D3-DNSDL

Isolate
DNS Denylisting

Definition

Blocking DNS Network Traffic based on criteria such as IP address, domain name, or DNS query type.

How it works

Rules are implemented that filter DNS queries using criteria such as:

Client subnet

Type of network protocol used in query

Fully qualified domain name (FQDN) of record in the query

DNS Server IP address that received the DNS request

Type of DNS record being queried

Time of day the query is received

Size of the response

For example, a DNS policy can be created for blocking DNS queries for FQDNs that have been identified as unauthorized.

Considerations

Implementation considerations for DNS filtering policies to avoid over-blocking or under-blocking domains.

Continuous maintenance of unauthorized domain lists is needed to keep up to date with possible site content changes.

File sharing or content delivery networks may require other filtering techniques that are more fine-grained (URL blocking).

Access to malicious websites or other network resources directly by IP instead of by DNS record, or after alteration of local DNS hosts file, may not result in DNS network traffic.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

blocks
blocks
DNS Denylisting
Inbound Internet DNS Response Traffic
DNS Network Traffic

References

Reference - Use DNS Policy for Applying Filters on DNS Queries