DNS Firewalls - The Right Option at the Right Time


Some technologies are ground-breaking and new, some are old and proven; DNS firewalls are both: old, with some new capabilities. There are many articles on DNS firewalling, which was first introduced in 2010 by the Internet Consortium. When the Internet first came to be, most of the systems on it were routers, switches, servers or workstations. Today many devices have far more control, including temperature controls, power switching, rail and transportation equipment, and much more. Smart homes are more common now than ever, and the connected world continues to grow.

As the technologies increase, so too do the attacks and attempts at takeovers, ransomware and other methods of making the Internet less safe. Paul Vixie (arguably the father of the Internet) has written many articles on the benefits of DNS firewall technology. He knows his stuff, and should, because he created the DNS system in use today. When the RPZ (Response Policy Zone) feature was introduced in 2010, not many people took notice. Everyone was busy with their Snort sensors (detection) or was using hardware firewalls and antivirus to stop the flow of malicious bits. What people failed to understand was that DNS sinkholing could stop many of the threats out there without ever allowing your workstation to even talk to the bad actors.

Paul often remarks that the network is like one big traffic filter. A firewall, for instance, is designed to either allow or deny access. Switch ACLs either allow a system to communicate or deny communication. DNS, while its main purpose is to turn Internet addresses into fancy names, can also block, and in many cases even stop, moving targets. See the example below:

  • Threat actor starts attacks from an IP address

  • Once detected, administrators put an IP block in a firewall, effectively blocking the threat actor

  • Once the threat actor notices they can no longer attack, they move their services to an IP address that is not blocked, and the process starts all over again

This is known as the whack-a-mole process, and it is still in use 30 years after the Internet took hold; we don't get it.

The Jigsaw Security Enterprise managed security solution includes our big data platform as well as our RPZ sinkhole technology. We don't like blocking IP addresses because it's easy for an actor to move and change how they attack. Instead, we believe that tracking the names and name patterns being used is a much more effective way to deny access to an entire network.

In our system, if you wanted any Google domain to point to Bing, as an example, you could do the following:

*.google.com CNAME www.bing.com

What this does is resolve ANY Google subdomain to www.bing.com using the RPZ server's rewrite capability. Instead of looking up website.google.com or www.google.com, the DNS server replaces the response with the defined answer, www.bing.com. This feature is used to redirect bad activity to other websites, preventing malware attacks and all sorts of nefarious communications on the Internet.
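To make the matching concrete, here is an added example (not code from this post or from Jigsaw Security) that evaluates BIND-style RPZ QNAME rules the way the record above is applied: an exact owner match wins, otherwise the closest wildcard. It goes a little beyond the post by also decoding the standard RPZ CNAME encodings for NXDOMAIN, NODATA, passthru and drop; the policy zone fragment and the domain names in it are constructed for illustration.

```python
# Added example: minimal evaluator for RPZ QNAME-trigger rules.
# Constructed policy zone fragment; owner names are relative to the RPZ
# zone origin, exactly as "*.google.com CNAME www.bing.com" is in the post.
POLICY_ZONE = """
*.google.com      CNAME www.bing.com.
bad.example       CNAME .             ; NXDOMAIN: answer "name does not exist"
*.bad.example     CNAME *.            ; NODATA: name exists, no records
trusted.example   CNAME rpz-passthru. ; exempt this name from policy
sink.example      CNAME rpz-drop.     ; silently drop the query
"""

def parse_policy(text):
    """Return {owner: target} for each 'owner CNAME target' line, lowercased."""
    rules = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, rtype, target = line.split()
        if rtype.upper() == "CNAME":
            rules[owner.lower()] = target.lower()
    return rules

def action_for(target):
    """Map an RPZ CNAME target to its policy action (standard RPZ encodings)."""
    if target == ".":
        return ("NXDOMAIN", None)
    if target == "*.":
        return ("NODATA", None)
    if target == "rpz-passthru.":
        return ("PASSTHRU", None)
    if target == "rpz-drop.":
        return ("DROP", None)
    return ("REWRITE", target.rstrip("."))    # "Local Data": rewrite the answer

def lookup(rules, qname):
    """QNAME trigger: exact owner first, then the most specific wildcard."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return action_for(rules[name])
    labels = name.split(".")
    for i in range(1, len(labels)):            # *.b.c before *.c
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            return action_for(rules[candidate])
    return ("PASSTHRU", None)                  # no rule: resolve normally

if __name__ == "__main__":
    rules = parse_policy(POLICY_ZONE)
    for q in ("mail.google.com", "google.com", "www.bad.example", "sink.example"):
        print(q, "->", lookup(rules, q))
```

Note that the wildcard `*.google.com` does not cover the apex `google.com` itself; a second rule for the bare name is needed if that should be rewritten too.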

The system is efficient and a better way to deny threat actors access to your resources. It's like having your own phonebook that will only allow you to call good people. If only everything worked this way in life!
