As mentioned in our earlier blog post, DNSFilter is focused on servicing MSP’s and operators of multiple networks. We will discuss how and why DNSFilter is right for this job. However, what if you are not a managed service provider? Here are our picks for the best DNS content filtering solutions out there depending on your need:
Home users typically have the most basic requirements. As a home user, you are most likely simply trying to secure your home network against being able to visit adult web sites and inappropriate content, in order to keep the internet safer for your children. In this case, I would suggest OpenDNS’s Family Shield service. This is a “set it and forget it” method. Simply point your home router to their DNS servers and filtering will occur against adult content. If you need something more involved than this, or want to see statistics then perhaps it’s time to look at DNSFilter, or OpenDNS’s next level product — HomeVIP. HomeVIP is essentially the deprecated version/pre-cursor to Umbrella.
DNSFilter is focused on providing the best solution for managed service providers (MSPs), operators of multiple networks, wireless ISPs (WISPs), ISPs and small and mid-level organizations. These networks are typically bring-your-own-device (BYOD) networks.
Essentially, any customer looking to provide content filtering and threat protection that must be backed by analytics and a strong anycast network for global or regional reach is the perfect customer for DNSFilter. Our strong suit is the ability to provide transparent pricing, a clean interface and the ability to get you up and running faster than any other provider on the market.
Where DNSFilter currently starts to become a second choice is in the Enterprise market, in my opinion. This is not due to scale — we can handle billions of requests. The situation in which DNSFilter may not be the primary choice for an Enterprise really only comes into play if the Enterprise is looking to provide on-device protection by deploying user agents/programs that control the device’s DNS settings and force requests through a DNS content filter even when the device is out of the network. In most cases, OpenDNS’s umbrella solution is best for this.
However, that being said, DNSFilter can provide the same functionality using third party software. Here are a few examples of software that can be used on your devices to stick with DNSFilter for content filtering while traveling outside of your network:
iOS: DNS Override
Android: DNS Changer and Dynamic DNS Updater
While appliance based content filtering devices such as those produced by Barracuda, Websense, Palo Alto Networks or Fortinet can be functional, I simply cannot recommend them for most of our target customers. It is my feeling that any appliance-based service is moving towards deprecation industry-wide, at least as a majority. The downsides of an appliance is that it costs a lot of money upfront, you must maintain it, there are license fees and support fees forever. Finally, it can also become a point of slowdown on your network as traffic increases.
That being said, DNS filtering does have its limits. It’s part of the ‘onion layers of security’. For a BYOD network, having Network Address Translation (NAT) in place, along with a DNSFilter, is a great first step. Since you don’t control the end-points, you can’t force them to have anti-virus protection; but DNSFiltering can help limit the extent of damage infected nodes can do to the network. By limiting Command and Control botnet connectivity, you can prevent infected nodes from participating in Denial of Service attacks, sending spam, and other malicious actions which can degrade the performance of your network, and cause you to deal with notices from your ISP.
Corporate networks, where they own and control end-points have more control, and have additional layers of security to consider, but often fall victim to those protections being at the office. When increasingly mobile staff is on the road, at a hotel with their company laptop, they also need protection. This is where you need to make sure your only layers of protection are not ‘big boxes’ looking at network traffic at the office.