10 questions to ask a potential DNS Firewall provider

Ways of deployment

Let’s start with the basics; currently, there are 3 different ways to deploy DNS Firewall:

• On-premises open source software: Threat intelligence data feeds from a third party accessed through your DNS infrastructure.
• On-premises solution/appliance: This is located within your network, working as a management system for your DNS’s security infrastructure, which uses threat intelligence data feeds.
• Cloud: A service which is external to your network, where a third party manages your DNS requests.

1. How is DNS Firewall set-up and configured?

Be certain to look at this implementation holistically and consider the ‘big picture’. Ensure you choose a solution that meets your needs, and not simply one that is the fastest to install. Key elements to consider are:

1. Quality of threat data
2. Pricing
3. Control
4. Flexibility
5. Transparency
6. Support
7. Testing period¹

• On-premises open source software: This is a more technical implementation because you configure the threat intelligence data feeds directly into your DNS. Here it is vital to understand the support that will be given by the service provider during the implementation.
• On-premises appliance: A more in-depth implementation is usually involved. You will be required to make direct changes to your DNS.
• Cloud service: Typically you will only be required to make minimal changes to your DNS set-up. This will simply involve pointing your recursive resolver to a different IP address, through which you will run your DNS resolution.

2. How much does it cost?

Cost is always a key factor when looking at purchasing new services or hardware. Consider if you have (or need to make a business case for) capital budget, or are wanting a solution which can fit into your operational budget, on a subscription basis.

• On-premises open source software: Prices in this category should be amongst the lowest, as you are transferring threat intelligence feeds into your own DNS resolver, and won’t have any hardware costs to pay.
• On-premises appliance: Prices should be lower per user than using a cloud service, given that you are installing something onto your own network. However, establish if any additional fees need to be paid to use ancillary services on these appliances.
• Cloud service: This is generally more expensive per user because of the provider’s infrastructure costs, in addition to the cost of distributing their threat intelligence throughout their network. The set-up is relatively easy (see #1), however, this is a service you share with multiple users, therefore you lose flexibility and control, and you may end up paying for data feeds that you don’t require.

Remember that some on-premises solutions and direct DNS data feeds both have a more complex set-up (see #1). Having said this, you will be rewarded for your efforts by having a large amount of control, both in terms of the different data feeds you utilize, and instant access to your redirect/block information.

3. Can I tailor your threat intelligence data feeds to my needs?

Organizations need to have the flexibility to assess the amount of risk they want to take. Question if you are able to pick the data feeds (i.e. the threat intelligence that’s being used to block/redirect on your network) that provide the right level of security for your business requirements.

Some industries e.g. financial and healthcare services require additional levels of security so they may want to have a strong focus on policy-based data feeds. On the other hand, if you need to be less risk adverse e.g. those managing end-user networks, you don’t want to have to pay for feeds that you don’t use.

Furthermore, there are organizations who require multiple levels of security across different areas of their network, for example, academic institutions will require a different level of protection for students compared to that of the staff.

4. What is the quality and breadth of your Threat Feeds?

Cybercriminals use a range of techniques to extort information, and ultimately money, from their victims. Your DNS Firewall is only as good as the threat data it receives to block connections. These feeds need to be diverse and well researched, protecting you against as many malicious domains as possible. Furthermore your threat data needs to have a low rate of false positives, particularly across non-policy focused feeds.

Whether you go down the route of choosing an appliance or decide to configure your own DNS, you will need to source a supplier for the data feeds. Ensure it is someone who is well established in providing threat intelligence and draws data from a wide range of independent sources.

5. How do I resolve issues with false positives?

If a business critical domain is being redirected/blocked you need to be certain that you can make an exception to the policy decision of your DNS Firewall, so your business can continue to operate without disruption.

• On-premises open source software & appliance: Is there the flexibility to add the domain to a private whitelist to allow you instant access to the blocked domain?
• Cloud services: Check service level agreements (SLAs) for response and action times in relation to whitelisting and/or removing blocked domains that are business critical for you. See to it that these are acceptable to your business needs.

6. How often is your data updated?

Timely threat intelligence is fundamental to countering cybercriminal activities across your network. According to a Ponemon Institute Survey, 37 percent of attackers quit if they can’t yield value after a period of 10 hours.

With this in mind, ensure that the data protecting you is delivered as continuously as possible: An update that occurs only every hour could fail to protect from the potential damage malware can do upon its initial release.

7. Can infected devices be easily traced on my network?

Whilst you can control most of what happens on your network, you can’t control what happens within your customer environment(s) or when employee devices are taken offsite, for example, working at a client’s offices, or from home.

Botnet Command & Controller (Botnet C&C) listings increased by a huge 32% in 2017 (read the full Botnet Threat Report). Given the upsurge in threats from this area, it is vital to be able to trace any infected devices on your network, to enable you to take rapid and effective action.

Establish with your DNS firewall provider how attempted access to malicious sources can be detected using DNS firewalls on your network. Remember to check if there is any need to install additional agents/software, which would lead to additional costs and complexity.

8. How and when will I be notified of issues on my network?

Having ‘control’ is fundamental to most IT security teams. The sooner a threat is flagged, the sooner relevant remediation can take place, be that for your customer if you are an ISP or Hosting provider, or your employee if you are an enterprise business.

• On-premises open source software & appliance: Determine if you have the ability to set up your own logs, so you are immediately aware the moment a block/rewrite occurs, or receive notification if there is an infected client on your network. This will enable you to take action without delay.
• Cloud service: Establish if reports specific to your network are pushed out in real-time. Consider the impact on your business if you had to wait to receive information on a redirect or a botnet infected machine.

9. How stable is your service?

On-premises open source software: Ascertain that any provider of Threat Feeds has multiple access points for their data. This will ensure that even if there is an issue with some of their servers you will continue to receive service from one of their alternative locations.

• On-premises appliance: If you are using an appliance you need to be sure that your DNS will still function, even without the DNS firewall, if the solution fails.
• Cloud service: Be certain of contingency plans in regards to service failure, as this could potentially mean that you could lose all access to DNS connections, crippling your business. Gain a clear understanding of their SLAs, and if they’ve been met historically.

10. Can I write my own redirect pages?

Why is this important? Well, because it is an opportunity to transform something negative i.e. a cybercrime into a teachable moment for the end-user.

A generic message only informs that a block/redirect has occurred:

The requested web page from has been blocked

However, a carefully crafted landing page which provides the end-user with ‘why’ they have been blocked and ‘how’ they can protect themselves in the future will positively contribute to increasing the ongoing security of your network. For further information and examples of “Ëœteachable moment’ landing pages, click here.

Good-luck!

With such a huge growth in the DNS Firewall market over the past few years there are plenty of options to choose from. Simply (!) take the time to understand your business needs and carefully research what option meets them.