DNS Content Filtering for Business
The online world is full of threats, where one ill-advised action by an employee could give a cyber threat actor the foothold they need to compromise large parts of your network. Once access is gained, sensitive data could be stolen or malware or ransomware could be installed and used for destructive attacks and to extort money from your organization. One of the ways that defenses against web-based attacks can be improved is by adding DNS content filtering to your cybersecurity stack.
DNS content filtering is a method of filtering out undesirable and harmful web content, similar to a parental control filter on a home network. A DNS filter uses the Domain Name System for filtering and prevents access to certain websites based on the IP address. If that IP address has been associated with hackers, spamming, phishing, or cyberattacks in the past, access to the site will be blocked. The DNS filter reviews blacklists of known malicious websites, previous crawls of new websites and web pages, and may also monitor web content in real time. If the IP address or web content is deemed dangerous or contravenes user-defined policies, access to the content will be prevented and the user will be shown a block page explaining why access has not been granted.
DNS content filtering can be implemented by businesses at the network level, and is often applied by Internet Service Providers to prevent customers from accessing illegal web content. DNS content filtering is easy to implement, only requiring a contract with a web filtering provider and a change to the DNS settings to point them to the service provider’s servers. Once that change has been made, all blacklisted sites will be blocked and users can access a web-based interface to apply their settings to enforce acceptable Internet usage policies. This typically involves a few clicks of a mouse to check the different categories of websites that are prohibited. Commonly blocked categories are gaming, gambling, dating, and social media sites to enhance productivity; hacking forums and peer-to-peer file-sharing networks for security; and hate speech and pornography,
Providers of DNS content filtering services maintain the solution and will constantly update their blacklists as new malicious sites are identified. The solution itself will also be updated so it will not add to the patching burden. DNS filtering is a low-latency service so there will be no perceptible difference in page load speeds.
Sadly, there is no one DNS content filtering solution available that will prevent all malicious websites from being accessed. This is because a website must first be deemed malicious before access can be blocked. If a hacker creates a new phishing website, there will be a time lag between the page being created and being discovered and added to the blacklist; however, even with this caveat, DNS content filtering can greatly improve your organization’s cyber defenses.
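The decision flow described above (blacklist check, then category policy, with the time-lag gap for newly created sites) can be modeled as follows. This is an added example, not any vendor's code: it assumes the decision is keyed on the queried domain name, and every domain, category, and policy group in it is constructed sample data.

```python
from typing import NamedTuple

# Constructed sample data, not real indicators.
BLOCKLIST = {"malware-c2.example", "phish-login.example"}   # known malicious
CATEGORIES = {                                              # results of earlier crawls
    "casino.example": "gambling",
    "social.example": "social-media",
    "torrents.example": "p2p",
}
POLICIES = {                                                # blocked categories per group (hypothetical)
    "default": {"gambling", "p2p", "social-media"},
    "marketing": {"gambling", "p2p"},
}

class Verdict(NamedTuple):
    action: str        # "block" or "allow"
    reason: str
    matched: str = ""  # list entry that produced the verdict, if any

def suffixes(qname):
    """a.b.example. -> ['a.b.example', 'b.example', 'example'] (lowercased)."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(qname, group="default"):
    # Assumption: an unknown group falls back to the default policy.
    blocked = POLICIES.get(group, POLICIES["default"])
    names = suffixes(qname)
    # 1. The security blacklist wins over any category policy. Matching on
    #    whole labels covers subdomains without catching look-alike names.
    for name in names:
        if name in BLOCKLIST:
            return Verdict("block", "blacklist", name)
    # 2. Category policy: the most specific categorized name decides.
    for name in names:
        cat = CATEGORIES.get(name)
        if cat is not None:
            action = "block" if cat in blocked else "allow"
            return Verdict(action, "category:" + cat, name)
    # 3. Never seen before: allowed until it is classified, which is the
    #    time lag between a site appearing and being added to the blacklist.
    return Verdict("allow", "uncategorized")
```

The last branch is the gap to plan around: a domain that has not yet been crawled or reported resolves normally, so the filter should be paired with other controls rather than relied on alone.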
Can different filtering controls be applied for users and user groups?
Yes. Look for a solution that integrates with directory services such as Active Directory to make this as easy as possible. Most DNS filters allow global policies to be applied, along with different filtering controls for locations, departments, user groups, roles, and individual users.
How much does a DNS filter cost?
The cost can vary considerably from vendor to vendor, so it pays to perform a comparison of features and price. The price of an accomplished DNS filter starts at around $12 per user, per year. Some service providers allow customers to spread the cost over time with monthly billing to make content filtering more affordable.
Do I need a DNS content filtering solution?
A DNS content filtering solution can significantly improve your security posture by blocking web-based threats and should be part of your cybersecurity arsenal. Without content filtering, you will be reliant on employees following your acceptable Internet usage policies.
What are the advantages of a DNS filtering service over an appliance?
An appliance has a high initial cost and lacks the flexibility of a DNS filtering service. Appliances have restrictions on the number of simultaneous users, so if your company expands you will need to purchase new appliances. DNS filtering services are highly scalable and adaptable to the changing needs of your business.
Do I need a Business Associate Agreement from a DNS Filtering service provider?
DNS content filtering solutions do not access protected health information, so a business associate agreement is not required.