A DNS Firewall For Every Network

We spend a lot of time talking about CleanBrowsing in the context of content filtering, but in this article we're going to spend some time focusing on the security benefits you get with CleanBrowsing.

 

By default, security is built into the CleanBrowsing service. It is foundational to every Free and Paid service. Organizations have the ability to consume our Security RPZ feed for a cost, but every Free filter has it "on" by default, and paying customers have the ability to enable or disable the filter from the dashboard.

 

Our DNS Firewall works to block access to phishing, spam, malware and other malicious domains. Our database of malicious domains is updated hourly and considered to be one of the best in the industry. 

 

Let's shed a little light on how it works, and provide a few real-world examples.

A DNS Primer

DNS is the internet's lookup table. It builds a bridge between the domain name (e.g., perezbox.com) and the IP address (e.g., 184.24.56.17), which is where you can find the server that hosts the domain. In addition to its job as a lookup table, it can also serve as an effective security control.

 

DNS is lightweight, doesn't require an installation, is highly effective, conforms to the TTPs employed by attackers, and, more importantly, is affordable.

The CleanBrowsing DNS Firewall

DNS is foundational to how the internet works. It is what makes it so effective for content filtering, but also why it's so important to leverage it for security.

 

Here is a basic illustration of how communication works with our Security filter:

[Figure: CleanBrowsing DNS Firewall]

In addition to working to prevent attacks, it has another very cool feature: it helps thwart attacks even if they make it onto the network. Here are a few different tactics employed by bad actors that help illustrate how DNS Firewalls help keep you safe.

 

| Tactic | Discussion |
| --- | --- |
| Benign Websites | An attacker compromises a benign site (domain) and uses it to distribute malware or perform other nefarious activity (e.g., Phishing, SEO Spam, etc.). |
| Malicious Website | An attacker creates a malicious site (domain) whose sole purpose is to distribute malware or perform other nefarious activity (e.g., Phishing, SEO Spam, Dropper, etc.). |
| Command & Control (C&C) | Command and Control (C&C) is what an attacker uses to facilitate their orchestration. Payloads will phone home to C&Cs for instructions on what to do next. |

 

A great example of how this works is to look at our recent research, in which we were able to uncover an active Spam / Malware network. In that research we spent a week monitoring hackers as they worked through our honeypot. In the process, they sprinkled our server with various malware payloads all designed to abuse our web server and corresponding website. In this specific instance it was about hijacking a benign website and using it to distribute both SPAM and Malware to users.

 

Our research allowed us to block the entire network via our Security filter, keeping all our users safe from domains intent on harming online visitors. We also used that intelligence to reach out to organizations like Linode, CloudFlare and the various registrars to help get these bad actors off the web.

 

Another great example comes from 2019, when there were a number of WordPress hacks that exploited a vulnerability in a well-known plugin. This exploit affected thousands of sites, including the popular Mailgun service.

 

Attackers used their access to embed JS code on the sites that would initiate calls to a number of different domains: hellofromhony[.]org, jqueryextd[.]at, adwordstraffic[.]link. These domains would then initiate different actions (including stealing credit card information) depending on the request.

The embedded JS payload initiates a DNS request.
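To make the blocking step concrete, here is an added example (not CleanBrowsing's code) of an RPZ-style check that lists the three domains above, matches queried names and their subdomains on label boundaries, and groups blocked lookups by client from a resolver query log. The log format, client IPs, timestamps and the NXDOMAIN action are assumptions constructed for illustration.

```python
from collections import defaultdict

# The three domains named in the article, written in live form for matching.
BLOCKED_ZONES = {"hellofromhony.org", "jqueryextd.at", "adwordstraffic.link"}

# Constructed resolver query log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2019-06-01T10:00:01Z 10.0.0.5 A www.example.com.
2019-06-01T10:00:02Z 10.0.0.5 A cdn.JQueryExtd.at.
2019-06-01T10:00:03Z 10.0.0.7 AAAA hellofromhony.org
2019-06-01T10:00:04Z 10.0.0.7 A nothellofromhony.org
2019-06-01T10:00:09Z 10.0.0.5 A a.b.adwordstraffic.link.
malformed line
"""

def normalize(qname):
    """Lower-case and drop the root dot; DNS names are case-insensitive."""
    return qname.strip().rstrip(".").lower()

def matching_zone(qname, zones=BLOCKED_ZONES):
    """Return the listed zone covering qname (exact or subdomain), else None."""
    labels = normalize(qname).split(".")
    # Compare whole labels only, so "nothellofromhony.org" is not a match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def decide(qname, zones=BLOCKED_ZONES):
    """Assumed policy action for a listed name: answer NXDOMAIN, else resolve."""
    return "NXDOMAIN" if matching_zone(qname, zones) else "RESOLVE"

def blocked_by_client(log_text, zones=BLOCKED_ZONES):
    """Group blocked lookups by client; each entry is a host worth investigating."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed log format
        _ts, client, _qtype, qname = fields
        zone = matching_zone(qname, zones)
        if zone:
            hits[client].append((normalize(qname), zone))
    return dict(hits)

if __name__ == "__main__":
    for client, lookups in blocked_by_client(SAMPLE_LOG).items():
        print(client, lookups)
```

Blocked lookups in the log are more than noise: a client that repeatedly asks for a listed name is either loading a compromised page or already running a payload that is phoning home.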

DNS Firewalls Help Create Safe Browsing Experiences

While we spend a lot of time talking about content filtering, security is a very important layer of that filtering. Via DNS we are not only able to stop attacks that look to introduce malicious payloads into your network, but we can use the same technology to look at outbound communications to block ongoing attacks.

 

It's important to note that this is not a replacement for existing security controls like traditional Firewalls, IPS, HIDS, etc. It should be looked at as a complementary control.