What is DNS Blocking?

DNS blocking is a form of Internet filtering control that prevents individuals from accessing certain types of web content, such as webpages hosting phishing kits or malware.

What is DNS?

Every device connected to the internet has a unique IP address that allows it to be identified and located. While IP addresses are computer-friendly, they are not human-friendly. Memorable domain names are therefore used, but these need to be matched with IP addresses. That task is performed by the Domain Name System (DNS).

The DNS is a hierarchical and decentralized naming system for computers and other resources connected to the internet. The DNS acts like an address book for websites. When a user types a website name into their web browser, a DNS lookup is performed to find the corresponding IP address. A query is sent to a recursive DNS server, which makes contact with other servers to find the IP address of the website. If the website exists, the IP address is returned and provided to the browser.

Content Filtering Using a DNS Block

DNS-based content filtering is a form of internet content control that works at the DNS level. When a user attempts to visit a website, such as by clicking a hyperlink in an email or entering a URL into their web browser, a DNS lookup is performed, the IP address is found, and they are directed to the website.

With DNS content filtering, before the IP address is returned, various checks are performed to determine whether the website should be loaded. If the website violates policies that have been set in a DNS content filtering service, the website will not be displayed. Instead, the user will be directed to a pre-configured DNS block page that explains that the website cannot be viewed because it violates the organization’s Internet usage policies. If the website does not violate any policies, the IP address is returned and the website is displayed.

Advantages of DNS Blocking

DNS blocking has advantages over other forms of internet filtering. Since DNS blocking occurs at the DNS lookup stage, all internet filtering takes place before any content is downloaded, so there is no impact on the speed at which allowable webpages are loaded. Provided a website is not blocked, an end user will be unaware that any internet filtering controls are in place.

To filter the Internet, it used to be necessary to purchase a physical appliance through which all Internet traffic was routed. Such appliances can be costly, and they have limited capacity. To increase capacity, further appliances need to be purchased. There can also be latency issues with appliance-based filtering, which are avoided with DNS blocking.

DNS blocking takes place in the cloud, so there is no software to install and no additional hardware is required to filter the Internet at the DNS level. You just need to sign up to a DNS filtering service. After subscribing, you point your DNS settings at the service provider’s DNS servers. The process takes just a few minutes.

DNS filtering services are important for cybersecurity as they prevent employees from visiting malicious websites such as those used for malware distribution and phishing. These services can also be used to apply content controls that prevent employees from visiting productivity-draining websites at work and from viewing NSFW content such as pornography.

DNS Blocking – FAQs

With a DNS blocking service, do I need to input the IP address of every website I don't want employees to access?

Not at all. DNS blocking services enable system administrators to block website access by category (e.g., gambling, nudity, etc.) and/or by keyword (e.g., YouTube, Netflix, etc.). All you need to do is go into the user-friendly dashboard and check whichever categories you want to block. The option also exists to create customized categories if there are additional categories you wish to block access to.

What if I want to prevent online shopping during working hours but need to buy office supplies?

Several options exist to overcome this issue. You can whitelist the URL of your supplier to prevent it from being blocked, you can whitelist users so the block on online shopping does not apply to them, or you can configure the DNS blocking filter so the category is only blocked during working hours, allowing anybody who wants to shop online to do so in their own time.

Do I have to manually block websites hosting malware, or are DNS blocking services already configured to do this?

Most DNS blocking services have a three-tiered filtering system consisting of real-time block lists, category filters, and keyword filters. In most cases, websites known to be hosting malware are identified and blocked automatically by the real-time block lists; however, it is important you confirm with your service vendor that real-time block lists are activated by default.
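The following is an added example, not code from the article or from any DNS filtering vendor. It models the decision a DNS filtering resolver makes for each lookup, as described in the content-filtering section and the FAQ answers above: the three tiers (real-time block list, category filter, keyword filter) plus the allowlisted supplier domain, exempt users and the working-hours window. All domains, categories, users and IP addresses are constructed sample values; a real service supplies its own block lists and category database, and the `192.0.2.1` block-page address is an RFC 5737 documentation address used as a placeholder. One design choice worth noting: here the real-time block list is checked first and is not overridden by the allowlist or by user exemptions, so a known malware host stays blocked even for an exempt user.

```python
"""Toy DNS content-filter decision engine (added example, not a vendor's code)."""
from dataclasses import dataclass, field
from datetime import time

BLOCK_PAGE_IP = "192.0.2.1"  # placeholder block-page address (RFC 5737 documentation range)

# Constructed stand-ins for the upstream resolver's answers and the vendor's category database.
RESOLVED_IPS = {
    "shop.example": "203.0.113.10",
    "supplies.example": "203.0.113.11",
    "video.example": "203.0.113.12",
    "phish.example": "203.0.113.13",
    "news.example": "203.0.113.14",
    "myvideos.example": "203.0.113.15",   # deliberately uncategorized, caught by keyword
}
CATEGORY_DB = {
    "shop.example": "shopping",
    "supplies.example": "shopping",
    "video.example": "streaming",
    "phish.example": "phishing",
    "news.example": "news",
}
REALTIME_BLOCK_LIST = {"phish.example"}  # tier 1: known malicious hosts, active by default


@dataclass
class Policy:
    blocked_categories: set
    blocked_keywords: set
    allowed_domains: set = field(default_factory=set)   # "whitelist the URL of your supplier"
    exempt_users: set = field(default_factory=set)      # "whitelist users"
    # category -> (start, end) window during which the block applies; absent = always
    schedule: dict = field(default_factory=dict)


@dataclass
class Decision:
    domain: str
    ip: str
    blocked: bool
    reason: str


def category_active(policy: Policy, category: str, now: time) -> bool:
    """True if the category's block applies at time `now`."""
    window = policy.schedule.get(category)
    if window is None:
        return True
    start, end = window
    return start <= now < end


def resolve(domain: str, user: str, policy: Policy, now: time) -> Decision:
    """Return the answer the filtering resolver would hand back for this lookup."""
    domain = domain.lower().rstrip(".")
    real_ip = RESOLVED_IPS.get(domain)
    if real_ip is None:
        return Decision(domain, "", False, "NXDOMAIN")
    # Tier 1: real-time block list; never overridden by allowlists or exemptions.
    if domain in REALTIME_BLOCK_LIST:
        return Decision(domain, BLOCK_PAGE_IP, True, "real-time block list")
    # Overrides for policy-based (not security-based) blocks.
    if domain in policy.allowed_domains:
        return Decision(domain, real_ip, False, "allowed domain")
    if user in policy.exempt_users:
        return Decision(domain, real_ip, False, "exempt user")
    # Tier 2: category filter, honouring the time window.
    category = CATEGORY_DB.get(domain, "uncategorized")
    if category in policy.blocked_categories and category_active(policy, category, now):
        return Decision(domain, BLOCK_PAGE_IP, True, f"category '{category}'")
    # Tier 3: keyword filter on the domain name.
    for keyword in sorted(policy.blocked_keywords):
        if keyword in domain:
            return Decision(domain, BLOCK_PAGE_IP, True, f"keyword '{keyword}'")
    return Decision(domain, real_ip, False, "allowed")


# Constructed sample policy: block shopping 09:00-17:00, streaming always, keyword "video".
SAMPLE_POLICY = Policy(
    blocked_categories={"shopping", "streaming"},
    blocked_keywords={"video"},
    allowed_domains={"supplies.example"},
    exempt_users={"bob"},
    schedule={"shopping": (time(9, 0), time(17, 0))},
)


def check(domain: str, user: str, hour: int) -> tuple:
    """Convenience wrapper: (blocked, reason, ip) for a lookup at the given hour."""
    d = resolve(domain, user, SAMPLE_POLICY, time(hour, 0))
    return d.blocked, d.reason, d.ip


if __name__ == "__main__":
    for dom, usr, hr in [("shop.example", "alice", 10), ("shop.example", "alice", 18),
                         ("phish.example", "bob", 10), ("myvideos.example", "alice", 12)]:
        print(dom, usr, f"{hr:02d}:00", check(dom, usr, hr))
```

Run it as a script to see the decisions printed; the `check` wrapper is what a caller would use when only the verdict matters.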

How is latency avoided with DNS blocking?

When an organization implements an appliance-based Internet filtering system or on-premises Internet filtering software, delays in the filtering process can occur if multiple users try to visit different websites simultaneously, because of capacity limitations. DNS blocking services are typically hosted in the cloud and scale elastically to better cope with peaks and troughs in demand.

What does “NSFW” stand for?

NSFW is an acronym for “not safe for work”. While the acronym was originally applied to pornography, its use has expanded to include any online material that could be considered offensive due to violent, racially abusive, or politically charged content.