--> A DNS Firewall is a type of firewall used to block client DNS queries for malicious domains and IP addresses.
--> A DNS Firewall uses DNS Response Policy Zones (RPZ) and threat feeds to prevent most of these attacks.
--> Domain Name Service Response Policy Zones (RPZ) is another name for the DNS Firewall.
--> A DNS Firewall can do the following things:
i) Redirect queries for malicious domains to a particular IP address (a sinkhole), so that analytics or insights on that address show how many clients tried to reach the malicious domain.
ii) Block malicious IP subnets/hostnames when a DNS query for the malicious subnet/hostname reaches the DNS Firewall.
iii) Block the name server IP addresses that host malicious domains.
--> All of the above is done by configuring a Response Policy Zone on the DNS Firewall.
--> A DNS Response Policy Zone contains multiple DNS rules, each with an action associated with it.
--> Each rule in the DNS Response Policy Zone can be configured to match on one of the following:
1) DNS Query (we can block the DNS query as soon as it arrives from the client)
2) DNS Response (we can block the DNS response if it contains a malicious IP address or domain)
3) Name Server IP address (if any name server hosts malicious domains or IP addresses, we can block it)
--> When a DNS rule matches, the action can be one of the following:
1) Send a Non-Existent Domain (NXDOMAIN) response
2) Send a No Data Records (NODATA) response
3) Change the IP address/FQDN in the DNS response before sending it to the client
4) Allow the DNS response
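The three rule types and four actions above map directly onto how an RPZ zone is written. The following is an added example, not code from the original post or from any vendor: a small evaluator that loads constructed RPZ records (owner names, zone name and IP ranges are all made up) using the ISC/BIND RPZ encoding, where a QNAME rule is the domain itself, an IP rule is "<prefix>.<reversed octets>.rpz-ip", a name-server IP rule uses ".rpz-nsip", and the action is encoded in the RDATA ("CNAME ." for NXDOMAIN, "CNAME *." for NODATA, "CNAME rpz-passthru." to allow, any other record to rewrite the answer). The matching order (query name first, then answer addresses, then name-server addresses) is a simplified model for illustration.

```python
"""Toy evaluator for DNS Response Policy Zone (RPZ) rules.

Added example; not code from the original post or any vendor product.
Triggers and actions are encoded the way ISC/BIND RPZ zones encode them,
but the matching logic is a simplified model for illustration only.
"""
import ipaddress

RPZ_ZONE = "rpz.example"  # assumed policy-zone name (constructed)

# Constructed policy records; owner names are relative to RPZ_ZONE.
RPZ_RECORDS = [
    # QNAME triggers: act on the client's query before resolution
    ("bad.example.net",         "CNAME", "."),             # NXDOMAIN
    ("*.bad.example.net",       "CNAME", "."),             # every subdomain too
    ("allowed.bad.example.net", "CNAME", "rpz-passthru."), # exception: allow
    ("tracker.example.org",     "CNAME", "*."),            # NODATA
    ("phish.example.com",       "A",     "192.0.2.250"),   # rewrite to a sinkhole
    # IP trigger: act when an answer contains an address in 198.51.100.0/24
    ("24.0.100.51.198.rpz-ip",  "CNAME", "."),
    # NSIP trigger: act when the domain's name server is in 203.0.113.0/24
    ("24.0.113.0.203.rpz-nsip", "CNAME", "*."),
]


def decode_action(rtype, rdata):
    """Map an RPZ record's RDATA to the policy action it encodes."""
    if rtype == "CNAME":
        if rdata == ".":
            return ("NXDOMAIN", None)
        if rdata == "*.":
            return ("NODATA", None)
        if rdata == "rpz-passthru.":
            return ("PASSTHRU", None)
    return ("LOCAL_DATA", (rtype, rdata))  # rewrite the response to this record


def qname_match(qname):
    """Exact owner name wins over a wildcard; a wildcard needs an extra label."""
    q = qname.lower().rstrip(".")
    wildcard_hit = None
    for owner, rtype, rdata in RPZ_RECORDS:
        if owner.endswith(".rpz-ip") or owner.endswith(".rpz-nsip"):
            continue
        if owner == q:
            return decode_action(rtype, rdata)
        if owner.startswith("*.") and q.endswith(owner[1:]):
            # keep the longest (most specific) matching wildcard
            if wildcard_hit is None or len(owner) > len(wildcard_hit[0]):
                wildcard_hit = (owner, decode_action(rtype, rdata))
    return wildcard_hit[1] if wildcard_hit else None


def _ip_in_trigger(owner, suffix, ip):
    """Decode '<prefix>.<reversed octets>.<suffix>' and test membership."""
    labels = owner[: -len(suffix) - 1].split(".")  # strip ".rpz-ip" / ".rpz-nsip"
    prefix, octets = labels[0], ".".join(reversed(labels[1:]))
    net = ipaddress.ip_network(f"{octets}/{prefix}", strict=False)
    return ipaddress.ip_address(ip) in net


def address_match(suffix, addresses):
    """First address-based rule whose prefix contains any of the addresses."""
    for owner, rtype, rdata in RPZ_RECORDS:
        if owner.endswith("." + suffix):
            for ip in addresses:
                if _ip_in_trigger(owner, suffix, ip):
                    return decode_action(rtype, rdata)
    return None


def evaluate(qname, answer_ips=(), ns_ips=()):
    """Return (trigger, action, data): query name first, then answer IPs, then NS IPs."""
    hit = qname_match(qname)
    if hit:
        return ("QNAME",) + hit  # a PASSTHRU here also skips the later checks
    hit = address_match("rpz-ip", answer_ips)
    if hit:
        return ("IP",) + hit
    hit = address_match("rpz-nsip", ns_ips)
    if hit:
        return ("NSIP",) + hit
    return (None, "ALLOW", None)


if __name__ == "__main__":
    for args in [("bad.example.net",), ("cdn.bad.example.net",),
                 ("allowed.bad.example.net",), ("phish.example.com",),
                 ("good.example.com", ["198.51.100.7"]),
                 ("good.example.com", ["192.0.2.10"], ["203.0.113.9"])]:
        print(args[0], "->", evaluate(*args))
```

The exception record for allowed.bad.example.net shows why exact-name precedence matters: without it, the wildcard would also sinkhole a legitimate host inside a blocked domain, and the PASSTHRU would never be reached.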
--> A DNS Firewall also uses threat feeds to learn which malicious domains are present on the Internet.
--> Some DNS Firewall vendors provide built-in threat feeds and offer the option to integrate with third-party threat feed vendors.
--> Placement of the DNS Firewall in the network is the most important criterion for protecting against most attacks.
--> DNS Firewalls are mostly deployed at the Internet edge so that DNS queries/responses can be validated before they are passed on to other firewalls.
--> Vendors such as F5, Infoblox, Cisco, BlueCat and others provide DNS Firewall functionality.
References: F5.com, Cisco.com, kb.isc.org
Md.Kareemoddin,
CCIE # 54759
Super Duper Explanation