Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.Synonyms: DNS Blacklisting .
How it works
Rules are implemented that filter DNS queries using criteria such as:
- Client subnet
- Type of network protocol used in query
- Fully qualified domain name (FQDN) of record in the query
- DNS Server IP address that received the DNS request
- Type of DNS record being queried
- Time of day the query is received
- Size of the response
For example, a DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized.
- Implementation considerations for DNS filtering policies to avoid over-blocking or under-blocking domains.
- Continuous maintenance of unauthorized domain lists is needed to keep up to date with possible site content changes.
- File sharing or content delivery networks may require other filtering techniques that are more fine-grained (URL blocking).
- Access to malicious websites or other network resources directly by IP instead of by DNS record, or after alteration of local DNS hosts file, may not result in DNS network traffic.
There are 7 countermeasure techniques in this category, DNS Denylisting.
|DNS Denylisting||D3-DNSDL||Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.||DNS Blacklisting|
|- Homoglyph Denylisting||D3-HDL||Blocking DNS queries that are deceptively similar to legitimate domain names.||Homoglyph Blacklisting|
|- Hierarchical Domain Denylisting||D3-HDDL||Blocking the resolution of any subdomain of a specified domain name.||Hierarchical Domain Blacklisting|
|- Forward Resolution Domain Denylisting||D3-FRDDL||Blocking a lookup based on the query's domain name value.||Forward Resolution Domain Blacklisting|
|- Forward Resolution IP Denylisting||D3-FRIDL||Blocking a DNS lookup's answer's IP address value.||Forward Resolution IP Blacklisting|
|- Reverse Resolution Domain Denylisting||D3-RRDD||Blocking a reverse DNS lookup's answer's domain name value.||Reverse Resolution Domain Blacklisting|
|- Reverse Resolution IP Denylisting||D3-RRID||Blocking a reverse lookup based on the query's IP address value.||Reverse Resolution IP Blacklisting|
The following references were used to develop the DNS Denylisting knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)