SOLUZIONI
Offerta di esperienze online di livello superiore
Mitigazione degli attacchi DDoS Blocca l'abuso di bot dannosi Accelerare le applicazioni Internet Assicura la disponibilità delle applicazioni Ottimizzazione dell'esperienza Web Streaming video on demand
Sicurezza delle applicazioni e dei dispositivi dei dipendenti
Sicurezza Zero Trust per le applicazioni Implementa SASE (Secure Access Service Edge) Protezione degli utenti che accedono a Internet Abilitazione di forza lavoro in remoto Manage Secure Contractor Access Replace Virtual Private Networks (VPNs) Secure Your Remote Workforce Stop Zero Day Attacks with Browser Isolation
 
Protezione e accelerazione delle reti
Mitigazione degli attacchi DDoS L3 Collegamento dell'infrastruttura di rete a Cloudflare Transform Corporate Networks
Implementazione codice sul perimetro di rete
Creazione di una applicazione serverless Implementazione di un sito statico Configurazione di una CDN Definizione instradamento condizionale delle richieste
Gestisci un cloud sicuro
Accesso sicuro a piattaforme ibride, cloud e SaaS Abilitazione SSL per applicazioni SaaS Riduzione dei costi di trasferimento dati nel cloud
Registrazione di un sito web
Registrazione o trasferimento di un sito web
SETTORI
eCommerce Gaming Media e intrattenimento Settore pubblico Gruppi di interesse pubblico SaaS
PER L'INFRASTRUTTURA
Sicurezza delle applicazioni e di rete
Protezione dagli attacchi DDoS WAF Gestione dei bot Transizione magica Rate Limiting SSL/TLS Cloudflare Spectrum Interconnessione di rete
Prestazioni e affidabilità
CDN DNS Argo Smart Routing Bilanciamento del carico Diffusione di contenuti in streaming China Network
PER I TEAM
Cloudflare per Teams Access Gateway Browser Isolation
PER SVILUPPATORI
Applicazioni serverless
Cloudflare Workers Cloudflare Workers KV
Registrazione dominio
Cloudflare Registrar
Sviluppo di siti web
Siti per Workers Cloudflare Stream
PER TUTTI / PUBBLICO
1.1.1.1 1.1.1.1 con WARP (App) 1.1.1.1 per le famiglie Cloudflare Radar Campagne elettorali Progetto Galileo Progetto Athenian
APPROFONDIMENTI
Analytics Log di Cloudflare Web analytics
PER L'INFRASTRUTTURA
Sicurezza avanzata
Gestione dei bot Regole del firewall Transizione magica Spectrum (TCP/UDP) SSL WAF
Prestazioni e affidabilità
CDN DNS Ridimensionamento delle immagini Bilanciamento del carico Stream (video) Argo Tunnel
 
Approfondimenti
Analytics
Registrazione dominio
Registrar
PER APPLICAZIONI SERVERLESS
Avvio rapido di Workers Sito Workers Progetti campione Workers Tutorial per Workers Riga di comando (Wrangler) Runtime
PER I TEAM
Access Accesso ai log di controllo Gateway Registri attività di Gateway
ESPLORA L'API DI CLOUDFLARE
API Cloudflare Autenticazione API
DOCUMENTATION HUB
Dev Documentation Hub
RISORSE
Hub risorse White paper Webinar Guide ai prodotti e soluzioni Case study Analisti
ESPLORA
Qual’è la novità? Mappa di rete Cloudflare in Cina GDPR
INIZIA
Registra il tuo sito web Welcome center Ottieni assistenza
IMPARA
Centro di apprendimento Sicurezza DDoS Gestione dei bot SSL Gestione identità e accesso Prestazioni CDN DNS Cloud Serverless Livello di rete
CONNETTITI
Blog Community
CONTATTA
+1 650 319 8930
PARTNER CHANNEL E ALLIANCE
Partner network Portale Partner
PARTNER TECHNOLOGY
Panoramica Partner di analytics Bandwidth Alliance Partnership di interconnessione Portale di peering

What is DNS filtering? | Secure DNS servers

DNS filtering blocks malicious or forbidden websites and applications at the DNS level so that they cannot be loaded on user devices.

Share facebook icon linkedin icon twitter icon email icon
Che cos'è l'IAM?
Controllo di accesso
Sicurezza Zero Trust
Che cos'è SASE?
Secure Web Gateway
Accesso remoto
Glossario

DNS Filtering

Obiettivi di apprendimento

Dopo aver letto questo articolo sarai in grado di:

  • Understand how DNS works
  • Learn where DNS filtering fits into the DNS process
  • Explore the types of attacks that DNS filtering services can block

Argomenti correlati

Controllo di accesso

Prevenzione contro la perdita dei dati

Secure Web Gateway

Che cos'è l'IAM?

What is DNS filtering?

DNS Filtering

DNS filtering is the process of using the Domain Name System to block malicious websites and filter out harmful or inappropriate content. This ensures that company data remains secure and allows companies to have control over what their employees can access on company-managed networks. DNS filtering is often part of a larger access control strategy.

What is the Domain Name System (DNS)?

The Domain Name System, or DNS, matches domain names, like cloudflare.com, to IP addresses, like 192.0.2.24. DNS is necessary in order to allow users to access websites without memorizing confusing lists of numbers – just as a person is able to store their friends' phone numbers in their smartphone contacts list instead of memorizing every individual phone number

Anytime a user opens up a website or accesses a web application, the process of loading the content only starts after the user's device has looked up the correct IP address. These are the steps of discovering an IP address so that a website can load:

  1. Once the user types a domain name into their browser, the user's device creates a DNS query and sends it to a specialized web server called a DNS resolver.
  2. The DNS resolver matches the queried domain name to an IP address either by querying additional DNS servers or by checking its cache.
  3. The DNS resolver sends a reply to the user's device with the correct IP address – this is called "resolving" the domain.
  4. The user's device contacts the server at that IP address to open a connection and begin loading the content.

DNS is an essential part of accessing web content – no content can load before the DNS process occurs. This makes DNS filtering an effective way to exert control over what content users can access.

How do DNS filtering services work?

All DNS queries go to a DNS resolver. Specially configured DNS resolvers can also act as filters by refusing to resolve queries for certain domains that are tracked in a blocklist, thus blocking users from reaching those domains. DNS filtering services can also use an allowlist instead of a blocklist (more below).

Suppose a company employee receives a phishing email and is tricked into clicking a link that leads to malicious-website.com. Before the employee's computer loads the website, it first sends a query to the company's DNS resolving service, which uses DNS filtering. If that malicious site is on that company’s blocklist, the DNS resolver will block the request, preventing malicious-website.com from loading and thwarting the phishing attack.

DNS filtering can blocklist web properties either by domain name or by IP address:

By domain: The DNS resolver does not resolve, or look up, the IP addresses for certain domains at all.

By IP address: The DNS resolver attempts to resolve all domains, but if the IP address is on the blocklist, the resolver will not send it back to the requesting device.

What is a blocklist?

In the context of DNS filtering, a blocklist is a list of known harmful domains or IP addresses. DNS filtering vendors may rely upon blocklists that are shared within the cyber security community, generate their own blocklists, or do both. Some DNS filters will even evaluate webpages and add them to a blocklist automatically. For instance, if malicious JavaScript code is observed to run on example.com, example.com will be added to the blocklist.

DNS filtering may also blocklist domains that are not necessarily used for malware or phishing attacks, but that host forbidden or inappropriate content. For instance, a company may wish to add websites that host adult content to their DNS filtering blocklist.

The reverse of a blocklist, an allowlist is a list of allowed domains or IP addresses. All domains or IP addresses that are not on the allowlist are blocked.

How does DNS filtering help block malware and phishing attacks?

DNS filtering can help keep malware, or malicious software, out of company networks and off of user devices. It can also help block some kinds of phishing attacks.

1. Blocking malicious websites

A website that hosts malware can either attempt to trick users into downloading a malicious program, or execute a drive-by download: a download of a malicious piece of software that is automatically triggered when the webpage loads. A number of other attacks are possible as well. For instance, webpages run JavaScript code, and as a full programming language, JavaScript can be used in a range of ways to compromise user devices.

DNS filtering can prevent these kinds of attacks by blocking users from loading malicious webpages at all.

2. Blocking phishing websites

A phishing website is a fake website that is set up to steal login credentials in phishing attacks. The domain used could be a spoofed domain or just an official-looking domain that most users will not think to question. Regardless of the method, the goal is to fool the user into giving their account credentials to an attacker. These websites can be blocked using DNS filtering.

These capabilities are dependent upon the DNS filtering system knowing to identify the malicious IP addresses or domains as bad. While DNS filtering can block this malicious activity, attackers generate new domains very quickly and it is not possible to blocklist all of them.

How does DNS filtering block prohibited content?

The process for restricting access to certain kinds of content is similar to the process described above; IP addresses or domain names that are known to host prohibited content are blocklisted, and users cannot access them. Alternatively, company-approved websites can be added to an allowlist, with DNS filtering blocking all other websites.

What are secure DNS servers?

A secure DNS server is a DNS resolver that blocks malicious or prohibited websites as part of a DNS filtering service. Some secure DNS servers also offer increased privacy to protect user data; Cloudflare, for example, offers a DNS resolving service called 1.1.1.1 that purges all DNS query logs after 24 hours.

Along with DNS filtering, there are additional ways of making the DNS process more secure, since DNS was not designed with security in mind. The DNSSEC protocol helps verify that DNS resolvers provide accurate information and have not been compromised by an attacker. The DNS over TLS (DoT) and DNS over HTTPS (DoH) protocols encrypt DNS queries and responses so that attackers cannot stalk a user's DNS queries and track the websites they visit.

What is the difference between DNS filtering and web filtering?

Web filtering is a broad term that can refer to a number of methods for controlling web traffic. DNS filtering is one type of web filtering. Other kinds of web filtering include URL filtering, keyword filtering, and content filtering.

Does Cloudflare offer DNS filtering in addition to other DNS services?

Cloudflare offers an authoritative DNS service, a public DNS resolver, and, for companies that want to restrict what employees access on the Internet, DNS filtering capabilities. Cloudflare Gateway is a secure web gateway that includes DNS filtering, along with browser isolation and other technologies that keep internal users secure. Learn more about Cloudflare Gateway, or how secure web gateways work.

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.