Why You Should Care About DNS Filtering
Businesses have an ironic relationship with ads on web sites and in mobile apps. On one hand, they may want ads on their own web site, or to show to the public to generate new business. On the other hand, loading ads in web pages can slow a site down and lead to distractions and wasted time at work. But an increasing problem is that some ads are also malicious, and when clicked on could put your business information and staff computers in danger.
A BBC article from 2019 suggests that ads can slow web sites by up to 60%. Another article from Status Cake says that 40% of ads slow web site loading by too much. So things are a little slower, but when the problem of malicious ads comes up, as reported by BleepingComputer, even on Google’s ad network, that’s a real concern.
The risky ads usually direct people to what seems to be a legitimate piece of software, often one they would use for sensitive information. Banking apps, crypto wallets and even Google’s own MFA app are targeted with fraudulent versions looking to steal people’s information.
What’s DNS?
DNS is the service that makes the internet work with nice names like kaweka.nz and google.com. Any part of a computer system using a name like that goes and asks a DNS server for the IP address that the name matches. Without DNS, we’d all be trying to remember IP addresses like 142.250.67.3.
You may have a DNS service in your business now, almost certainly if you have servers and apps that are only available to you when you’re in the office or using the VPN. Even if this isn’t you, the router that connects your staff to the internet has a configuration setting that tells all your computers which DNS server to send all these questions about names and IP addresses to.
DNS Filtering
The DNS server is where we can add a filtering check to block a variety of things including some ads, bad sites and inappropriate material for people in the office. Vendors like Cisco, Palo Alto, Linksys, pfSense and OPNsense (just a few examples) can all be configured to import a list of known bad or unwanted DNS names (e.g. www.badsite.com).
Free options also exist for DNS filtering (Cloudflare, Cisco Umbrella) that will help protect you from malicious web sites and that inappropriate material. But they typically won’t block ads given the tenuous position it might put them in for many of their other customers.
Hosting your own DNS server is fairly easy with products like pi-hole and AdGuard that can run on very low cost computers. These let you block whatever web sites you may want and import curated lists of bad sites and ads. Below is an example of the AdGuard app blocking almost 60,000 DNS requests over a week.
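To show what “importing a curated list” actually does inside a filtering resolver, here is an added Python example (not code from pi-hole, AdGuard or this article) that parses a small constructed blocklist in the two formats such lists commonly use and decides whether a queried name gets a sinkhole answer. Matching a name and its parent domains, the 0.0.0.0 sinkhole address and the sample list are assumptions of this example.

```python
"""Minimal DNS blocklist matcher in the style of pi-hole/AdGuard list handling."""
import ipaddress

# Constructed sample list (not a real feed): hosts-file lines ("0.0.0.0 name")
# and bare domain names; '#' starts a comment.
SAMPLE_BLOCKLIST = """
# constructed example list
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org   # trailing comment
badsite.example
127.0.0.1 localhost
"""

SINKHOLE = "0.0.0.0"  # assumed address returned for blocked names


def load_blocklist(text: str) -> set[str]:
    """Parse hosts-style or plain-domain lines into a set of lowercase names."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            # hosts format: first field is an address, the rest are names
            ipaddress.ip_address(parts[0])
            candidates = parts[1:]
        except ValueError:
            candidates = parts  # plain domain-name line
        for name in candidates:
            name = name.lower().rstrip(".")
            if name != "localhost":  # never sinkhole the local host entry
                names.add(name)
    return names


def is_blocked(name: str, blocklist: set[str]) -> bool:
    """Block a name if it, or any parent domain, is on the list (assumed rule)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def filter_query(name: str, blocklist: set[str], upstream_answer: str) -> str:
    """Return the sinkhole address for blocked names, else the upstream answer."""
    return SINKHOLE if is_blocked(name, blocklist) else upstream_answer


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for q in ("www.ads.example.net", "kaweka.nz"):
        print(q, "->", filter_query(q, bl, "203.0.113.5"))  # 203.0.113.5 is a constructed upstream answer
```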

Whether you run a free server you add your own block rules to, or you choose a public provider, getting DNS filtering in place is a fairly easy change.
Depending on your internet router (the device that Chorus probably plugged fibre into and that connects your office to the world), you need to go into the settings and either:
- Set the internet DNS server to the public option you chose, e.g. set 208.67.222.222 and 208.67.220.220 for the Cisco OpenDNS free service; or
- Configure your router or other internal network config to point to the AdGuard server (or whatever else you might have installed) and set that in your DHCP settings as the option all your internal computers should use for DNS. You still need to configure your internal DNS server (i.e. AdGuard) to point out to a DNS server on the internet, e.g. 1.1.1.1 for Cloudflare or 8.8.8.8 for Google to use their respective DNS service.
If you did go for an internal DNS server, it’s important to realise that it must be available all the time. If it stops, then your computers will not have their “what is the IP address for this web site name” questions answered. How do you make it more resilient? Just add a second DNS server and set its IP address in the DHCP settings that get picked up by your office computers.
Here is the example from pfSense (the router that does DHCP and gives IP addresses to our office computers) of using two of our own DNS servers.

When you save those settings, your staff computers should start picking up the new settings and will immediately use your DNS server. If things don’t work, just change the DHCP options back again.
You can see the DNS server settings for a Windows computer by opening the command prompt (press Win+R, type cmd.exe and that’s your command prompt). In the command prompt window type ipconfig -all and look for the DNS Servers line. It should show the same IP addresses you set in your DHCP options.
You’re done. Web pages should load faster and ads show a lot less, including the bad ones. Your business and staff are now better protected than before.
Zero Trust
This sort of DNS configuration is one of the basic components of what’s called Zero Trust. By having a DNS service that you control plus things like identifying and verifying users and devices, you’ll have an extremely strong set of controls to protect your staff and business. We’ll dig into this further in the future.