DNS Firewall: Overview & Setup

Introduction

This article describes the DNS and DNS Firewall at a high level, as well as Field Effect's approach with our DNS Firewall.

What is the Domain Name System (DNS) and a DNS Firewall?

Every website on the internet has a unique IP address (for example, 123.123.123.12) that distinguishes it from other sites. When you browse to www.google.com, for example, the Domain Name System (DNS) resolves (matches) the domain name to its corresponding IP address, 8.8.8.8. Without DNS, everyone would have to memorize the IP address of every webpage on the internet.


Because DNS holds all of these records, it can also be used to "gatekeep" access to websites and content categories, or to track that activity. This is known as a DNS Firewall, and it can be used to track, as well as block, requests made to domains that your organization deems inappropriate, insecure, or malicious.


Field Effect's On-Network DNS Firewall

NOTE: The DNS Firewall is only available to MDR Complete clients. Visit our public website to learn more about our service tiers.


Our DNS Firewall is enabled from within the MDR Portal and supports DNS protection for devices connected to your internal networks (on-network protection), or when connected to external networks (roaming).


Once enabled, you can restrict access by category (gambling, etc.) or have more granular control with custom allow and block lists. A DNS Firewall dashboard is also available for deeper investigations and insights.


What is roaming?

Roaming is currently only supported on devices running Windows 10 and above.

Roaming devices do not support the reporting functionality available with on-network protection. We are currently working on adding this reporting functionality for roaming devices.


While on-network protection can track and restrict access to specified websites and content categories, this functionality, as the name implies, only extends to endpoint devices (with the endpoint agent installed) that are connected to your organization's monitored network(s).


When Roaming is enabled, blocking functionality is extended to external networks (i.e., networks that your organization does not monitor). An example of a roaming device would be a laptop or phone connected to a public Wi-Fi network. To determine whether a device is roaming, the endpoint agent tries to resolve the following domain when connecting to the internet:

  • Name: phishing.cira.ca
  • Address: 162.219.51.2


If the endpoint agent is able to resolve this request, Roaming will not be enabled for that device, since it is already protected by our DNS Firewall. If the agent can't resolve this request, it will assume that the endpoint device is connected to an external network. In this scenario, the endpoint agent will enable Roaming protection and restrict access to content based on your configuration.


Note that there are two cases where our agent will behave differently:

  • Roaming will not apply if we detect that an agent is running on a server, as servers are not typically a type of device that roams between networks.
  • Roaming will not apply to devices while connected to a Virtual Private Network (VPN). The agent assumes that VPN connections are corporately owned and already configured to use our DNS Firewall. Devices will switch to roaming when not connected to a VPN.


Enable On-Network Protection

Please note that it may take up to 3 hours for the DNS Firewall to fully activate after you enable and configure it for your organization (or end client).


Before making any configuration changes, gather the public IP addresses for every gateway device in your organization, as they need to be added to your organization's Monitoring Profile.


Prerequisite: add public IP addresses to the Monitoring Profile

Once you have all your public IP addresses, navigate to the Administration section's Service Profile page, and within the Monitoring Profile section, click on the Public IPs area.



The Public IPs window will open. Create a Connection for every network in your organization (headquarters, branch locations, etc.) in the left-hand column. Once you create a connection, add that connection's public IP(s). Once you have done this for every network, click Update.


IPv4 and IPv6 addresses are supported, and you can add multiple IPs at once by separating them with commas.



In the example above, the organization has one Headquarters connection with one IP address. If the network's public IP address changes, the organization must update the public IP address in its Monitoring Profile (which is why a static IP address is preferred). Should the organization expand, a connection must be created for every new network.


Enable On-Network Protection

Partners: this page is only accessible on a per-client basis. Ensure that the Organization Selector is set to the appropriate client to access this page.


Navigate to the Administration section's DNS Firewall page and enable the On-Network Protection toggle.



A new window will open that reiterates that you must configure your gateway device(s) to use our DNS nameservers instead of their defaults. This process will vary depending on your hardware, but you must configure your gateway device to use our DNS nameservers:

  • IPv4 format:
    • Primary: 162.219.51.2
    • Secondary: 162.219.50.2
  • IPv6 format:
    • Primary: 2620:10a:8054::2
    • Secondary: 2620:10a:8055::2


Once you have made the necessary changes to your gateway device(s), check the confirmation box and click the Update button. This enables the DNS Firewall. Please note that it may take up to 3 hours for the DNS Firewall to fully activate after you enable and configure it for your organization (or end client).



Enable Roaming

To enable roaming, simply enable the Roaming toggle once the DNS Firewall's on-network protection is enabled.



Can I use roaming without On-Network protection?

If you plan on using a different DNS filter service but would like your endpoint devices to leverage Field Effect roaming DNS protection while connected to external networks, our feature supports this.


To do so, you will need to add the roaming domain (see What is roaming? above) to your gateway devices as the last entry in your DNS resolvers:

  • Name: phishing.cira.ca
  • Address: 162.219.51.2


Once this static domain resolution is added to your gateway device(s), the agent will not enable roaming when connected to your network. By adding this static domain resolution last in your list of resolvers, your network will continue to use your existing DNS filter service. When the agent connects to an external network and roaming is enabled, it will fail to resolve the phishing.cira.ca domain and enable roaming. When the host reconnects to a network that can pass the phishing.cira.ca domain check, the agent will disable roaming.


Additional Network Parameters (Optional)

If you are an advanced user and would like to define your "safe" (monitored by your organization) networks, see Mapping Safe Networks.


Based on the configuration of your network(s), and how they are monitored, you may be required to provide additional information to enable roaming protection. You can provide the following:

  • Fully Qualified Domain Name (FQDN): Providing this, along with the IP address, helps Field Effect MDR detect your on-prem environments and avoid enabling roaming protection for devices connected to them.

  • Connection Specific DNS Suffix: Providing this helps us identify networks that you control and that therefore do not require roaming protection.

    • A connection-specific DNS suffix must be assigned to a network interface so our agent can recognize the safe network assigned to that interface.

    • It’s recommended that you configure the connection-specific suffix on a Windows client via DHCP.

      • An "ipconfig /all" command will confirm that the suffix is assigned as required.
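As an added check (this is not Field Effect's own tooling), the following PowerShell script, run on a Windows 10+ client attached to a protected network, confirms the three things the roaming section ("What is roaming?") and the parameters above depend on: which resolvers each interface uses, that phishing.cira.ca resolves to 162.219.51.2 from inside the network, and that a connection-specific DNS suffix is assigned. The nameserver and roaming-check values are taken from this article; the output format is my own.

```powershell
# Constructed verification script; it is not Field Effect's tooling and assumes nothing
# about the agent beyond what the article states. Run it in PowerShell on a Windows 10+
# endpoint while connected to a network you have configured for on-network protection.

# Values taken from the article.
$FieldEffectNameservers = @('162.219.51.2', '162.219.50.2', '2620:10a:8054::2', '2620:10a:8055::2')
$RoamingCheckName       = 'phishing.cira.ca'
$RoamingCheckAddress    = '162.219.51.2'

# 1. Resolvers configured on each interface. On-network clients usually point at the
#    gateway rather than at the Field Effect servers, so this line is informational: it
#    tells you which device's upstream DNS configuration to inspect next.
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $direct = @($_.ServerAddresses | Where-Object { $FieldEffectNameservers -contains $_ }).Count -gt 0
        '{0,-28} {1,-45} uses Field Effect nameservers directly: {2}' -f `
            $_.InterfaceAlias, ($_.ServerAddresses -join ', '), $direct
    }

# 2. The check the agent performs (see "What is roaming?"): if this name resolves to
#    162.219.51.2 through the network's resolvers, the agent keeps roaming off.
try {
    $answers = @(Resolve-DnsName -Name $RoamingCheckName -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } |
                 Select-Object -ExpandProperty IPAddress)
} catch {
    $answers = @()
}
if ($answers -contains $RoamingCheckAddress) {
    "Roaming check: $RoamingCheckName -> $($answers -join ', '); agent treats this network as protected"
} else {
    "Roaming check: $RoamingCheckName did not resolve to $RoamingCheckAddress (got '$($answers -join ', ')'); agent would enable roaming"
}

# 3. Connection-specific DNS suffix per interface: the field the article recommends
#    assigning via DHCP so the agent recognises a safe network ("ipconfig /all" shows it too).
Get-DnsClient |
    Where-Object { -not [string]::IsNullOrEmpty($_.ConnectionSpecificSuffix) } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix
```

If step 2 reports that roaming would be enabled while the client is on your own network, the gateway's resolver configuration (or the static phishing.cira.ca entry described in "Can I use roaming without On-Network protection?") is what to fix.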



Fully Qualified Domain Name

When adding FQDNs, also provide the IP address, and click Add. Any added FQDNs, and their IP addresses, will be listed below. Once your FQDNs are added, click Update to confirm, and return to the DNS Firewall administration page.



Connection Specific DNS Suffix

Simply provide your suffix in the text field and click Add +. Added suffixes will be listed below. Once you add all your suffixes, click Update to confirm, and return to the DNS Firewall administration page.


