DNS-Based Security For Small Business
DNS-based security is a method of protecting networks by leveraging the Domain Name System (DNS) to filter and block access to malicious or suspicious websites before a connection is even established.
While many DNS-based security features focus on blocking sites that may be malicious, it is also commonly used for ad blocking and content blocking. For example, DNS-based tools can also be used to prevent employees (or kids) from visiting inappropriate sites (like pornography), entertainment sites, social media, and more.
DNS-based security is both extremely effective and highly affordable, making it an important addition to any small business. We also include it in our Security Essentials bundle along with other critical cybersecurity technologies like fully managed MDR and patch and vulnerability management, all for only $25 per month! Security Essentials is designed to provide a turnkey solution to small business cybersecurity at the lowest possible price.
In this article, we’ll cover the basics of how DNS-based security solutions work. Along the way, we’ll look at why DNS-based security is so powerful, how it can be implemented, and what its limitations are.
What is DNS?
DNS is a system that converts a web address (like google.com) into an IP address (like 8.8.8.8). We give websites names (called a ‘domain name’) in order to make the internet easier to use. But under the hood, all websites and web applications use IP addresses.
The DNS system makes things easy for us by converting domain names into IP addresses. That’s why it’s called the ‘Domain Name System’.
Understanding DNS – The Phone Book Analogy
The classic way of describing DNS is by using the analogy of a phone book. When we want to call a friend or colleague, we simply look them up using their name. Today, this is almost always done using our ‘Contacts’ list in a smartphone; historically, we also used phone books.
If we didn’t have a way to associate a phone number with a name, we’d have to remember everyone’s phone number! That would be difficult and prone to error.
Websites work the same way. Every website has an IP address (or a set of IP addresses) associated with it.
When you type a website name—say, “guardianangelit.com”—into your browser, DNS translates the easy-to-remember name into an IP address. The IP address then tells your computer exactly where to go on the internet to find that website.
Without DNS, you’d have to memorize a long string of numbers for every site you wanted to visit, which would be really inconvenient. Essentially, DNS makes navigating the internet simple and user-friendly by handling all the behind-the-scenes address lookups for you.
What Is DNS-Based Security?
Now that we understand how DNS works, let’s revisit DNS-based security.
It’s actually pretty simple. DNS-based security adds a security filter to the DNS lookup process.
When you type a website address into your browser, your computer sends a DNS query asking, “What is the IP address for this website?” DNS-based security steps in.
Instead of simply looking up the IP address, the system first checks whether the website name or the IP address it resolves to appears in a list of known malicious or suspicious domains. This list is compiled from many threat intelligence sources and is updated continuously.
If the website is considered safe, the resolver returns the correct IP address, and your browser connects to the site as usual.
However, if the domain is flagged as malicious—perhaps it’s known for phishing, spreading malware, or hosting harmful content—the DNS-based security system will block the query or provide an alternate answer.
Instead of connecting to the dangerous website, your browser might be redirected to a safe page or simply be prevented from connecting at all.
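Stripped down to its decision logic, a filtering resolver behaves like the Python below. This is an added example written for this article, not code from any vendor's product or from Security Essentials; the upstream answers, the blocklists and the sinkhole address are all constructed sample values.

```python
import ipaddress

# Constructed sample data: a tiny upstream "zone" standing in for real DNS,
# plus a domain blocklist and an IP blocklist (all values invented here).
UPSTREAM = {
    "example.com": "93.184.216.34",
    "login.example-bank.test": "203.0.113.10",
    "cdn.payload-host.test": "198.51.100.77",
    "updates.vendor.test": "192.0.2.50",
}
BLOCKED_DOMAINS = {"example-bank.test", "payload-host.test"}  # matched by suffix
BLOCKED_IPS = {ipaddress.ip_address("192.0.2.50")}             # matched exactly
SINKHOLE_IP = "127.0.0.1"  # the "safe page" address returned instead of the real one


def _names_to_check(qname):
    """Yield the queried name and each parent domain, so blocking a zone
    also covers its subdomains (login.example-bank.test -> example-bank.test)."""
    parts = qname.rstrip(".").lower().split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def _block(mode):
    # 'sinkhole' answers with a safe address; 'refuse' returns no address at all.
    return ("block", SINKHOLE_IP if mode == "sinkhole" else None)


def filter_query(qname, mode="sinkhole"):
    """Resolve qname the way a filtering resolver would.
    Returns ('allow', ip), ('block', sinkhole_or_None) or ('nxdomain', None)."""
    # 1. Check the name (and its parents) before doing any upstream lookup.
    for candidate in _names_to_check(qname):
        if candidate in BLOCKED_DOMAINS:
            return _block(mode)
    # 2. Look the name up "upstream" (a dict stands in for the real resolver).
    ip = UPSTREAM.get(qname.rstrip(".").lower())
    if ip is None:
        return ("nxdomain", None)
    # 3. The answer itself may be a known-bad address; check it too.
    if ipaddress.ip_address(ip) in BLOCKED_IPS:
        return _block(mode)
    return ("allow", ip)
```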
The description above covers how traditional DNS-based security works; newer tools go beyond this simple model, using AI, machine learning, and other methods to significantly improve their ability to detect malicious websites and activity. For example, the DNS security tool that we include with Security Essentials actually uses more than 10 detection engines under the hood, all actively working to protect our customers as they work.
Why DNS-Based Security is Important For Small Business Cybersecurity
There are several important factors that make DNS-based security particularly important and useful for small businesses.
The first is that DNS-based security is powerful. It can block many different kinds of attacks and protect the user from themselves. It’s a great first line of defense against attacks that leverage social engineering, like phishing and business email compromise (BEC). Since DNS is fundamental to how the internet works, DNS-based security tools are extremely effective.
The second is that DNS-based security is cheap. Being an IT company, we are able to see firsthand the costs of various technologies. The cost of DNS-based security depends on the vendor but can be as low as a few dollars per device, per month. That’s how we’re able to include it in our Security Essentials bundle, stacked along with other technologies that cost much more (like MDR). There’s even a free DNS-based security provider called Quad9; it’s limited in functionality and a bit slow, but awesome. And nothing beats free!
Third, DNS-based security blocks attacks before they happen. This can prevent the entire attack chain from occurring because the attacker isn’t able to get a foothold on the system or in the network.
Fourth, it is extremely fast. The time a DNS lookup takes is negligible; the load time of a website, for example, is determined almost entirely by the data its contents require (code, images, video, animations, etc.). In contrast, DNS requests and responses carry a very small amount of data (almost none), so the entire process is very fast.
Fifth, DNS-based security agents are designed to be lightweight and require few resources, including both memory (RAM) and processing power.
Essentially, when a device tries to access a website, it sends a DNS query to resolve the domain name into an IP address. With DNS-based security in place, this query is intercepted and compared against an up-to-date database of known malicious domains. If the domain is flagged as harmful or associated with cyber threats such as phishing, malware distribution, or command-and-control activities, the DNS server either blocks the request or redirects it to a safe page, effectively preventing the connection from being made.
The Limitations of DNS-Based Security
DNS-based security is a valuable tool, but it does have its limitations.
One major limitation is that it only operates at the DNS level. This means that it only blocks access based on domain names and IP addresses rather than inspecting the content of network traffic. If a threat uses methods that bypass normal DNS queries—such as directly using IP addresses or employing encrypted DNS (like DNS over HTTPS) to avoid detection—the DNS-based security layer may not catch it.
Additionally, DNS-based security relies heavily on threat intelligence databases. If a new or evolving threat hasn’t yet been cataloged, the system might not block it until its databases are updated.
Another limitation is that DNS-based security doesn’t provide visibility into what happens after a connection is made. Once a device successfully resolves a domain name and connects to a site, any malicious activity that occurs during the session remains unchecked by the DNS filter.
There can also be issues with false positives, where legitimate websites are mistakenly blocked, potentially disrupting normal business activities. Moreover, if users or malware change their DNS settings to use alternative servers, they can potentially bypass the DNS-based protections altogether.
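That last limitation is one a small business can check for itself: any DNS traffic that does not go to the approved filtering resolver is a sign the filter is being skipped. The Python below is an added example (not code from this article or any product) that scans constructed firewall log lines for such traffic; the approved resolver address, the DoH endpoint list and the log line format are assumptions made for the example.

```python
import re
from collections import Counter

# Assumed: the one filtering resolver clients are supposed to use.
APPROVED_RESOLVERS = {"10.0.0.53"}
# Public DoH resolvers listen on 443 like any website, so they can only be
# spotted by address. Real deployments use a maintained feed; these are
# constructed placeholders from the TEST-NET-3 range.
KNOWN_DOH_ENDPOINTS = {"203.0.113.1", "203.0.113.2"}

# Assumed log format: "<timestamp> src=<ip> dst=<ip> proto=<udp|tcp> dport=<port>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def classify(line):
    """Return (src, dst, reason) if the line shows the filter being bypassed, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed or unrelated line
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if dport == 53 and dst not in APPROVED_RESOLVERS:
        return (src, dst, "plain DNS to an unapproved resolver")
    if dport == 853:
        return (src, dst, "DNS over TLS (port 853) skips the filtering resolver")
    if dport == 443 and dst in KNOWN_DOH_ENDPOINTS:
        return (src, dst, "HTTPS to a known DNS over HTTPS resolver")
    return None


def find_bypasses(lines):
    """Return all findings plus a per-source-host count so noisy clients stand out."""
    findings = [f for f in map(classify, lines) if f is not None]
    return findings, Counter(f[0] for f in findings)


# Constructed sample log: one host using a public resolver directly, one using
# DoH and DoT, plus ordinary traffic and a malformed line that must be skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=10.0.0.12 dst=10.0.0.53 proto=udp dport=53
2024-05-01T10:00:02Z src=10.0.0.12 dst=8.8.8.8 proto=udp dport=53
2024-05-01T10:00:03Z src=10.0.0.40 dst=203.0.113.1 proto=tcp dport=443
2024-05-01T10:00:04Z src=10.0.0.40 dst=203.0.113.9 proto=tcp dport=853
2024-05-01T10:00:05Z src=10.0.0.12 dst=198.51.100.5 proto=tcp dport=443
this line is not in the expected format
"""
```

Run against real exports, the per-host counter is the useful output: a single stray lookup is usually a misconfigured device, while a host with hundreds of findings is a changed DNS setting or malware worth a look.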
To address these limitations, it’s important to adopt a layered security strategy. Endpoint security solutions such as managed detection and response (MDR) can help monitor and block malicious behavior on devices, catching threats that slip past the DNS filter. Network-level defenses like firewalls provide a critical layer of protection by analyzing the actual data traffic for signs of an attack. Secure web gateways and content filtering tools go further by inspecting the content of web pages, ensuring that harmful payloads are caught even if the domain appears benign.