.icloud.com”.

Within an organisation, the DNS servers that client devices use to resolve DNS queries are set via DHCP to the organisation's preferred DNS servers. However, these can often be changed manually by the user to either a free and ‘open’ server on the Internet or one controlled by the individual user. Locking down the ability of users to change this should be considered important to general information security, and it is necessary in order to implement DNS controls.

DNS has seen many recent improvements targeted at privacy and security; however, many of these also make controlling DNS and implementing DNS filtering at a firewall more challenging.

In order to implement effective DNS controls, it is necessary to force users on the local network to use only DNS servers and services on the local network, to implement logging and filtering on those servers, to block DNS at the firewall from all devices except the local DNS servers, and to ensure that DNS over TLS (DoT), DNS over HTTPS (DoH), DNS over QUIC (DoQ) and DNSCrypt are successfully blocked at the firewall.

Examples of circumvention of these kinds of controls:

  • Browsers, and increasingly smartphones and other devices, implement DoT / DoH / DoQ regardless of the operating system's DNS settings, necessitating effective blocking of these services.
  • If the user can establish a VPN or Tor connection, DNS traffic can be routed via that tunnelled connection, evading logging and filtering.
  • If the user can connect to external DNS servers, such as Google’s 8.8.8.8 and 8.8.4.4 or Cloudflare’s 1.1.1.1, using any supported protocol or other obfuscation, local DNS controls can be evaded.
  • If the user can access a service via an IP address directly, then DNS controls can be bypassed.

Products we can provide to enable these controls:

Our commercial VPN blocking products include lists of hosts and domains to implement DNS blocking of these applications on a suitable DNS server and firewall deployments.
Our application control products include lists of hosts and domains to block in order to prevent access to those applications or services.
Our DNS control product includes lists of IP addresses to block traffic at the firewall to prevent access to common public DNS resolver services.

If we process your firewall logs on your behalf, and the logs include URI data, we can detect applications using faked URIs to bypass next-generation firewall application controls, such as VPNs pretending to be Facebook traffic.