In the world we live in today, just about anything can be prey for a cyber-attacker. As we have seen during the pandemic, one favourite technique has been the abuse of domain names: attackers register look-alike or spoofed domains and lure unsuspecting victims to them.

One way to limit this exposure is what is known as "DNS Filtering". On Windows Server it is implemented with DNS policies: rules on the DNS server that decide, for every incoming query, whether it is answered (ALLOW), refused with a SERVFAIL error (DENY) or silently dropped (IGNORE), based on criteria such as the name being queried, the record type and the subnet the query came from. With this you can blacklist and/or whitelist domains and clients according to your security policies.

In this article, we see how it is done on the Windows platform.

What Kinds of Filtering Can Be Done?

With the DNS policy tools that are available from Microsoft, you can filter queries by the domain or subdomain being asked for, by the subnet the query comes from, by the record type requested and by several other properties of the query. The table below lists the criteria a query resolution policy can match on; a single policy can combine several of them.

Type of Filter               Description
Client Subnet                The name of a predefined client subnet (created with Add-DnsServerClientSubnet). Matches the subnet from which the query was sent.
Transport Protocol           The transport protocol the query arrived on: TCP (Transmission Control Protocol) or UDP (User Datagram Protocol).
Internet Protocol            The network protocol the query arrived on: IPv4 or IPv6.
Server Interface IP Address  The IP address of the DNS server's own network interface that received the query. This lets you treat queries on an internet-facing interface differently from internal ones.
FQDN                         The Fully Qualified Domain Name of the record being queried; wildcards such as *.phishing.com are allowed.
Query Type                   The type of DNS record being queried (A, AAAA, MX, TXT, ANY and so on).
Time of Day                  The time of day at which the query is received.

(Source: 1)

Each criterion is written as an operator followed by one or more values, for example "EQ,MaliciousSubnet06" (equals) or "NE,A,AAAA" (not equal to any of the listed values).
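As an added example (not code from the original article or from Microsoft's documentation), the following PowerShell combines several of the criteria above in single policies and reads them back from the server. The subnet name, the address ranges and the time window are assumptions chosen for illustration.

```powershell
# Added example: combining several of the criteria from the table above in one policy.
# Not code from the original article; the subnet name, address ranges and time window
# are assumed placeholders (RFC 5737 / RFC 3849 documentation ranges).
#Requires -Modules DnsServer

# A ClientSubnet criterion can only name a subnet the server already knows about,
# so define it first. One named subnet can hold several IPv4 and IPv6 ranges.
Add-DnsServerClientSubnet -Name 'GuestWifi' `
    -IPv4Subnet '192.0.2.0/24' `
    -IPv6Subnet '2001:db8:a::/64' | Out-Null

# Policy 1: ALL criteria must match (-Condition AND is the default, written out here
# for clarity). Only TXT queries arriving over UDP from GuestWifi between 18:00 and
# 22:00 are dropped; anything else falls through to later policies or is answered.
Add-DnsServerQueryResolutionPolicy -Name 'GuestEveningTxt' `
    -Action IGNORE `
    -Condition AND `
    -ClientSubnet 'EQ,GuestWifi' `
    -TransportProtocol 'EQ,UDP' `
    -QType 'EQ,TXT' `
    -TimeOfDay 'EQ,18:00-22:00' `
    -ProcessingOrder 1 | Out-Null

# Policy 2: ANY single criterion is enough (-Condition OR). A query is dropped if it is
# an ANY query from anywhere, or if it asks for a name under phishing.com from anywhere.
# Two independent blocklists therefore live in one policy.
Add-DnsServerQueryResolutionPolicy -Name 'AnyOrPhishingDomain' `
    -Action IGNORE `
    -Condition OR `
    -QType 'EQ,ANY' `
    -Fqdn 'EQ,*.phishing.com' `
    -ProcessingOrder 2 | Out-Null

# Read the policies back. Each criterion is stored as a CriteriaType/Criteria pair,
# which is the quickest way to confirm the server parsed the 'EQ,...' strings as intended.
foreach ($policy in Get-DnsServerQueryResolutionPolicy | Sort-Object ProcessingOrder) {
    '{0}: order {1}, action {2}, condition {3}' -f $policy.Name, $policy.ProcessingOrder, $policy.Action, $policy.Condition
    $policy.Criteria | Format-Table CriteriaType, Criteria -AutoSize
}
```

Run it in an elevated PowerShell session on the DNS server itself (or add -ComputerName to each cmdlet when managing it remotely with RSAT). The OR policy is the one to be careful with: a single loosely written criterion such as "EQ,UDP" in an OR policy would drop almost every query the server receives.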

More Details On DNS Filtering

The following are example filtering rules that you can put in place. All of them use -Action IGNORE, which makes the server silently drop a matching query, so the client sees a timeout rather than an error. Replace the subnet names, addresses and domains with your own.

  1. Subnet Query Blocking: With this, you can block every query for a given domain that comes from a subnet you regard as malicious. The subnet must first be defined by name with Add-DnsServerClientSubnet (see item 5); the policy then references that name. Use the following command line to put the block in place:
     Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyMalicious06" -Action IGNORE -ClientSubnet "EQ,MaliciousSubnet06" -FQDN "EQ,*.phishing.com" -PassThru

     In this and the blocklist examples that follow, phishing.com stands in for a malicious domain; substitute the domains on your own blocklist.

  2. Domain Blocking: Using this functionality, you can block a malicious domain in its entirety, so that none of your employees' machines can resolve names under it. Because the rule has no client-subnet criterion, it applies to every query regardless of its source. The following command line can be used for this purpose:
     Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicy" -Action IGNORE -FQDN "EQ,*.phishing.com" -PassThru

  3. Query Blocking: With this, you can block queries of a given record type. The example drops queries of type ANY, which ask for every record of a name and are a favourite of DNS amplification attacks because of the large answers they produce. To launch this, use the following command line:
     Add-DnsServerQueryResolutionPolicy -Name "BlockListPolicyQType" -Action IGNORE -QType "EQ,ANY" -PassThru

  4. Whitelisting of Queries: With this functionality, you whitelist the domains for which the server will answer queries; queries for any other name are dropped. Note the NE (not equal) operator: the domain named in the rule is the one that stays resolvable, so it must be a domain you want to allow, typically your own, and never a malicious one. The example uses *.example.com as a placeholder for your own namespace. To start this particular whitelisting process, use the following command line:
     Add-DnsServerQueryResolutionPolicy -Name "AllowListPolicyDomain" -Action IGNORE -FQDN "NE,*.example.com" -PassThru

  5. Whitelisting of Subnets: This is the same concept as the above, applied to the source of the query instead of its target: only clients in the named subnet are answered, and queries from everywhere else are dropped. First define the subnet by name, then reference it in the policy:
     Add-DnsServerClientSubnet -Name "AllowedSubnet06" -IPv4Subnet 172.0.33.0/24 -PassThru
     Add-DnsServerQueryResolutionPolicy -Name "AllowListPolicySubnet" -Action IGNORE -ClientSubnet "NE,AllowedSubnet06" -PassThru

  6. Whitelisting of External Queries: The same concept applied to the record types (QTypes) that external parties, such as contractors or third-party suppliers, may ask for on your internet-facing server. The rule below is bound to the server interface 164.8.1.1 and drops every query arriving there whose type is not one of A, AAAA, MX, NS or SOA, so TXT, ANY and other types are never answered on that interface. (-ServerInterface works because PowerShell accepts it as an abbreviation of the full parameter name, -ServerInterfaceIP.) To initiate this process, use the following command line:
     Add-DnsServerQueryResolutionPolicy -Name "AllowListQType" -Action IGNORE -QType "NE,A,AAAA,MX,NS,SOA" -ServerInterface "EQ,164.8.1.1" -PassThru
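As an added example that is not part of the original article or of Microsoft's documentation, the following script puts the whitelisting rules from items 3 to 6 together in one deployment, with an explicit processing order and a verification step. The server name, the subnet, the interface address and the domain name are assumptions chosen for illustration.

```powershell
# Added example: deploying the allow-list rules above in a deliberate processing order
# and verifying the result. Not code from the original article or Microsoft's documentation;
# the server name, subnet, interface address and domain are assumed placeholders.
#Requires -Modules DnsServer, DnsClient

$DnsServer      = 'dns01.example.com'   # assumed: DNS server to manage (remote management needs RSAT)
$AllowedSubnet  = '10.20.0.0/16'        # assumed: the only internal subnet allowed to query
$ExternalIfIP   = '198.51.100.10'       # assumed: the server's internet-facing listener address
$InternalDomain = 'example.com'         # assumed: the namespace external partners may resolve

# The named subnet must exist before any policy refers to it.
if (-not (Get-DnsServerClientSubnet -ComputerName $DnsServer -Name 'AllowedSubnet06' -ErrorAction SilentlyContinue)) {
    Add-DnsServerClientSubnet -ComputerName $DnsServer -Name 'AllowedSubnet06' -IPv4Subnet $AllowedSubnet | Out-Null
}

# Policies are evaluated by ProcessingOrder and the first match decides, so the order
# below is part of the design, not cosmetic. -ServerInterfaceIP is the full parameter
# name that the shorter -ServerInterface used in the article abbreviates.
$Policies = @(
    # 1. Drop ANY queries from everyone (amplification bait), before any allow rule runs.
    @{ Name = 'BlockListPolicyQType';  Action = 'IGNORE'; QType = 'EQ,ANY' }
    # 2. On the external interface, answer only the record types a partner needs.
    @{ Name = 'AllowListQType';        Action = 'IGNORE'; QType = 'NE,A,AAAA,MX,NS,SOA'; ServerInterfaceIP = "EQ,$ExternalIfIP" }
    # 3. On the external interface, answer only for our own namespace (no open resolver).
    @{ Name = 'AllowListPolicyDomain'; Action = 'IGNORE'; Fqdn = "NE,*.$InternalDomain"; ServerInterfaceIP = "EQ,$ExternalIfIP" }
    # 4. Internally, drop anything not from the allowed subnet. The interface criterion
    #    matters: without it this rule would also match partner queries arriving on the
    #    external interface, since those clients are not in AllowedSubnet06 either.
    @{ Name = 'AllowListPolicySubnet'; Action = 'IGNORE'; ClientSubnet = 'NE,AllowedSubnet06'; ServerInterfaceIP = "NE,$ExternalIfIP" }
)

$order = 1
foreach ($p in $Policies) {
    # Recreate rather than update so the script is repeatable.
    if (Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $p.Name -ErrorAction SilentlyContinue) {
        Remove-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name $p.Name -Force
    }
    Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -ProcessingOrder $order @p | Out-Null
    $order++
}

# Review the effective order before trusting it.
Get-DnsServerQueryResolutionPolicy -ComputerName $DnsServer |
    Sort-Object ProcessingOrder |
    Format-Table ProcessingOrder, Name, Action, Condition, IsEnabled -AutoSize

# IGNORE sends no response at all, so a blocked query shows up as a client timeout,
# not as NXDOMAIN or REFUSED. -DnsOnly bypasses the local cache and LLMNR so the
# probe really reaches the server. Run the probes from inside and outside AllowedSubnet06.
function Test-DnsQuery {
    param([string]$Server, [string]$Name, [string]$Type = 'A')
    try {
        $null = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Type = $Type; Result = 'answered' }
    } catch {
        [pscustomobject]@{ Name = $Name; Type = $Type; Result = "no answer: $($_.Exception.Message)" }
    }
}

Test-DnsQuery -Server $DnsServer -Name "www.$InternalDomain" -Type A     # allowed type for own namespace
Test-DnsQuery -Server $DnsServer -Name "www.$InternalDomain" -Type ANY   # caught by policy 1 from any source
Test-DnsQuery -Server $DnsServer -Name 'www.phishing.com'    -Type A     # caught by policy 3 on the external interface only
```

The three probes at the end are the minimum worth running: one query that must still work, one that policy 1 must drop from everywhere, and one that only the external interface should drop. If the first probe times out from a host inside AllowedSubnet06, the subnet definition or the interface address in policy 4 is wrong, and the server is dropping legitimate traffic.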

Conclusions

Policies are applied in processing order, and the first policy that matches a query decides its fate, so after adding rules review them with Get-DnsServerQueryResolutionPolicy and test from a client inside and outside each subnet before relying on them: a mistake in a whitelist rule silently drops legitimate traffic rather than producing an error. If you need further help or training in these command line procedures, or in deploying any other kind of DNS filtering from Microsoft, contact us today.

Sources

  1. https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/apply-filters-on-dns-queries