DNS Firewall Service

Change the Conversation

Stop Communicating With Bad Actors


Every connection with the Internet, good and bad, starts with a DNS query. Your users rely on DNS to make connections to mission-critical applications, websites, and resources on your network. Malware needs DNS to communicate back to its command and control servers to corrupt or steal your data, or to complete whatever sinister mission the malware was created for.

How secure is your DNS server? By turning your DNS server into a ThreatSTOP DNS Firewall, you will ensure that your users can safely connect with the Internet, while preventing threat actors from using them as an attack vector to ransom or exfiltrate your data or turn your network into a botnet for criminal use.

A DNS Firewall is Essential to Your Network Security

DNS Firewalls prevent your systems from communicating with harmful external resources. ThreatSTOP delivers continuous updates containing the IP addresses and domains used by threat actors, so that dangerous and unwanted traffic heading out of your network can be intercepted and blocked, monitored, or redirected to a safe location such as a walled garden.

  • ThreatSTOP DNS Firewall prevents communications with known threat actors and emerging threats based on our extensive threat intelligence platform.
  • Threats are continuously discovered by our security researchers, tracked by the 50+ threat intelligence sources we integrate into our platform, and automatically shared as policy updates direct to your DNS Firewall.
  • Attacks are prevented by neutralizing malware’s ability to call home, eliminating data destruction or exfiltration that has bypassed existing network security layers.
  • Advanced reporting provides full visibility into blocked DNS queries, and identifies impacted machines, allowing for efficient and accurate remediation.
  • Threat activity blocked by DNS firewalls: phishing, ransomware, malvertising, botnets, typo squats, and other general malware types.
  • The DNS Firewall can block outbound communications to selected geographic locations.
  • Users are able to build and manage security policies for the DNS Firewall by selecting the threat types to include, and can add custom IP or domain entries as User Defined Lists.

Granular Control Over DNS Actions

One of the biggest advantages of DNS Firewalls is the granular control afforded over the behavior of outbound traffic on the network. The DNS Firewall provides the flexibility to:

  • Determine the action taken when an endpoint attempts to connect with a threat actor: connections can be blocked with an error response, blocked with no response, allowed to pass through, dropped with no response (effectively cloaking your network), or redirected to a walled garden page of your choice.
  • ThreatSTOP DNS Firewall allows blocking at the IP level or at the domain level (including wildcards), which addresses the common problems of blocking multi-hosted domains.

Easy to Install and Deploy

Deploying and configuring the ThreatSTOP DNS Firewall is fast and easy, usually requiring less than an hour before it is actively blocking threats. Because of this simplicity:

  • Turn your existing DNS servers into a ThreatSTOP DNS Firewall—no new hardware or software required.
  • Our cloud-based service deploys in under an hour. Set your policy and identify devices to be protected via an online portal and immediately start preventing communications with threat actors.
  • Custom, user-defined policies are easy to create and manage in our web portal.
  • The service works with all major DNS servers including Windows Server 2016 and BIND.

How It Works

ThreatSTOP's DNS firewall product is fully customizable using our standard portal and UI. It only takes a few minutes for subscribers to select one of our standard policies or create their own custom policy in our portal. Policies can specify different rules so that, for example, attempts to contact botnet C&C servers can simply be denied while users who click on phishing links see a redirection to a walled garden.

These rules, published under the subscriber's policy name, are obtained from the portal and referenced from the BIND DNS server configuration files. The DNS server automatically downloads the policy and applies it to every lookup it receives. The policy is updated automatically (by default every two hours) so that it blocks new threats and stops blocking locations that have been remediated.

Response Policy Zones (RPZ) take action based on the domain name queried (QNAME), the IP address returned in the answer (RPZ IP), or the fully qualified domain name (FQDN) or IP address of any of the name servers used in the resolution process (NS DNAME and NS IP). Depending on the match, the name server can opt to:

  • Report an error (NXDOMAIN or NODATA).
  • Not return anything (DROP).
  • Return a static IP address (for example,
  • Return a walled garden name (CNAME walledgarden.local).
  • Return the true data (PASSTHRU) - typically used to override a specific host/subdomain in an otherwise suspicious domain.
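To make the trigger and action encodings above concrete, here is an added example (not ThreatSTOP's or BIND's own code) that models how a BIND response policy zone is evaluated. The zone body `RPZ_ZONE` is constructed for illustration and uses BIND's RPZ conventions: owner names are relative to the policy zone's origin, `rpz-ip`, `rpz-nsdname` and `rpz-nsip` owners select the IP, NS DNAME and NS IP triggers, and the special CNAME targets `.`, `*.`, `rpz-drop.` and `rpz-passthru.` encode NXDOMAIN, NODATA, DROP and PASSTHRU. The names `parse_rpz` and `rpz_action` are this example's own, and the trigger order QNAME, IP, NSDNAME, NSIP is an assumption taken from the order the page lists them in.

```python
"""Toy model of BIND Response Policy Zone (RPZ) triggers and actions.

Added example; the zone content below is constructed, not a ThreatSTOP feed.
"""
import ipaddress

# Constructed RPZ zone body. Owner names are relative to the policy zone's
# origin (for example "rpz.threatstop.local"), as in a real RPZ zone file.
# Reversed-octet owners such as 24.0.2.0.192.rpz-ip encode 192.0.2.0/24.
RPZ_ZONE = """
bad.example                 CNAME .                   ; QNAME -> NXDOMAIN
*.bad.example               CNAME .                   ; wildcard: every subdomain
ok.bad.example              CNAME rpz-passthru.       ; exception inside a bad domain
nodata.example              CNAME *.                  ; QNAME -> NODATA
phish.example               CNAME walledgarden.local. ; QNAME -> walled garden
stealth.example             CNAME rpz-drop.           ; QNAME -> DROP (no response)
sink.example                A     192.0.2.1           ; QNAME -> static address
24.0.2.0.192.rpz-ip         CNAME .                   ; answer in 192.0.2.0/24 -> NXDOMAIN
ns.evil.example.rpz-nsdname CNAME rpz-drop.           ; resolved via this NS -> DROP
32.10.113.0.203.rpz-nsip    CNAME .                   ; NS at 203.0.113.10 -> NXDOMAIN
"""

# CNAME targets with a reserved meaning in RPZ.
SPECIAL_TARGETS = {".": ("NXDOMAIN",), "*.": ("NODATA",),
                   "rpz-drop.": ("DROP",), "rpz-passthru.": ("PASSTHRU",)}


def _decode_action(rtype, rdata):
    """Map a policy record's rdata to the action the name server takes."""
    if rtype == "CNAME":
        # Any other CNAME rewrites the answer to that name (walled garden).
        return SPECIAL_TARGETS.get(rdata, ("CNAME", rdata))
    return ("LOCAL-DATA", rtype, rdata)  # A/AAAA: hand back a static address


def _decode_network(label):
    """'24.0.2.0.192' -> 192.0.2.0/24 (prefix length first, octets reversed)."""
    prefix, *octets = label.split(".")
    return ipaddress.ip_network("%s/%s" % (".".join(reversed(octets)), prefix))


def parse_rpz(text):
    """Split the zone into one table per trigger kind."""
    zone = {"qname": {}, "ip": [], "nsdname": {}, "nsip": []}
    for line in text.splitlines():
        line = line.split(";")[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, rtype, rdata = line.split(None, 2)
        action = _decode_action(rtype, rdata.strip())
        if owner.endswith(".rpz-ip"):
            zone["ip"].append((_decode_network(owner[:-len(".rpz-ip")]), action))
        elif owner.endswith(".rpz-nsip"):
            zone["nsip"].append((_decode_network(owner[:-len(".rpz-nsip")]), action))
        elif owner.endswith(".rpz-nsdname"):
            zone["nsdname"][owner[:-len(".rpz-nsdname")]] = action
        else:
            zone["qname"][owner] = action
    return zone


def _match_name(table, name):
    """Exact owner first, then the closest enclosing wildcard (*.suffix)."""
    name = name.rstrip(".").lower()
    if name in table:
        return table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in table:
            return table[wild]
    return None


def _match_ip(table, addr):
    """Longest-prefix match of an address against rpz-ip / rpz-nsip networks."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, act) for net, act in table if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None


def rpz_action(zone, qname, answers=(), ns_names=(), ns_ips=()):
    """Evaluate the triggers in the assumed order QNAME, IP, NSDNAME, NSIP.

    The first hit decides; None means the real answer is returned untouched.
    """
    checks = (
        [lambda: _match_name(zone["qname"], qname)]
        + [lambda a=a: _match_ip(zone["ip"], a) for a in answers]
        + [lambda n=n: _match_name(zone["nsdname"], n) for n in ns_names]
        + [lambda a=a: _match_ip(zone["nsip"], a) for a in ns_ips]
    )
    for check in checks:
        hit = check()
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    for q in ("www.bad.example", "ok.bad.example", "phish.example", "clean.example"):
        print(q, "->", rpz_action(policy, q, answers=["198.51.100.5"]))
```

Two things the run shows that the bullet list alone does not: the exact `ok.bad.example` PASSTHRU record wins over the `*.bad.example` wildcard, which is how a single host inside an otherwise blocked domain is excepted; and a query for a name with no QNAME record can still be rewritten when its answer, or one of the name servers used to resolve it, matches an IP, NS DNAME or NS IP trigger. In a real deployment the zone is loaded by listing it in the `response-policy` statement of named.conf, and the policy name and update cadence described above apply to that zone.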

Supported devices

The ThreatSTOP threat intelligence Web service works with most firewalls and other traffic management devices that can make a forwarding decision based on a DNS lookup. Our RPZ solution works with BIND 9.0 and later. BIND is open source software that implements the Domain Name System (DNS) protocols for the Internet. It is a reference implementation of those protocols, but it is also production-grade software, suitable for use in high-volume and high-reliability applications. The service also works with the following devices: