Share this
DNSFilter Seeing Increased Malicious Activity
by Serena Raymond on May 26, 2023 8:30:00 AM
Over the last week, DNSFilter has seen an increase in phishing attempts. In addition, we’re keeping an eye on a lot of cyber attacks that are getting reported including advanced phishing attacks, PTO phishing attacks, pig butchering and the targeted attacks on critical infrastructure.
Being a highly customizable product, administrators create policies to ensure they are in line with your organization's or clients’ needs. We encourage our customers to regularly review configured policies within DNSFilter as your needs change and as we add new options.
In order to help improve the overall security of your organization, we wanted to highlight some policy options that may not be as well known.
Let’s start with some options to block newly seen domains by DNSFilter:
- New Domains - Domains which have been registered in the last 30 days and which have a high probability of serving malicious resources
- Very New Domains - Domains which have been registered in the last 24 hours which have a high probability of serving malicious resources.
*Note: For a domain to be categorized as New or Very New, it needs to be seen (resolved) by DNSFilter first.
One additional option to further increase protection for newly registered domains but not yet seen (resolved) by DNSFilter is under the Extra Settings section:
- Block Uncategorized Sites - This setting controls whether or not to block domains that the system has not classified (including newly-registered domains). It is off by default because many Content Servers and Content Distribution Networks (CDNs) are served from domains that have no web content to scan but are important to end user experience (Office Online documents, Dropbox uploads etc)
*Note: Because the Block Uncategorized Sites category can impact the user experience, we recommend turning it on individually after a policy is applied and monitoring results.
Another option that may be helpful for any resolved domain is blocking parked domains:
- Parked Sites & Domains - These are sites which are not displaying legitimate content, but instead are showing "Parked" pages with common search terms, "Under Construction" messages, or a list of advertisements. In some cases, these may be newly registered domains. This setting is off by default.
Lastly, with Google introducing new top-level domains, attacks are already being seen on these new domains. DNSFilter can block TLDs simply by entering the TLD (without a ‘.’) in the Block List. For example, to block the entire “.zip” TLD, you would enter “zip” in the Block List.
To summarize some suggested policy configurations:
Baseline Threat Protection | Advanced Threat Protection |
---|---|
Botnet | Botnet |
Cryptomining | Cryptomining |
Malware | Malware |
Very New Domains | New Domains |
Phishing & Deception | Phishing & Deception |
Proxy & Filter Avoidance | Proxy & Filter Avoidance |
Translation Sites | |
Extra Settings: Block Uncategorized Sites | |
Extra Settings: Parked Sites and Domains |
*Note: For Advanced Protection, turn on the categories under Extra Settings individually after applying baseline protection. Watch for tickets generated from users as well as our Query Log to decide if they should remain on. Security is always a balance between protection and usability. Your users need to have enough access to get their work done, in an environment that restricts them from accessing harmful content.
Lastly, no security vendor can guarantee 100% protection, so we encourage organizations to use a layered approach for security which includes security awareness training.
Share this

The impending Cisco Umbrella RC End-of-Life has many Umbrella users concerned about their next steps and questioning which protective DNS solution might be able to fill the gap for their organization.

Industry State of the Art
This month there was a high level of focus on compliance issues spanning several focus areas from governments and oversight agencies around the world. And while there were actions taken with regard to specific vulnerabilities, a larger spotlight was placed on bigger picture security considerations in a more general context.

TL;DR: SASE is broadening—it is about more than just access! It is about endpoint protection and user-based access…and it's called Security Service Edge (SSE). All of the aspects of the joint NSA and CISA guidance on Protective DNS (PDNS) and user-level policies are part of the secure category, originally launched by Gartner in January 2022. Regardless, it’s been interesting to see the NSA and CISA create guidance recognizing the breadth of cyber...