A DNS firewall is a specialized device that can modify the responses given by a name server. While the typical network firewall blocks or allows traffic between networks based on a set of potentially complex and detailed rules, a DNS firewall has one simple, yet powerful decision to make when responding to a DNS query: should I allow this request, or should I intervene and take action?
There are several scenarios where malicious traffic could traverse a network firewall but be blocked by a DNS firewall:
Imagine a scenario where a user clicks on a link in a phishing email to visit somethingevil.com. At a high level, the following happens:
A DNS firewall can block a malicious request by modifying the response of DNS. By providing a “no data” response to , the network disappears ― it goes into stealth mode in a sense ― which protects the network. The modified response can be any of the following:
By logging and reporting on the requests denied or modified by a DNS firewall, a network administrator can also be alerted to potential problems within a network.
A DNS firewall does more than just block requests for malicious domain names. Let’s say the DNS record for “usuallyagoodwebsite.com” was compromised, and is suddenly resolving to an untrustworthy IP address. A DNS firewall will analyze not only the domain name requested, but the IP address to be returned. If that IP address is malicious, the response will also be intercepted.
The DNS firewall can even block a response based on the address of the authoritative name server. Say an entire name server is known to be poisoned: the DNS firewall can simply block any authoritative response from that name server.
The ThreatSTOP DNS Firewall service uses a feature introduced into BIND name servers called Response Policy Zone (RPZ). Using RPZ, DNS responses become fully customizable.
With ThreatSTOP, specialized RPZ policies can be created and assigned to as many DNS servers as needed. These policies are updated automatically (approximately every two hours) with the latest threats and transferred to your DNS Firewall using standard DNS protocols (and a TSIG key for security validation). RPZ logs from your DNS firewall are also analyzed and used to provide detailed reports on current threats, suspicious activity, and potential vulnerabilities.
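As an added illustration (not ThreatSTOP's or BIND's code), the following Python evaluates a small, constructed RPZ zone the way the DNS firewall decisions above describe: QNAME triggers first, then the IP address in the answer (rpz-ip), then the authoritative server's address (rpz-nsip), with denied or modified responses logged for reporting. It is a simplified model of RPZ trigger precedence; the zone contents, addresses and function names are assumptions.

```python
import ipaddress

# Constructed RPZ zone in BIND zone-file format (sample data, not from the page).
# Target "." = NXDOMAIN, "*." = NODATA, "rpz-passthru." = allow, other = redirect.
# rpz-ip / rpz-nsip owners are <prefixlen>.<reversed octets>, so 32.10.113.0.203.rpz-ip
# means 203.0.113.10/32 and 24.0.2.0.192.rpz-nsip means 192.0.2.0/24.
RPZ_ZONE = """
somethingevil.com            CNAME .
*.somethingevil.com          CNAME .
allowed.somethingevil.com    CNAME rpz-passthru.
tracker.example.net          CNAME *.
32.10.113.0.203.rpz-ip       CNAME .
24.0.2.0.192.rpz-nsip        CNAME walledgarden.example.
"""
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU"}

def _net(labels):  # "32.10.113.0.203" -> 203.0.113.10/32
    prefix, *rev = labels.split(".")
    return ipaddress.ip_network("%s/%s" % (".".join(reversed(rev)), prefix))

def load_rpz(text):
    """Parse the zone into QNAME, answer-IP (rpz-ip) and NS-IP (rpz-nsip) triggers."""
    policy = {"qname": {}, "ip": [], "nsip": []}
    for line in text.strip().splitlines():
        owner, _, target = line.split()
        action = ACTIONS.get(target, "CNAME " + target)
        if owner.endswith(".rpz-ip"):
            policy["ip"].append((_net(owner[:-7]), action))
        elif owner.endswith(".rpz-nsip"):
            policy["nsip"].append((_net(owner[:-9]), action))
        else:
            policy["qname"][owner.lower()] = action
    return policy

def evaluate(policy, name, answer_ips=(), ns_ips=(), log=None):
    """Return (action, trigger): exact QNAME, then nearest wildcard, then answer IPs,
    then authoritative NS IPs. PASSTHRU stops later checks; hits are appended to log."""
    name = name.lower().rstrip(".")
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    hit = next(((c, policy["qname"][c]) for c in candidates if c in policy["qname"]), None)
    for kind, addrs in (("ip", answer_ips), ("nsip", ns_ips)):
        for net, action in policy[kind]:
            if hit is None and any(ipaddress.ip_address(a) in net for a in addrs):
                hit = ("%s %s" % (kind, net), action)
    if hit is None:
        return "PASSTHRU", None
    if log is not None and hit[1] != "PASSTHRU":  # denied/modified responses feed reports
        log.append("rpz: %s hit %s -> %s" % (name, hit[0], hit[1]))
    return hit[1], hit[0]
```

A real deployment hands these decisions to BIND's own RPZ engine; this model is only meant to show which trigger fires for a given query and response.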
Microsoft provides DNS servers for Azure that help to secure your network. ThreatSTOP reinforces your protection by automating the delivery of real-time threat intelligence to your DNS servers for enforcement. By setting up one or more private DNS servers using the ThreatSTOP service, an Azure cloud installation can be protected from known malicious DNS requests, adding a vital layer of protection to Azure's existing security measures. ThreatSTOP recommends using a standard Azure Ubuntu virtual machine running BIND and configured for ThreatSTOP.