DNS Firewalls: What They Are, and What They’re Not

This posting is really a description of so-called “DNS Firewalls” intended for those who have to deal with security vendors regularly. Having said that, there are DNS firewalls for home users (I cannot make any specific recommendations), so it may be of wider interest.

Calling them “DNS Firewalls” is a bit deceptive (and it is even possible to persuade a security vendor’s salesperson to admit that it’s a bad name for them). Firewalls control network traffic whereas “DNS firewalls” allow you to apply a policy to DNS lookups.

To be fair, the implementation in the most common DNS server is called “Response Policy Zones” (RPZ), which is a little on the geeky side. To sum it up, though, it allows you to specify a policy that is applied when names are looked up in the DNS.

What Does It Do?

When you look up names in the DNS – which happens in the background whenever you make a network connection – the DNS server performs that lookup on your behalf. If a “DNS Firewall” is turned on, it can do one of two things :-

  • Return a value indicating that the name doesn’t exist (a web browser will show an error page saying something similar to “foo.zonky.org’s server IP address could not be found.”)
  • Return an answer to a query that is not the correct answer; in other words, lie. This can be used to point the client at an alternative service, or to present a web page explaining why the page is being blocked.
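To make the two actions concrete, here is a small RPZ-style policy engine. It is an added example, not code from the original post or from any DNS server: it parses a constructed policy zone fragment using the RPZ conventions (`CNAME .` means “answer NXDOMAIN”, an `A` record means “substitute this address”, `CNAME rpz-passthru.` means “let the real answer through”), applies the most-specific-match rule including `*.parent` wildcards, and records which rule fired so the decision can be logged. The zone content, the domain names and the `UPSTREAM` table standing in for the real DNS are all invented.

```python
"""Minimal RPZ-style policy engine (added example, not from the original post).

Models the two actions the post describes:
  * NXDOMAIN  - the policy says the name does not exist (RPZ encodes this as ``CNAME .``)
  * LOCAL_DATA - the policy substitutes a different answer (a "walled garden" address)
plus RPZ's ``rpz-passthru.`` whitelist action.  All names and addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy zone fragment: <owner> <rrtype> <rdata>, owner relative to the zone.
RPZ_ZONE = """\
phish.example.test          CNAME .               ; block the apex name
*.phish.example.test        CNAME .               ; ... and everything below it
ok.phish.example.test       CNAME rpz-passthru.   ; exact-match exception
ads.example.test            A     192.0.2.10      ; walled-garden address
*.ads.example.test          A     192.0.2.10
"""

# Constructed stand-in for what the real DNS would answer.
UPSTREAM = {
    "phish.example.test": "203.0.113.5",
    "ok.phish.example.test": "203.0.113.6",
    "www.good.example.test": "203.0.113.7",
}


@dataclass(frozen=True)
class Verdict:
    action: str            # "NXDOMAIN", "LOCAL_DATA", "PASSTHRU" or "NONE"
    rdata: Optional[str]   # substituted answer for LOCAL_DATA, else None
    rule: Optional[str]    # owner name of the rule that matched (None = no policy)


def parse_rpz(zone_text: str) -> Dict[str, Tuple[str, str]]:
    """Parse the simplified zone format above into {owner: (rrtype, rdata)}."""
    rules = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        owner, rrtype, rdata = line.split()
        rules[owner.lower().rstrip(".")] = (rrtype.upper(), rdata)
    return rules


def _decode(owner: str, rrtype: str, rdata: str) -> Verdict:
    """Translate a matched RR into the action the resolver should take."""
    if rrtype == "CNAME" and rdata == ".":
        return Verdict("NXDOMAIN", None, owner)
    if rrtype == "CNAME" and rdata == "rpz-passthru.":
        return Verdict("PASSTHRU", None, owner)
    if rrtype == "A":
        return Verdict("LOCAL_DATA", rdata, owner)
    raise ValueError(f"unsupported policy record {rrtype} {rdata!r} for {owner}")


def lookup_policy(rules: Dict[str, Tuple[str, str]], qname: str) -> Verdict:
    """Most-specific match: exact owner first, then '*.parent' from the longest parent up."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return _decode(name, *rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):            # '*.parent' matches names below parent only
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return _decode(candidate, *rules[candidate])
    return Verdict("NONE", None, None)


def resolve(rules: Dict[str, Tuple[str, str]], qname: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (rcode, address, matched_rule) as a policy-aware resolver would."""
    verdict = lookup_policy(rules, qname)
    if verdict.action == "NXDOMAIN":
        return ("NXDOMAIN", None, verdict.rule)
    if verdict.action == "LOCAL_DATA":
        return ("NOERROR", verdict.rdata, verdict.rule)
    # PASSTHRU or no matching rule: do the ordinary lookup against the (constructed) upstream.
    address = UPSTREAM.get(qname.lower().rstrip("."))
    return ("NOERROR", address, verdict.rule) if address else ("NXDOMAIN", None, verdict.rule)


RULES = parse_rpz(RPZ_ZONE)

if __name__ == "__main__":
    for q in ["phish.example.test", "login.phish.example.test", "ok.phish.example.test",
              "banner.ads.example.test", "www.good.example.test"]:
        rcode, addr, rule = resolve(RULES, q)
        # The matched rule is what you want in the resolver log: it tells the SOC
        # which feed entry fired, not just that a client got NXDOMAIN.
        print(f"{q:28s} -> {rcode:8s} {addr or '-':14s} rule={rule}")
```

The third element of each `resolve` result is the point worth copying into a real deployment: a query blocked by policy looks identical to a genuinely non-existent name from the client's side, so the only place the block is visible is the resolver's own log, and the log is only useful if it names the rule (and therefore the feed) that produced the decision.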

Of course, high-end commercial “DNS firewalls” offer to do quite a bit more, but the chief cost is really the threat information feeds that get turned into a policy: those are what let you catch phishing attacks automatically and rapidly.
