Hierarchical Domain Denylisting
Definition
Blocking the resolution of any subdomain of a specified domain name.
Synonyms: Hierarchical Domain Blacklisting
How it works
This technique blocks DNS queries for any name under a domain that is unauthorized, including its related domains and subdomains.
Hierarchical domain blacklisting applies to second-level domains, any further sub-domains beneath them, and specific hosts, for a given query value. A denylist is maintained that contains DNS names and their corresponding subdomains, including wildcard entries, that should be blocked for a given lookup.
Considerations
- The denylist of domain names will have to be maintained and will need to be kept up to date.
- Other names that resolve to a denied domain (via CNAME or similar aliasing) will not be blocked unless the denylist or the resolver accounts for them.
- Denylists should have identified maintenance cycles to ensure lists are not stale.
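The following is an added example, not D3FEND's own code or a reference implementation from any product, showing how a resolver-side hierarchical denylist can be evaluated: an entry covers itself and every label beneath it, a wildcard entry (`*.name`) covers only names strictly beneath it, and CNAME aliases are followed so that an alias pointing into a denied zone is also refused (the CNAME answer table and all domain names are constructed for the example).

```python
"""Hierarchical domain denylist matcher (added example, not D3FEND's own code).

A denylist entry such as "example.test" blocks that name and every label
beneath it ("a.example.test", "x.y.example.test"), while "*.ads.tracker.test"
blocks only names strictly below "ads.tracker.test". Resolution follows
CNAME aliases through a constructed, in-memory answer table so that an
alias pointing into a denied zone is also refused.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


class HierarchicalDenylist:
    def __init__(self, entries: Iterable[str]) -> None:
        self.zones: Set[str] = set()      # name plus everything beneath it
        self.wildcards: Set[str] = set()  # only names strictly beneath
        for raw in entries:
            entry = normalize(raw)
            if entry.startswith("*."):
                self.wildcards.add(entry[2:])
            elif entry:
                self.zones.add(entry)

    def matches(self, qname: str) -> Optional[str]:
        """Return the denylist entry that covers qname, or None."""
        name = normalize(qname)
        labels = name.split(".")
        # Walk from the full name up to the TLD, checking each suffix.
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.zones:
                return suffix
            # A wildcard covers only proper subdomains, so skip i == 0.
            if i > 0 and suffix in self.wildcards:
                return "*." + suffix
        return None


# Constructed CNAME table standing in for the resolver's answers.
CNAME_TABLE: Dict[str, str] = {
    "cdn.partner.test": "assets.example.test",  # alias into a denied zone
    "loop-a.test": "loop-b.test",                # constructed alias loop
    "loop-b.test": "loop-a.test",
}


def resolve_decision(
    denylist: HierarchicalDenylist,
    qname: str,
    cname_table: Dict[str, str] = CNAME_TABLE,
    max_hops: int = 8,
) -> Tuple[bool, str]:
    """Follow CNAMEs and deny if any name in the chain is covered.

    Returns (allowed, reason); reason records the matched entry and the
    name at which it matched so the block can be logged and audited.
    """
    seen: List[str] = []
    name = normalize(qname)
    for _ in range(max_hops + 1):
        hit = denylist.matches(name)
        if hit:
            return False, f"{name} matched {hit}"
        if name in seen:
            return False, f"CNAME loop at {name}"
        seen.append(name)
        nxt = cname_table.get(name)
        if nxt is None:
            return True, "no denylist match"
        name = normalize(nxt)
    return False, "CNAME chain too long"


if __name__ == "__main__":
    dl = HierarchicalDenylist(["example.test", "*.ads.tracker.test"])
    for q in ["a.b.Example.Test.", "ads.tracker.test", "x.ads.tracker.test",
              "cdn.partner.test", "loop-a.test", "safe.test"]:
        print(q, resolve_decision(dl, q))
```

Suffix matching walks from the most specific name upward, so the check is linear in the number of labels regardless of denylist size; the CNAME walk is bounded and loop-detected so a hostile or misconfigured alias chain cannot stall the resolver.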
References
The following references were used to develop the Hierarchical Domain Denylisting knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Use DNS Policy for Applying Filters on DNS Queries
Reference Type: User Manual Organization: Microsoft
D3FEND™
A knowledge graph of cybersecurity countermeasures