Currently we recommend non-profits utilize our Pro plan. This provides great protection at an affordable price. We do offer cost-breaks for larger organizations. Contact sales@dnsfilter.com to learn more.
Yes, DNSFilter provides the easiest CIPA compliance on the market. With just one click, you can block all content necessary to become CIPA compliant and become eligible for e-rate funding. Learn more here: https://fltr.ai/4H-f
Yes! With DNSFilter, you will be able to implement DNS security anywhere in the world—particularly when you use our Roaming Clients deployment. We provide three different methods of implementation based on your needs, meaning you can get DNS protection at all of your locations and when you leave the office.
Yes. Our team can walk you through network deployment. Contact us at sales@dnsfilter.com to set up an initial discovery call.
Yes. We have a detailed integration guide for this use case. Contact us at sales@dnsfilter.com to set up an initial discovery call.
Yes, each partner commits to spend a minimum of $50 each month on user licenses.
Partners receive a discount based on volume. Detailed pricing will be sent to you after trial signup.
Start with a free trial. Select MSP/ISP as your industry during your free trial signup. A link to the partner program application is available under the main navigation in the dashboard if you select MSP as your industry during signup. Use this link directly for any industry (https://app.dnsfilter.com/settings/billing-info/partner-program). Complete the form, and after our review of your application and approval into the program, you can access the multi-tenant/MSP dashboard. Feel free to test policies and deployments in the single organization account created on signup, but note that transferring policies, sites, and roaming clients to other sub organizations after partner activation is not possible. A sub organization matching the name of the MSP account is available for internal use and/or testing.
DNSFilter is AI-based threat protection that stops threats at the DNS level. N-able partnered with DNSFilter because of our robust threat protection against phishing, ransomware, and zero-day attacks. DNSFilter is the fastest DNS resolver in North America and identifies threats as early as 7 days ahead of other threat feeds.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub category you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on device in seconds. Browser and operating system caching can prolong a policy update so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (and not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), this means you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility of application activity on their network and lets them take immediate and proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a user's click and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave your secure network, to enforce device-level policies (like different policies for IT managers or executives), and to get device-level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem or in the cloud using Azure AD. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency, as they are on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
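The query-analysis approach described above (query volume compared against a normal benchmark), sketched as an added example; it is not DNSFilter's code. It goes one step beyond the text by also requiring that the subdomains be almost all distinct and high-entropy, so a busy but ordinary hostname is not flagged. The log format, thresholds, baseline values and the last-two-labels zone rule are assumptions, and the log lines are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_qname(qname):
    """Return (subdomain, parent zone).

    Assumption: the parent zone is the last two labels. Production code
    should consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarize(lines):
    """Count queries and collect distinct subdomains per (client, parent zone)."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines
            continue
        _time, client, qname, _qtype = parts
        sub, parent = split_qname(qname)
        entry = stats[(client, parent)]
        entry["queries"] += 1
        if sub:
            entry["subs"].add(sub)
    return stats


def find_tunnel_suspects(lines, baseline_counts, z_threshold=3.0,
                         min_unique_ratio=0.8, min_entropy=3.5):
    """Flag (client, zone) pairs whose query volume is far above the baseline
    AND whose subdomains are nearly all distinct and high-entropy."""
    mu = mean(baseline_counts)
    sigma = pstdev(baseline_counts) or 1.0  # avoid division by zero
    suspects = []
    for (client, parent), entry in sorted(summarize(lines).items()):
        z = (entry["queries"] - mu) / sigma
        unique_ratio = len(entry["subs"]) / entry["queries"]
        entropy = shannon_entropy("".join(entry["subs"]).replace(".", ""))
        if (z >= z_threshold and unique_ratio >= min_unique_ratio
                and entropy >= min_entropy):
            suspects.append({"client": client, "zone": parent,
                             "queries": entry["queries"],
                             "z_score": round(z, 1),
                             "entropy": round(entropy, 2)})
    return suspects


# Constructed baseline: queries per (client, zone) per window on a normal day.
BASELINE_COUNTS = [4, 6, 5, 7, 3, 5, 6, 4]


def build_sample_log():
    """Constructed 'HH:MM:SS client qname qtype' lines for one window."""
    lines = [f"09:00:{i:02d} 10.0.0.5 www.example.com A" for i in range(6)]
    # High volume, but always the same name: noisy, not a tunnel.
    lines += [f"09:01:{i:02d} 10.0.0.7 api.example.org A" for i in range(30)]
    # High volume of unique, random-looking labels under one zone.
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:32]
        lines.append(f"09:02:{i:02d} 10.0.0.9 {label}.cdn-sync.example TXT")
    return lines


if __name__ == "__main__":
    for suspect in find_tunnel_suspects(build_sample_log(), BASELINE_COUNTS):
        print(suspect)
```

In practice the baseline would come from the same network's own query logs over a quiet period, and the thresholds would be tuned against it.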
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the darkweb, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC), or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copy cat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copy cat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
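An added example, not DNSFilter's code, that flags the lookalike patterns described above (digit-for-letter swaps such as m1cr0soft, one-character typos such as Addidas, and TLD swaps) and applies the 30-day new-domain rule to everything else. The watchlist, function names, registration dates and the one-edit threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed watchlist of registrable names to protect (assumption).
PROTECTED = ["microsoft.com", "amazon.com", "adidas.com"]

# Digits and symbols often swapped in for letters. "1" is folded to "i" here;
# a "1"-for-"l" swap is still caught by the one-edit check in classify().
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "$": "s"})


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_name(domain):
    """Refang a domain and return (label, tld); label sits left of the TLD.

    Assumption: single-label TLDs only. A production check would consult the
    Public Suffix List to handle names such as example.co.uk.
    """
    name = domain.lower().replace("[dot]", ".").replace("[.]", ".").strip(".")
    rest, _, tld = name.rpartition(".")
    return rest.rsplit(".", 1)[-1], tld


def classify(domain, protected=PROTECTED, max_edits=1):
    """Return (verdict, protected_name). A hit is a lead for review, not proof."""
    label, tld = split_name(domain)
    targets = [(t, *split_name(t)) for t in protected]
    for target, t_label, t_tld in targets:
        if (label, tld) == (t_label, t_tld):
            return ("legitimate", target)
    folded = label.translate(LOOKALIKES)
    for target, t_label, _ in targets:
        if label == t_label:
            return ("tld-swap", target)
        if folded == t_label:
            return ("character-substitution", target)
        if osa_distance(folded, t_label) <= max_edits:
            return ("typo", target)
    return ("no-match", None)


def is_newly_registered(registered_on, today, window_days=30):
    """True when the domain was registered inside the last window_days days."""
    return (today - registered_on).days < window_days


def triage(domain, registered_on, today):
    """Combine the lookalike check with the new-domain rule."""
    verdict, target = classify(domain)
    if verdict == "legitimate":
        return "allow"
    if verdict != "no-match":
        return f"block: {verdict} of {target}"
    if is_newly_registered(registered_on, today):
        return "block: new domain"
    return "allow"


if __name__ == "__main__":
    today = date(2024, 6, 30)  # constructed dates for the demo
    samples = [("m1cr0soft[dot]com", date(2024, 6, 25)),
               ("addidas.com", date(2019, 3, 1)),
               ("amazon.top", date(2024, 6, 1)),
               ("example.org", date(2024, 6, 20)),
               ("www.amazon.com", date(1994, 11, 1))]
    for name, registered in samples:
        print(f"{name:22} {triage(name, registered, today)}")
```

In practice the registration date would come from WHOIS or RDAP data, and one-edit matches on short names need manual review because unrelated brands can sit one character apart.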
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with a solution that uses machine learning to perform deep inspection of DNS traffic, you achieve greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall style features like SSL decryption, and has integrations with high value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
Nation-state attacks. Cryptocurrency. The pandemic. These are just a few of the trends that defined cybersecurity over the last year. We've compiled research based on these trends in our annual Domain Threat Report.
DNS poisoning or spoofing is done when an attacker intercepts a DNS request and sends a fabricated (poisoned) response to the client. How do you fight it? DNS encryption, DNSSEC—all features of DNSFilter.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub category you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on device in seconds. Browser and operating system caching can prolong a policy update so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (and not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), this means you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware allows users to have real-time visibility of application activity on their network, as well as taking immediate and proactive actions to block apps which do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a click from a user and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave the secure network, to enforce device-level policies (like different policies for IT managers or executives), and to get device-level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem or, using Azure AD, in the cloud. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency, as they are on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
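The query analysis described above, as an added example that is not DNSFilter's detection logic: it compares each client's query count in a one-minute window against a per-client benchmark and, going beyond the text, also requires many unique, long, high-entropy subdomains under one parent domain so that a merely busy client is not flagged. The log, benchmark values, thresholds and names are constructed assumptions.

```python
import hashlib
import math
import statistics
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_qname(qname):
    """Return (subdomain, parent). Parent is the last two labels, an assumption
    that ignores multi-label public suffixes such as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def build_sample_log():
    """Constructed one-minute window of (client, qname) pairs."""
    log = [("10.0.0.7", q) for q in (
        "www.example.com", "mail.example.com", "www.example.org",
        "cdn.example.net", "www.example.com", "api.example.com")]
    # Busy but benign client: many queries, few distinct short names.
    log += [("10.0.0.9", f"img{i % 4}.cdn-example.test") for i in range(60)]
    # Client sending long, unique, random-looking labels to one parent domain.
    # The hex strings are stand-ins for encoded data; nothing is encoded here.
    log += [("10.0.0.23", hashlib.sha256(str(i).encode()).hexdigest()[:40]
             + ".tunnel-example.test") for i in range(40)]
    log += [("10.0.0.23", "www.example.com")] * 5
    return log


# Constructed benchmark: queries per minute seen from each client on normal days.
BASELINE = {
    "10.0.0.7": [5, 6, 7, 5, 6, 6],
    "10.0.0.9": [8, 10, 9, 11, 10, 9],
    "10.0.0.23": [4, 6, 5, 7, 5, 6, 4, 5],
}


def rate_zscore(count, history):
    """Standard deviations by which this window's count exceeds the benchmark."""
    sigma = statistics.pstdev(history) or 1.0
    return (count - statistics.mean(history)) / sigma


def detect(log, baseline, z_limit=3.0, min_unique=20, min_len=30, min_entropy=3.0):
    """Return one finding per (client, parent domain) that looks like tunneling."""
    per_client = Counter(client for client, _ in log)
    groups = defaultdict(list)
    for client, qname in log:
        sub, parent = split_qname(qname)
        if sub:
            groups[(client, parent)].append(sub)

    findings = []
    for (client, parent), subs in sorted(groups.items()):
        history = baseline.get(client)
        if not history:
            continue  # no benchmark for this client, so frequency cannot be judged
        z = rate_zscore(per_client[client], history)
        unique = len(set(subs))
        mean_len = statistics.mean(len(s) for s in subs)
        mean_entropy = statistics.mean(shannon_entropy(s) for s in subs)
        if (z > z_limit and unique >= min_unique
                and mean_len >= min_len and mean_entropy >= min_entropy):
            findings.append({"client": client, "parent": parent,
                             "queries": len(subs), "unique_subdomains": unique,
                             "rate_z": round(z, 1),
                             "mean_entropy": round(mean_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect(build_sample_log(), BASELINE):
        print(finding)
```

Client 10.0.0.9 exceeds its benchmark by a wide margin yet is not reported, because its 60 queries cover only four short names; frequency alone would have produced a false positive there.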
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the darkweb, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but also stops “callbacks” from malware to host servers. If a ransomware package does land on your computer, this removes its ability to be deployed and take over the machine.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC), or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copy cat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copy cat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
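The lookalike patterns described above (character swaps such as m1cr0soft, a changed TLD, a one-letter misspelling such as Addidas) can be checked against a list of domains you want to protect. The following is an added example, not DNSFilter code; the protected list, the character map and the function names are assumptions, and the registered domain is taken naively as the last two labels.

```python
# Constructed list of domains the organization wants to protect (assumption).
PROTECTED = ["microsoft.com", "amazon.com", "adidas.com"]

# Fold common digit/symbol stand-ins back to letters; "l" and "1" both
# collapse to "i" so that l/i/1 swaps compare as equal.
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "$": "s"})


def split_domain(domain):
    # Assumption: last label is the TLD, the one before it is the name.
    # A production check should use the Public Suffix List.
    labels = domain.strip(".").lower().split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def skeleton(name):
    return name.translate(FOLD)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED):
    """Return (imitated domain, reason), or None if nothing looks suspicious."""
    name, tld = split_domain(domain)
    for brand in protected:
        b_name, b_tld = split_domain(brand)
        if name == b_name and tld == b_tld:
            return None  # the protected domain itself, or one of its subdomains
        if name == b_name:
            return brand, "tld-swap"
        if skeleton(name) == skeleton(b_name):
            return brand, "lookalike-characters"
        # Short names produce too many near misses, so require some length.
        if len(b_name) >= 5 and edit_distance(skeleton(name), skeleton(b_name)) <= 1:
            return brand, "edit-distance"
    return None


def scan(queried_domains):
    """Return [(queried domain, imitated domain, reason)] for suspicious names."""
    findings = []
    for domain in queried_domains:
        hit = classify(domain)
        if hit:
            findings.append((domain, hit[0], hit[1]))
    return findings


# Constructed sample of names seen in DNS query logs.
SAMPLE_QUERIES = ["login.microsoft.com", "m1cr0soft.com", "microsoft.info",
                  "addidas.com", "example.org"]

if __name__ == "__main__":
    for row in scan(SAMPLE_QUERIES):
        print(row)
```

A name that only matches on edit distance deserves a manual look before blocking, since unrelated legitimate domains can sit one letter away from a brand.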
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with protection that uses machine learning to perform deep inspection of that traffic, you achieve greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall-style features like SSL decryption, and has integrations with high-value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub category you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on device in seconds. Browser and operating system caching can prolong a policy update so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility of application activity on their network and lets them take immediate, proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a user's click and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed by the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave the secure network, to enforce device-level policies (like different policies for IT managers or executives), and to get device-level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem or, using Azure AD, in the cloud. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency, as they are on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed by the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
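The query and traffic analysis described above, as an added example (not DNSFilter's detection code): it learns a per-client queries-per-minute ceiling from a baseline log, then flags clients that exceed it while sending long, high-entropy, mostly unique subdomains under one domain. The log format, thresholds, client addresses and `.test` names are assumptions constructed for the example.

```python
import hashlib
import math
import statistics
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def split_name(qname):
    """Return (subdomain, base_domain). Simplification: the base is the last
    two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def parse(lines):
    """Yield (epoch, client, qname) from 'epoch client qname qtype' lines
    (an assumed log format); malformed lines are skipped."""
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and fields[0].isdigit():
            yield int(fields[0]), fields[1], fields[2]

def per_minute(lines):
    """Map client -> Counter of queries per one-minute bucket."""
    buckets = defaultdict(Counter)
    for ts, client, _ in parse(lines):
        buckets[client][ts // 60] += 1
    return buckets

def rate_ceilings(baseline_lines, sigmas=3.0):
    """Per-client queries-per-minute ceiling learned from normal traffic."""
    ceilings = {}
    for client, minutes in per_minute(baseline_lines).items():
        counts = list(minutes.values())
        mean = statistics.mean(counts)
        # Floor at 2x the mean so a flat baseline still leaves headroom.
        ceilings[client] = max(mean + sigmas * statistics.pstdev(counts), 2 * mean)
    return ceilings

def rate_anomalies(baseline_lines, window_lines, default_ceiling=30):
    """Clients whose busiest minute exceeds their baseline ceiling."""
    ceilings = rate_ceilings(baseline_lines)
    return {client for client, minutes in per_minute(window_lines).items()
            if max(minutes.values()) > ceilings.get(client, default_ceiling)}

def detect_tunneling(baseline_lines, window_lines, min_queries=10,
                     min_len=24, min_entropy=3.0, min_unique=0.9):
    """Return sorted (client, base_domain) pairs: the client is over its rate
    baseline AND its subdomains under that domain look like encoded data."""
    noisy = rate_anomalies(baseline_lines, window_lines)
    subs_by_pair = defaultdict(list)
    for _, client, qname in parse(window_lines):
        sub, base = split_name(qname)
        subs_by_pair[(client, base)].append(sub.replace(".", ""))
    findings = []
    for (client, base), subs in subs_by_pair.items():
        if client not in noisy or len(subs) < min_queries:
            continue
        unique_ratio = len(set(subs)) / len(subs)
        mean_len = statistics.mean(len(s) for s in subs)
        mean_entropy = statistics.mean(shannon_entropy(s) for s in subs)
        if (unique_ratio >= min_unique and mean_len >= min_len
                and mean_entropy >= min_entropy):
            findings.append((client, base))
    return sorted(findings)

def build_sample():
    """Constructed logs (not real traffic): a baseline and a detection window."""
    sites = ["www.example.test", "mail.example.test", "cdn.static.test", "api.shop.test"]
    clients = ("10.0.0.5", "10.0.0.7", "10.0.0.9")
    baseline, window = [], []
    for minute in range(10):
        for client in clients:
            for i in range(5 + minute % 3):        # 5 to 7 queries per minute
                baseline.append(f"{minute * 60 + i} {client} {sites[i % 4]} A")
    for minute in range(2):
        t = 6000 + minute * 60
        for i in range(6):                         # every client keeps browsing
            for client in clients:
                window.append(f"{t + i} {client} {sites[i % 4]} A")
        for i in range(40):
            # 10.0.0.9: benign burst of short names spread over many domains
            window.append(f"{t + i} 10.0.0.9 www.site{i}.test A")
            # 10.0.0.7: unique hex labels under one domain, the tunneling shape
            label = hashlib.sha1(f"{minute}-{i}".encode()).hexdigest()
            window.append(f"{t + i} 10.0.0.7 {label}.tunnel-demo.test TXT")
    return baseline, window

if __name__ == "__main__":
    baseline, window = build_sample()
    print("over rate baseline:", sorted(rate_anomalies(baseline, window)))
    print("likely tunneling:  ", detect_tunneling(baseline, window))
```

The benign burst from 10.0.0.9 trips the rate check but not the name-shape check, which is why the two signals are combined before anything is reported.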
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device, usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the dark web, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC) or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copy cat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copy cat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
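An added example (not DNSFilter's classifier) of how a defender can flag the lookalike patterns described above against a list of domains to protect: character substitution as in m1cr0soft[dot]com, single-character typos, and TLD swaps. The protected list, the confusable-character table and the sample queries are assumptions constructed for the example.

```python
# Domains to protect (assumed list; the last entry is the page's placeholder).
PROTECTED = ["microsoft.com", "amazon.com", "adidas.com", "company-name-here.com"]

# Characters or pairs that read alike, folded to one canonical form.
CONFUSABLE = {"0": "o", "1": "l", "i": "l", "5": "s", "3": "e", "rn": "m", "vv": "w"}

def skeleton(name):
    """Fold look-alike characters so 'm1cr0soft' and 'microsoft' compare equal."""
    for src, dst in CONFUSABLE.items():
        name = name.replace(src, dst)
    return name

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def refang(domain):
    """Undo common defanging such as 'example[dot]com' or 'example[.]com'."""
    return domain.lower().replace("[dot]", ".").replace("[.]", ".").strip(".")

def classify(domain, protected=PROTECTED):
    """Return (protected_domain, reason) for a lookalike, else None.
    Simplification: the registered domain is taken as the last two labels."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    name, tld = labels[-2], labels[-1]
    if f"{name}.{tld}" in protected:
        return None                      # the real domain or one of its subdomains
    for brand in protected:
        brand_name = brand.rsplit(".", 1)[0]
        if name == brand_name:
            return brand, "tld-swap"     # same name, different TLD
        if skeleton(name) == skeleton(brand_name):
            return brand, "homoglyph"
        # Short names produce too many distance-1 neighbours, so skip them.
        if len(brand_name) >= 5 and osa_distance(skeleton(name), skeleton(brand_name)) == 1:
            return brand, "typo"
    return None

def scan(queried):
    """Return {domain: (protected_domain, reason)} for lookalikes in a query list."""
    hits = {}
    for domain in queried:
        verdict = classify(domain)
        if verdict:
            hits[domain] = verdict
    return hits

# Constructed sample of queried names, including benign ones.
SAMPLE_QUERIES = ["login.microsoft.com", "m1cr0soft[dot]com", "addidas.com",
                  "amazon.top", "company-name-here[dot]info", "example.test"]

if __name__ == "__main__":
    for domain, (brand, reason) in scan(SAMPLE_QUERIES).items():
        print(f"{domain:28} looks like {brand:24} ({reason})")
```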
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with protection that uses machine learning to perform deep inspection of that traffic, you achieve greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall-style features like SSL decryption, and has integrations with high-value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
Stop zero-day threats, including new strains of malware, with DNSFilter’s advanced AI-driven domain categorization. Our DNS protection can keep your employees safe and mitigate the risk of someone within your organization falling for a malicious campaign.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub category you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on device in seconds. Browser and operating system caching can prolong a policy update so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (and not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), this means you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility of application activity on their network and lets them take immediate, proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a user's click and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave your secure network, to enforce device-level policies (like different policies for IT managers or executives), and to get device-level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that is on-prem or cloud-based using Azure AD. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency, as they are on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
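The query-analysis approach described above (query count and frequency compared against a normal benchmark, combined with a look at what the names contain) can be sketched as follows. This is an added example, not DNSFilter's detection code; the log format, thresholds, addresses and domain names are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them against your own traffic.
BASELINE_QPM = 10        # normal queries per minute, per client and zone
RATE_FACTOR = 3          # a minute above 3x the benchmark is a rate anomaly
MIN_UNIQUE_RATIO = 0.9   # tunnels rarely repeat a name: each query carries new data
MIN_AVG_LEN = 30         # encoded payloads make long subdomains
MIN_ENTROPY = 3.5        # bits per character; hex or base32 text sits above plain words


def build_sample_log():
    """Constructed log lines 'epoch_seconds client_ip qname'. Not real traffic."""
    lines = []
    names = ["www.example.com", "mail.example.com", "cdn.example.net",
             "www.example.com", "api.example.org"]
    for i, name in enumerate(names):            # ordinary workstation
        lines.append(f"{1020 + i * 10} 10.0.0.5 {name}")
    for i in range(50):                         # busy but benign: one name repeated
        lines.append(f"{1020 + i} 10.0.0.7 www.example.com")
    for i in range(60):                         # tunnel-like: unique encoded labels
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"{1020 + i} 10.0.0.9 {chunk}.t.tunnel-zone.example")
    return lines


def split_zone(qname):
    """Naive (subdomain, zone) split on the last two labels.
    Assumption for the example; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(text):
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return sum((n / total) * math.log2(total / n) for n in Counter(text).values())


def analyze(lines):
    """Return one finding per (client, zone, minute) whose rate exceeds the benchmark."""
    groups = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue                            # skip malformed lines, keep going
        sub, zone = split_zone(parts[2])
        groups[(parts[1], zone, int(parts[0]) // 60)].append(sub)

    findings = []
    for (client, zone, _minute), subs in sorted(groups.items()):
        count = len(subs)
        if count <= BASELINE_QPM * RATE_FACTOR:
            continue                            # query rate is within the benchmark
        unique_ratio = len(set(subs)) / count
        avg_len = sum(len(s) for s in subs) / count
        entropy = shannon_entropy("".join(s.replace(".", "") for s in set(subs)))
        # Rate alone also fires on chatty but harmless hosts, so require that the
        # names look like carried data before calling it a tunnel suspect.
        payload_like = unique_ratio >= MIN_UNIQUE_RATIO and (
            avg_len >= MIN_AVG_LEN or entropy >= MIN_ENTROPY)
        findings.append({
            "client": client, "zone": zone, "queries": count,
            "unique_ratio": round(unique_ratio, 2), "avg_len": round(avg_len, 1),
            "entropy": round(entropy, 2), "tunnel_suspect": payload_like,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The repeated-name client exceeds the rate benchmark but is not marked as a tunnel suspect, which is why the rate check is paired with the name-content check.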
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the darkweb, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC), or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copy cat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copy cat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
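The lookalike patterns described in the typosquatting answers above (character substitution as in m1cr0soft[dot]com, a swapped TLD as in company-name-here[dot]info, and a one-letter slip as in Addidas) can be checked against a list of domains you want to protect. This is an added example, not DNSFilter's classifier; the protected list, the substitution table and the function names are assumptions.

```python
# Characters that are commonly swapped for look-alikes. Both sides of a
# comparison are reduced to the same "skeleton", so i, l and 1 all collapse to l.
SKELETON_MAP = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t"})
MIN_LEN_FOR_EDIT = 5   # short labels produce too many accidental near-matches


def split_domain(domain):
    """Return (registrable label, TLD) using the last two labels.
    Naive on purpose; real deployments should use the Public Suffix List."""
    labels = domain.lower().replace("[dot]", ".").strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def skeleton(label):
    """Collapse look-alike characters and sequences into one canonical form."""
    s = label.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(SKELETON_MAP).replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(candidate, protected):
    """Return [(protected_domain, reason)] for every brand the candidate imitates.
    An exact match (including a subdomain of the real domain) returns []."""
    c_label, c_tld = split_domain(candidate)
    hits = []
    for brand in protected:
        b_label, b_tld = split_domain(brand)
        if (c_label, c_tld) == (b_label, b_tld):
            return []                                   # the genuine domain
        if c_label == b_label:
            hits.append((brand, "tld-swap"))            # same name, different TLD
        elif skeleton(c_label) == skeleton(b_label):
            hits.append((brand, "homoglyph"))           # look-alike characters
        elif len(b_label) >= MIN_LEN_FOR_EDIT and osa_distance(c_label, b_label) <= 1:
            hits.append((brand, "edit-distance"))       # one typo away
    return hits


if __name__ == "__main__":
    # Constructed watchlist and candidates, taken from the examples in the text.
    protected = ["microsoft.com", "adidas.com", "company-name-here.com"]
    for name in ["m1cr0soft[dot]com", "company-name-here[dot]info", "addidas.com",
                 "micorsoft.top", "www.microsoft.com", "example.org"]:
        print(name, classify(name, protected))
```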
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with a solution that uses machine learning to perform deep inspection of DNS traffic, achieving greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall-style features like SSL decryption, and has integrations with high-value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub category you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on the device in seconds. Browser and operating system caching can delay a policy update, so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (and not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), this means you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility of application activity on their network and lets them take immediate and proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a user's click and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions (DNSSEC) is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave your secure network, to enforce device level policies (like different policies for IT managers or executives), and to get device level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem, or in the cloud using Azure AD. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency because those payments are recorded on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
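One way to run the query analysis described above, as an added example (not DNSFilter's detection code): it compares each client's per-minute query rate against a benchmark built from known-good traffic, then confirms with the shape of the queried names. The log format, client addresses, domain names and thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

B32 = "abcdefghijklmnopqrstuvwxyz234567"


def normal_traffic(client, minutes):
    """Constructed benign traffic: a few repeated lookups per minute."""
    rows = []
    for minute in minutes:
        rows += [(minute, client, "www.example.com")] * 2
        rows.append((minute, client, "mail.example.org"))
    return rows


def opaque_label(i, length=40):
    """Constructed stand-in for an encoded chunk: long, unique, high entropy."""
    return "".join(B32[(i * 7 + j * 11) % 32] for j in range(length))


# Constructed sample data, (minute, client_ip, queried_name). Not real traffic.
BASELINE_LOG = normal_traffic("10.0.0.11", range(5)) + normal_traffic("10.0.0.12", range(5))
OBSERVED_LOG = (
    normal_traffic("10.0.0.11", range(2))
    # Busy but benign: one name repeated many times in a minute.
    + [(0, "10.0.0.12", "www.example.com")] * 12
    # Tunnel-like: many unique, long, random-looking names under one domain.
    + [(0, "10.0.0.23", f"{opaque_label(i)}.tunnel-test.example") for i in range(30)]
)


def split_name(name):
    """Return (subdomain, registered domain) using the last two labels.
    Assumption: production code would use the Public Suffix List instead."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than 'www'."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def baseline_rate(log):
    """Benchmark: mean and std-dev of queries per (client, domain, minute)."""
    buckets = Counter((c, split_name(n)[1], m) for m, c, n in log)
    rates = list(buckets.values())
    return mean(rates), pstdev(rates)


def find_tunnel_candidates(log, base_mean, base_std,
                           z_min=3.0, unique_min=0.9, entropy_min=3.5):
    """Flag (client, domain) pairs whose peak per-minute rate is far above the
    benchmark AND whose subdomains are mostly unique and high entropy."""
    pairs = defaultdict(list)
    for minute, client, name in log:
        sub, domain = split_name(name)
        pairs[(client, domain)].append((minute, sub))
    findings = []
    for (client, domain), rows in sorted(pairs.items()):
        peak = max(Counter(m for m, _ in rows).values())
        z = (peak - base_mean) / (base_std or 1.0)
        subs = [s for _, s in rows]
        unique_ratio = len(set(subs)) / len(subs)
        entropy = mean(shannon_entropy(s) for s in subs)
        if z >= z_min and unique_ratio >= unique_min and entropy >= entropy_min:
            findings.append({"client": client, "domain": domain, "peak_per_min": peak,
                             "z": round(z, 1), "unique_ratio": unique_ratio,
                             "mean_entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    base_mean, base_std = baseline_rate(BASELINE_LOG)
    for finding in find_tunnel_candidates(OBSERVED_LOG, base_mean, base_std):
        print(finding)
```

The busy client that repeats one name is above the rate benchmark but is not flagged, because its names are neither unique nor high entropy; rate alone would have produced a false positive.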
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the darkweb, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC), or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/ DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copycat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copycat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
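The look-alike patterns named above (digit-for-letter swaps such as m1cr0soft[dot]com, a .com swapped for .info or .top, and one-character typos such as Addidas) can be checked mechanically against a list of brands you care about. This is an added example, not DNSFilter's classifier; the protected list, the character folding table and the function names are assumptions.

```python
# Assumption: the brands an organization wants to protect.
PROTECTED = ["microsoft.com", "amazon.com", "adidas.com"]

# Characters commonly swapped for look-alikes; both sides are folded the same way.
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample queries, including the defanged form used in the text.
SAMPLE_QUERIES = ["m1cr0soft[dot]com", "microsoft.info", "addidas.com",
                  "www.microsoft.com", "login.amaz0n.com", "example.org"]


def refang(name):
    """Undo '[dot]' defanging and normalize case and the trailing dot."""
    return name.replace("[dot]", ".").replace("[.]", ".").strip().lower().rstrip(".")


def split_registered(name):
    """Return (name label, TLD) from the last two labels.
    Assumption: production code would use the Public Suffix List instead."""
    labels = name.split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(queried):
    """Return (protected_domain, reason) for a look-alike, or None."""
    name, tld = split_registered(refang(queried))
    targets = [split_registered(p) + (p,) for p in PROTECTED]
    if any((name, tld) == (pname, ptld) for pname, ptld, _ in targets):
        return None  # the real domain, or a subdomain of it
    for pname, ptld, protected in targets:
        if name == pname:
            return protected, "tld-swap"
        if name.translate(FOLD) == pname.translate(FOLD):
            return protected, "homoglyph"
        if edit_distance(name, pname) <= 1:
            return protected, "edit-distance"
    return None


def scan(queries):
    """Map each suspicious query to the brand it imitates and why."""
    return {q: hit for q in queries if (hit := classify(q)) is not None}


if __name__ == "__main__":
    for query, (brand, reason) in scan(SAMPLE_QUERIES).items():
        print(f"{query:22} imitates {brand:14} ({reason})")
```

A distance threshold of 1 is noisy for very short brand names, so a deployment would normally pair this with domain age or categorization before blocking.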
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with a solution that uses machine learning to perform deep inspection of DNS traffic, you achieve greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall-style features like SSL decryption, and has integrations with high-value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~$2.20 per user with a 100-user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision-making process about which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
DNSFilter categorizes sites in real-time, including a robust malware category that includes ransomware. Block known and zero-day ransomware domains so that your employees are never in a position where harmful ransomware takes over their computers and puts your business at risk.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub-category, you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on the device in seconds. Browser and operating system caching can delay a policy update from taking effect, so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility of application activity on their network and lets them take immediate and proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a user's click and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
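The categorize-then-cross-reference logic described above can be sketched as follows. This is an added example, not DNSFilter's code: the category data is constructed, and the precedence order (allow list, then block list, then categories, then domain age) is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed categorization data: domain -> (categories, registration date).
CATEGORY_DB = {
    "example.com": ({"business"}, date(2015, 3, 1)),
    "phish.example.net": ({"phishing"}, date(2024, 1, 10)),
    "casino.example.org": ({"gambling"}, date(2019, 6, 5)),
    "fresh.example.org": ({"business"}, date(2024, 5, 20)),
}


@dataclass
class Policy:
    blocked_categories: set = field(default_factory=set)
    allow_list: set = field(default_factory=set)
    block_list: set = field(default_factory=set)
    block_new_domains: bool = False    # block domains younger than new_domain_days
    block_uncategorized: bool = False


def parents(qname):
    """Yield qname and each parent domain, most specific first, stopping before the TLD."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def evaluate(qname, policy, today, new_domain_days=30):
    """Return (action, reason). 'block' means the resolver withholds the IP address."""
    names = list(parents(qname))
    # Assumed precedence: an explicit allow entry wins over every other rule.
    if any(n in policy.allow_list for n in names):
        return ("resolve", "allow list")
    if any(n in policy.block_list for n in names):
        return ("block", "block list")
    # Use the most specific categorized name, so subdomains inherit a parent's category.
    record = next((CATEGORY_DB[n] for n in names if n in CATEGORY_DB), None)
    if record is None:
        action = "block" if policy.block_uncategorized else "resolve"
        return (action, "uncategorized")
    categories, registered = record
    hit = categories & policy.blocked_categories
    if hit:
        return ("block", "category: " + ", ".join(sorted(hit)))
    if policy.block_new_domains and (today - registered).days < new_domain_days:
        return ("block", "new domain")
    return ("resolve", "policy permits")


if __name__ == "__main__":
    policy = Policy(
        blocked_categories={"phishing", "gambling"},
        allow_list={"casino.example.org"},      # business exception for a gray-area site
        block_list={"blocked.example.com"},
        block_new_domains=True,
        block_uncategorized=True,
    )
    today = date(2024, 6, 1)
    for name in ("www.example.com", "login.phish.example.net", "www.casino.example.org",
                 "fresh.example.org", "unknown.example.net", "cdn.blocked.example.com"):
        print(name, evaluate(name, policy, today))
```

Because matching walks up the parent domains, an entry for one domain also covers its subdomains, which is why a single allow-list entry can override a category block for an entire site.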
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave the secure network, to enforce device-level policies (like different policies for IT managers or executives), and to get device-level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem or, using Azure AD, in the cloud. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency, as these payments are made anonymously on the blockchain and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
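The query and traffic analysis described above, comparing DNS query frequency against a normal-traffic benchmark, can be sketched as follows. This is an added example, not DNSFilter's detection logic: the log layout, thresholds, and sample data are constructed assumptions, and it goes one step beyond the frequency check in the text by also testing subdomain uniqueness and entropy, so a chatty but benign client is not reported as a tunnel.

```python
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev


def split_qname(qname):
    """Return (subdomain, registered_domain) using a naive last-two-labels rule.
    Assumption: production code would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def per_minute_rates(log):
    """{(client, domain): Counter{minute: queries}} from (epoch_seconds, client, qname) rows."""
    rates = defaultdict(Counter)
    for ts, client, qname in log:
        rates[(client, split_qname(qname)[1])][ts // 60] += 1
    return rates


def rate_threshold(baseline_log, k=3.0):
    """Benchmark: mean + k standard deviations of queries/minute seen in normal traffic."""
    samples = [n for minutes in per_minute_rates(baseline_log).values()
               for n in minutes.values()]
    return mean(samples) + k * pstdev(samples)


def analyse(observed_log, threshold, min_unique_ratio=0.9, min_entropy=3.0):
    """Classify each (client, domain) pair as 'normal', 'rate_anomaly' or 'likely_tunnel'."""
    subdomains = defaultdict(list)
    for _, client, qname in observed_log:
        sub, domain = split_qname(qname)
        subdomains[(client, domain)].append(sub)
    verdicts = {}
    for key, minutes in per_minute_rates(observed_log).items():
        subs = subdomains[key]
        unique_ratio = len(set(subs)) / len(subs)
        avg_entropy = mean(shannon_entropy(s) for s in subs)
        if max(minutes.values()) <= threshold:
            verdicts[key] = "normal"
        elif unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
            verdicts[key] = "likely_tunnel"   # high volume of unique, random-looking names
        else:
            verdicts[key] = "rate_anomaly"    # high volume only: worth a look, not a tunnel
    return verdicts


def constructed_baseline():
    """Constructed 'normal' traffic: two clients, one to two queries per minute per domain."""
    log = []
    for minute in range(10):
        for client in ("10.0.0.5", "10.0.0.6"):
            log.append((minute * 60, client, "www.example.com"))
            log.append((minute * 60 + 5, client, "mail.example.com"))
            if minute % 2 == 0:
                log.append((minute * 60 + 10, client, "cdn.example.net"))
    return log


def constructed_observed():
    """Constructed window containing normal, chatty-benign and tunnel-like behaviour."""
    log = [(1, "10.0.0.5", "www.example.com"), (2, "10.0.0.5", "mail.example.com")]
    # One client re-resolving the same name 30 times in a minute.
    log += [(60 + i, "10.0.0.6", "api.example.net") for i in range(30)]
    # 40 unique, high-entropy labels under one domain within a minute.
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:32]
        log.append((120 + i, "10.0.0.9", f"{label}.example.org"))
    return log


if __name__ == "__main__":
    limit = rate_threshold(constructed_baseline())
    for pair, verdict in analyse(constructed_observed(), limit).items():
        print(pair, verdict)
```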
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device, usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the dark web, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC) or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copy cat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copy cat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
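The lookalike patterns described above (digit-for-letter swaps such as m1cr0soft, TLD swaps such as .com for .top, and one-character slips such as Addidas) can be checked against observed DNS queries. This is an added example, not DNSFilter's code: the protected-domain list, the substitution table, and the function names are assumptions, and the one-label-TLD split stands in for a public suffix list.

```python
from typing import Optional

# Constructed list of domains the organization wants to protect.
PROTECTED = ("microsoft.com", "amazon.com", "adidas.com")

# Digit-for-letter substitutions commonly seen in lookalike labels (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s", "7": "t"})


def split_domain(name: str) -> tuple[str, str]:
    """Return (label, tld) of the registrable part, assuming a one-label TLD."""
    parts = name.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2: list[int] = []
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "amzaon" for "amazon".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(query: str) -> Optional[tuple[str, str]]:
    """Return (reason, imitated_domain) for a lookalike, or None if not flagged."""
    label, tld = split_domain(query)
    brands = [(brand, *split_domain(brand)) for brand in PROTECTED]
    # The genuine domain and its subdomains are never flagged.
    if any(label == b_label and tld == b_tld for _, b_label, b_tld in brands):
        return None
    for brand, b_label, _ in brands:
        if label == b_label:
            return ("tld-swap", brand)
        if label.translate(HOMOGLYPHS) == b_label:
            return ("homoglyph", brand)
        # Short labels produce too many one-edit neighbours to be useful.
        if len(b_label) >= 5 and osa_distance(label, b_label) == 1:
            return ("near-miss", brand)
    return None


def scan(queries: list[str]) -> dict[str, tuple[str, str]]:
    """Map each flagged query name to its (reason, imitated_domain)."""
    flagged = {}
    for name in queries:
        verdict = classify(name)
        if verdict:
            flagged[name] = verdict
    return flagged


if __name__ == "__main__":
    # Constructed query names for illustration.
    sample = ["www.amazon.com", "m1cr0soft.com", "amazon.top",
              "addidas.com", "amzaon.com", "example.org"]
    for name, (reason, brand) in scan(sample).items():
        print(f"{name}: {reason} of {brand}")
```

A brand name placed in a subdomain of an unrelated registrable domain is not covered by these three checks.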
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
Secure your DNS traffic with a solution that uses machine learning to perform deep inspection of DNS traffic, achieving greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall style features like SSL decryption, and has integrations with high value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
DNSFilter is AI-based threat protection that stops threats at the DNS level. N-able partnered with DNSFilter because of our robust threat protection against phishing, ransomware, and zero-day attacks. DNSFilter is the fastest DNS resolver in North America and identifies threats as early as 7 days ahead of other threat feeds.
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub category you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on the device in seconds. Browser and operating system caching can delay a policy update, so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (and not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), this means you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility of application activity on their network and lets them take immediate, proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a click from a user and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave the secure network, to enforce device level policies (like different policies for IT managers or executives), and to get device level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem or in the cloud using Azure AD. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency, as they are on the blockchain anonymously and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
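The query analysis described above, comparing DNS query frequency against a normal benchmark and looking for unusual patterns, can be sketched over resolver logs. This is an added example, not DNSFilter's detection logic: the log format, the sample lines, the benchmark of 10 queries per minute, and every threshold are assumptions to be tuned against your own traffic.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data scores higher than ordinary hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain part, parent domain), assuming a one-label TLD."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(lines, baseline_qpm=10.0, rate_factor=3.0,
                           min_unique_ratio=0.9, min_entropy=3.0):
    """Flag (client, parent domain) pairs whose query rate exceeds the benchmark.

    Assumed log format: '<epoch-seconds> <client-ip> <qname> <qtype>'.
    Severity is 'high' when the subdomains also look like encoded data
    (almost all unique, high average entropy), otherwise 'review'.
    """
    per_pair = defaultdict(lambda: {"ts": [], "subs": []})
    for line in lines:
        ts, client, qname, _qtype = line.split()
        sub, parent = split_qname(qname)
        per_pair[(client, parent)]["ts"].append(int(ts))
        per_pair[(client, parent)]["subs"].append(sub)

    findings = []
    for (client, parent), seen in sorted(per_pair.items()):
        # Treat any window shorter than a minute as one minute.
        minutes = max((max(seen["ts"]) - min(seen["ts"])) / 60.0, 1.0)
        qpm = len(seen["ts"]) / minutes
        if qpm <= baseline_qpm * rate_factor:
            continue  # within the normal traffic benchmark
        unique_ratio = len(set(seen["subs"])) / len(seen["subs"])
        entropy = sum(map(shannon_entropy, seen["subs"])) / len(seen["subs"])
        encoded = unique_ratio >= min_unique_ratio and entropy >= min_entropy
        findings.append({
            "client": client,
            "parent": parent,
            "qpm": round(qpm, 1),
            "unique_ratio": round(unique_ratio, 2),
            "avg_entropy": round(entropy, 2),
            "severity": "high" if encoded else "review",
        })
    return findings


def build_sample_log() -> list[str]:
    """Constructed log lines: one quiet client, one chatty client, one anomaly."""
    base = 1700000000
    lines = [f"{base + 10 * i} 10.0.0.5 www.example.com A" for i in range(12)]
    lines += [f"{base + i} 10.0.0.7 api.example.org A" for i in range(90)]
    for i in range(120):
        # Unique hex-like labels stand in for encoded data in the query name.
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        lines.append(f"{base + i} 10.0.0.9 {label}.example.net TXT")
    return lines


if __name__ == "__main__":
    for finding in find_tunnel_candidates(build_sample_log()):
        print(finding)
```

A rate anomaly alone is reported as "review" because busy but benign clients also exceed a fixed benchmark. The combination with near-unique, high-entropy subdomains is what raises the severity.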
“Malware” is short for “malicious software”: software meant to harm or exploit a service, network, or device, usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the dark web, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC) or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
- Blocks Malware Domains
- Blocks Phishing Domains
- Malware Domain Generation Algorithm (DGA) Protection
- Leverages machine learning or other heuristics to augment threat feeds
- Content filtering
- Supports API access for SIEM integration or custom analytics
- Web Interface dashboard
- Validates DNSSEC
- DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal of the typosquatted site is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), threat actors can bypass advertiser restrictions and trick end users. These ads often lead to malware, a practice also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copycat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copycat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with a solution that uses machine learning to perform deep inspection of DNS traffic, you achieve greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
- Slack
- Office 365 (O365)
- Gmail
- Jira
- ConnectWise
- Zendesk
- Xero
- Salesforce
- and more!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall-style features like SSL decryption, and has integrations with high-value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.
Typosquatting domains take advantage of typos of a brand's name to launch a threat. If you've ever typo'd a domain (like amazan.com) or wound up on a longtail URL using a popular company name (like twitter-plugins-buy-here-now[dot]domain), you've likely encountered a typosquatting domain.
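The typosquatting patterns named on this page (a one-letter typo such as amazan.com, digit look-alikes such as m1cr0soft[dot]com, a swapped TLD, and a brand name buried in a long hyphenated label) can each be checked from the defender's side against a list of protected brands. The following is an added example, not DNSFilter's classifier; the brand list, the character-folding table, and the distance thresholds are assumptions chosen for illustration.

```python
# Constructed sample of protected brands and their legitimate domains.
PROTECTED = {
    "amazon": "amazon.com",
    "microsoft": "microsoft.com",
    "twitter": "twitter.com",
}

# Fold visually confusable characters into one class (assumed, minimal table).
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def skeleton(label):
    """Two labels with the same skeleton look alike at a glance."""
    return label.translate(FOLD)


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) for a look-alike domain, or None."""
    name = domain.lower().replace("[dot]", ".").strip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return None
    # Assumption: registered domain = last two labels (no Public Suffix List).
    registered, label = ".".join(labels[-2:]), labels[-2]
    if registered in PROTECTED.values():
        return None  # the brand's own domain, or a subdomain of it
    for brand in PROTECTED:
        if label == brand:
            return (brand, "tld-swap")
        if skeleton(label) == skeleton(brand):
            return (brand, "homoglyph")
        if osa_distance(label, brand) <= (1 if len(brand) < 8 else 2):
            return (brand, "typo")
        if brand in label.split("-"):
            return (brand, "brand-in-longtail")
    return None


def scan(queries):
    """Return (domain, brand, reason) for every look-alike in a query list."""
    hits = []
    for domain in queries:
        verdict = classify(domain)
        if verdict:
            hits.append((domain, *verdict))
    return hits


# Constructed query list; the look-alikes are the examples quoted on the page.
CONSTRUCTED_QUERIES = [
    "aws.amazon.com",
    "amazan.com",
    "amazon.info",
    "m1cr0soft[dot]com",
    "twitter-plugins-buy-here-now[dot]domain",
    "www.example.org",
]

if __name__ == "__main__":
    for hit in scan(CONSTRUCTED_QUERIES):
        print(hit)
```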
N-able customers can now access DNS threat protection within their RMM tool. Talk to your N-able rep about adding DNSFilter to your current RMM or N-central product suite: dnsfilter_sales@solarwinds.com
For access to our REST API, you need to have a professional subscription to DNSFilter, which is a $50 monthly minimum.
Yes, we do.
Yes. DNSFilter has a multi-tenant whitelabel option. Please contact us directly so we can talk through your whitelabeling use case.
OIDC compatible single sign on, on-prem Active Directory, Azure Active Directory, SIEMs (via Splunk style HEC API), Amazon S3 data export, and Zapier.
483 million total domains are categorized. We scan 3 million domains and process 1 trillion DNS requests daily.
IAB categories are far more detailed. There are 26 major categories and 366 total sub-categories. IAB categories are most useful for detailed information about the purpose of a particular domain. They are often used by AdTech companies who need detailed IAB information on each site. Additional information is also returned via API request for IAB categories. In addition to the category and sub-category, you will receive a confidence score. Our categories represent the most common categories of sites. They are useful for creating content filters or parental controls and blocking major threats when a high level of site granularity is not required for reporting.
Domain classification confidence scores range from 0.0 (not confident) to 1.0 (very confident/manually classified). We consider anything above .006 to be “fairly confident.” Confidence scores are only returned for those who select to receive IAB categories.
Updates to your policy are reflected on device in seconds. Browser and operating system caching can prolong a policy update, so take measures to conform to your security needs.
If you want to truly block Discord to increase end user productivity (and not to mention increase security by blocking a site that is known for being a magnet for phishing attacks), this means you need to stay on top of any new domains that Discord starts using. The number might start small, only six, but as these companies grow they continue to add more domains. We’ve seen applications with thousands of associated domains. If you wanted to block Microsoft domains, Bing alone has over 50,000 associated domains—and that’s not even taking into account all of Microsoft’s other applications you might want to manage and block. AppAware gives you the power to block what you need to without adding to your workload.
Some might view VPNs as harmless tools used for remote office file access, but they’re also heavily used to bypass content filtering. Over half a million queries to VPN-related domains occur on our network daily, with only 10% of these attempts blocked. However, of the blocked access attempts, 85% are because a security filter was enabled. When your users bypass the DNS security you have in place, you increase the likelihood that a threat will take hold of that device and possibly extend to the rest of your organization. Now you can choose from seven VPN and proxy applications to block once and for all.
Peer-to-peer filesharing sites like the Pirate Bay, BitTorrent, and uTorrent are notorious for infecting computers with malware. Because the user on the other end providing you with content is external to your network, they should not be inherently trusted. This goes for professional applications such as Dropbox as well. What is hosted on these sites and shared isn’t always inspected and deemed secure—leaving your network open to compromise.
AppAware is a next-generation application-blocking tool that enables organizations to seamlessly block common security threats. AppAware gives users real-time visibility into application activity on their network and lets them take immediate and proactive action to block apps that do not align with their internal policies. AppAware is available to all Enterprise, Pro+, and MSP customers.
With AppAware, organizations can block over 100 high-risk applications—including filesharing, remote desktop and high-risk messaging apps—with a single click and instantly gain insights into the usage of every application across the network.
Content filtering is the act of blocking unwanted web content and allowing “appropriate” or “favorable” content to be visitable. Content filtering can be enabled via software or hardware. The sorting of content into “good” and “bad” is made possible through website categorization. Without the ability to categorize a website, content filtering is not possible.
Unlike URL filtering, DNS filtering blocks domains. But more than that, it actually prevents domains from resolving. This is because when a DNS request is sent and the IP address is received by the DNS resolver, it doesn’t even send that information back to the end user. While content filtering at the DNS level means all pages on a website are blocked, it is much more secure for the end user.
Content filtering isn’t just about blocking disturbing, pornographic, or gambling sites. It’s also about blocking sites that are deemed a cybersecurity threat.
Our Data Export feature allows users to export query log data to be utilized by a Security Information and Event Management (SIEM) or other tool of their choice. Exporting DNSFilter data allows an organization to aggregate relevant data from multiple sources and then take action.
DNSFilter's Data Export supports Amazon S3 buckets and also Splunk. Many SIEMs are able to pull data from an S3 bucket enabling many tools to access the exported data from DNSFilter.
At DNSFilter we use our proprietary AI tool, Webshrinker, to continuously scan more than 180,000,000 websites and determine their purpose and content type. We flag sites that potentially contain malware, ransomware, malvertising, or scams, and then allow our customers to block them. This creates a first line of defense between a click from a user and the serving of the harmful page. Additionally, we allow for one-click blocking of domains less than 30 days old.
DNS filtering gives you the ability to filter bad or unwanted content at the DNS level. DNS filtering works by categorizing every single domain you attempt to access and cross-referencing those categorizations and domain names with policies you've determined you want to block.
DNS filtering is defensive software that prevents cybersecurity threats by following simple logic: if a website has something potentially dangerous within it, DNS filtering blocks a user from visiting it in the first place. It’s a zero-trust solution that leaves nothing to chance.
Given its versatility, DNS filtering offers users advanced customization features. Depending upon the needs of your organization, you can choose which types of content are permissible and which to block, specific to your company’s needs. In addition, by enabling DNS-based web filtering, you safeguard your users against malicious content. Let’s take a look at the four main benefits of filtering DNS.
The Domain Name System Security Extensions is a security system that helps verify the origin and integrity of data moving back and forth in a DNS resolution process. Similar to how TLS/SSL works, DNSSEC uses a public/private key pair to cryptographically verify and authenticate DNS data.
With DNSSEC, every DNS request is signed and verified to protect you from exploitation, protecting your brand. DNSSEC verifies the authenticity of the parties involved in a DNS request, prevents DNS cache poisoning and makes DNS data tamper-proof.
Unfortunately, a good DNS poisoning attack will go completely unnoticed by the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Having DNSSEC implemented (and implemented properly) will help prevent these attacks.
Simplified UI consolidates multiple reports in a single view. Perform comparison of historical activity across all roaming computers and network sites. Easily see your entire DNS footprint (how many roaming clients and networks are deployed). Drill down to explore the DNS traffic from specific users and computers.
Agent counts, Server’s geolocation, User reports, Roaming client reports and Domain reports
Insights reporting is the simplest way for customers to analyze their DNS query data. Insights reporting provides you with as much detail as you need to uncover anomalies and learn more about your individual network.
A Roaming Client is a tiny piece of software that is installed on a device, where it always runs in the background. Its primary job is to do two things: 1) ensure all device DNS requests go to DNSFilter, where they can be protected and filtered, and 2) embed the device identity in the DNS requests.
In short, any device! Roaming clients can be installed on Windows, Mac, Chrome, iOS or Android devices. Due to Apple policies, iOS devices must be in “Supervised Mode” which means they won’t work with “Bring your own device” setups.
Customers primarily use Roaming Clients to ensure that devices are protected and filtered when they leave the secure network, to enforce device-level policies (like different policies for IT managers or executives), and to get device-level reporting (since the device ID is embedded in the DNS request).
Single Sign-On is an authentication protocol that allows users to sign into different software systems using a single identity. This identity is provided by third-party identity providers like Okta, OneLogin, or Azure AD.
The application you’re trying to authenticate with sets up a trust relationship with the identity provider that already has your authentication credentials. A certificate shared by the identity platform and the software you’re trying to access is used to sign identity information being shared by the two systems.
Active Directory and single sign-on (SSO) are different. Active Directory is a directory service that runs on-prem or, using Azure AD, in the cloud. SSO is a cloud-based, web app identity extension point solution. SSO is an identification/authentication service, while Active Directory is a full-fledged user and resource management technology.
We support a lot of SSO providers, ensuring that setting up SSO on your own is easy and straightforward.
Account owners can simply enter their OAuth 2.0 credentials from an IdP in the SINGLE SIGN-ON section of the SETTINGS page of their DNSFilter account. Once the values have been entered correctly, SSO can be turned on.
Cryptojacking is a malicious form of mining cryptocurrency, sometimes referred to as simply cryptomining malware. Victims of cryptojacking experience the unauthorized takeover of their computer or network so the hackers can “mine” cryptocurrency. Compared to other malicious domain techniques leveraged by threat actors, cryptojacking is relatively new.
While traditional cryptocurrency miners will use their own resources to “mine” for new cryptocurrency, cryptojackers will actually infect a distributed network of computers with malware to utilize another’s computational bandwidth. This slows down the device and, at scale, drives up energy costs.
The targets of cryptojacking attacks can be individuals, or whole organizations where hackers infiltrate and enlist masses of computational resources for their own mining operations. It’s a way for threat actors to increase the size of their cryptowallets without having to pay the energy or resource costs with their own equipment.
In our 2021 Domain Threat Report, we took a close look at cryptocurrency and cryptojacking domains and found high volumes of copycat phishing domains for Bitcoin and cryptojacking domains heavily using the terms Ethereum, Dogecoin, and Litecoin. Many of these cryptojacking sites actually used a variation of the term “mining” in the name of the domain—nearly 19% of all cryptojacking sites identified on our network during the pandemic.
DNSFilter has a robust catalog of known cryptojacking sites, and domains that contain cryptocurrency references can be blocked in a single click.
We also provide our users the ability to block new domains and malware for a blanketed approach to mitigating all malicious cryptomining activity that could be activated at your organization at the DNS layer.
Cryptocurrency made a comeback in 2020, and that had a ripple effect. It wasn’t just investments that were impacted—security was majorly impacted because threat actors saw a new window for compromise.
Ransomware payments are made with cryptocurrency because transactions on the blockchain are anonymous and cannot be traced. Because cryptocurrency marketplaces are popular right now, with many investors buying multiple coins, threat actors have chosen to create typosquatting and phishing domains for different cryptocurrencies.
And finally, malicious cryptomining is on the rise as cryptocurrency miners seek to make money, without investing directly in the currencies and without using their own resources.
Cryptojacking will continue to grow, as will other cryptocurrency-related threats.
DNS poisoning. DNS cache poisoning. DNS spoofing. Many names for the same thing: A way for threat actors to insert false DNS records to route traffic intended for a legitimate domain to a fake one. It's called “poisoning” because the false entry (the poison) is injected into the system at a single point and can spread throughout the system, affecting other points. This results in the end user attempting to access a usually safe site, like twitter.com, and getting redirected to the spoofed version. Often, you're taken to a login page where you're asked to submit credentials. In this scenario, you're giving away your Twitter account to the attacker. Once the attacker harvests your login credentials, they redirect you to the original Twitter website to continue your session.
Unfortunately, a good DNS poisoning attack will go completely unnoticed to the end user. There will be no visible differences between a real Twitter login page and the spoofed one. This allows the attacker to take advantage of the user’s ignorance to steal sensitive information. Another way a DNS poisoning attack can appear to an end user is when the domain refuses to load. This is done by attackers to frustrate the users of a service or cause harm to the business of that service. The attacker can substitute the IP address of the original domain with one that is not publicly accessible or simply spoof a “Not Found” page. Governments like China have also been known to spoof domains on their global block lists. In most of these cases, the end-user will likely never know they were the victim of DNS cache poisoning.
There are multiple actions you can take to prevent DNS poisoning.
- Implement DNSSEC: DNSFilter fully supports DNSSEC, but proper configuration is key.
- Disable Dynamic DNS: While not everyone is able to disable Dynamic DNS because of their ISP, disabling it or never implementing it is another way to mitigate DNS poisoning.
- Encrypt DNS data: We support both DNS-over-HTTPS and DNS-over-TLS.
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
DNS tunneling is a strategy used by black hats to create a covert channel into a victim’s computer or organization’s network. The channel created provides a means of encapsulating a malicious payload within DNS queries to take advantage of the relatively unrestricted flow of DNS traffic—especially in scenarios where almost all other traffic is restricted. DNS tunneling can be detected by performing DNS query analysis or traffic analysis, for example, analyzing the frequency of DNS traffic against a normal traffic benchmark within the network. When anomalies in query count and frequency are detected, a DNS tunneling attack is most likely in effect.
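The query analysis described above can be sketched as follows. This is an added example, not DNSFilter's detection code: it compares each client's per-minute query count with a benchmark built from normal traffic and, going one step beyond the text, also requires many unique high-entropy subdomains under one parent zone, since that is what a payload encapsulated in queries looks like. The log layout, thresholds and sample traffic are constructed assumptions.

```python
import hashlib
import math
import statistics
from collections import Counter, defaultdict


def registered_domain(qname):
    """Parent zone as the last two labels (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def rate_threshold(baseline_counts, k=6.0):
    """Benchmark: median + k * MAD of per-minute counts seen in normal traffic."""
    med = statistics.median(baseline_counts)
    mad = statistics.median([abs(c - med) for c in baseline_counts])
    return med + k * max(mad, 1.0)


def detect_tunneling(events, baseline, min_unique=20, min_entropy=3.5):
    """events: (minute, client, qname); baseline: client -> normal per-minute counts.
    Returns a sorted list of (client, parent_zone) pairs that look like a tunnel."""
    per_minute = defaultdict(Counter)   # client -> minute -> query count
    subdomains = defaultdict(set)       # (client, zone) -> unique subdomain strings
    for minute, client, qname in events:
        per_minute[client][minute] += 1
        zone = registered_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(zone)].rstrip(".")
        if sub:
            subdomains[(client, zone)].add(sub)

    findings = []
    for (client, zone), unique in subdomains.items():
        peak = max(per_minute[client].values())
        # Clients without history get a conservative default benchmark.
        if peak <= rate_threshold(baseline.get(client, [1])):
            continue  # query frequency is within the benchmark
        payload = "".join(s.replace(".", "") for s in unique)
        if len(unique) >= min_unique and shannon_entropy(payload) >= min_entropy:
            findings.append((client, zone))
    return sorted(findings)


def sample_events():
    """Constructed traffic for the demo, not real logs."""
    events = []
    for minute in range(5):  # ordinary browsing
        events.append((minute, "10.0.0.5", "www.example.com"))
        events.append((minute, "10.0.0.5", "mail.example.com"))
    events += [(2, "10.0.0.7", "www.example.com")] * 80  # noisy but benign burst
    for i in range(60):  # encoded chunks carried in the query labels
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        events.append((3, "10.0.0.9", f"{chunk}.t1.tunnel.example"))
    return events


# Constructed per-minute query counts from a normal period.
BASELINE = {
    "10.0.0.5": [2, 3, 2, 4, 3],
    "10.0.0.7": [3, 2, 5, 4, 3],
    "10.0.0.9": [2, 2, 3, 2, 4],
}

if __name__ == "__main__":
    for client, zone in detect_tunneling(sample_events(), BASELINE):
        print(f"possible DNS tunnel: {client} -> {zone}")
```

The benign burst from 10.0.0.7 exceeds its benchmark but repeats a single hostname, so only 10.0.0.9 is reported.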
The covert channel created by a DNS tunnel is similar to a criminal breaking into a house: The potential damage they can cause is only limited by their imagination. A common use of DNS tunneling is data exfiltration, a process in which attackers steal information from the victim’s computer. Another use of DNS tunneling is to establish remote access to a victim’s computer or network allowing the attacker to execute malicious commands or install malware. DNS tunneling can also be used in releasing a worm into an organization’s network. This worm can be used to introduce ransomware or to shut down an organization’s business activities.
Having a DNS security platform to filter your DNS requests is one battle-tested solution that can help prevent DNS tunneling attacks. Because DNS tunneling uses DNS queries to establish a malicious connection with the attacker’s computer, monitoring, detecting, and blocking malicious queries proves to be very effective in combating these types of attacks. DNSFilter uses the following strategies to detect and block DNS tunneling attacks:
-Detect phishing attacks that can lead to the installation of malware
-Each time a DNS server receives a DNS request, it is compared against a block list of known malicious domains
-Detection of Domain Generation Algorithms (DGAs) used by attackers to generate random domains for attacks
-Detect unusual DNS traffic patterns
And of course, you should run regular system updates to ensure you have no newly detected vulnerabilities.
“Malware” is short for “malicious software” meant to harm or exploit a service, network, or device usually for financial gain. These malicious attacks can be used to exfiltrate data that can then be sold on the darkweb, to hold the data ransom (as in ransomware attacks), or in the outright destruction of valuable data.
Ransomware, malvertising, worms, spyware, viruses, trojans—malware is a broad term that includes all of these threat types and more.
Because of the wide range of possible malware attacks, downtime and costs can vary dramatically. However, the average cost of a malware attack on a company is $2.6 million according to Accenture.
Malware can spread through a variety of avenues. One of the most effective ways of deploying malware is to host it as a forced-download on a website domain and promote it through a phishing or social engineering attack. Standing up malicious URLs is an incredibly easy and effective way to spread malware. The threat actors usually take advantage of existing sites and hack them to host their malware.
Once someone unknowingly downloads any type of malware, it will usually “callback” to a host server for further instructions. It does this via DNS, and these “callback” signals can be blocked if DNS security is in place. The instructions the malware receives will depend on what type of malware it is: Ransomware, spyware, adware, virus, etc.
Sometimes the malware will act immediately to make itself known, while other times it might stay on your device or network and quietly gather data for a long period of time.
All organizations need to be prepared for a malware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against malware. But one of the best ways to combat a malware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting malware, but will also stop “callbacks” from malware to host servers. This disables the ability for malicious software to be deployed and take over your computer in the event a malware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
No one is safe from a phishing attack. Phishing is a type of social engineering attack where someone tries to trick the user into revealing information. This is most often done via malicious websites and emails. Email phishing happens when an email from a sender appears to come from someone you know, but it's actually from a malicious actor. It could be an email from your bank, for example, but what you don't know is that the email actually came from a fake email account and not your bank. The goal of the phisher is to trick you into giving up your login credentials—or any other sensitive information—by clicking on links or downloading attachments that contain malware. Phishers who send out spear phishing emails go a step further and target specific individuals or businesses instead of sending out mass emails indiscriminately. The goal is usually to steal data from those individuals or businesses. The hackers might trick someone into wiring money to them, or they might create a fake form to capture credit card or banking info. The possibilities are endless, but the main goal in all of this is deception.
Phishing is one of the most common tactics used by hackers to gain access to data. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team.
Spear phishing campaigns are harder to detect because they require more time, effort, and resources on behalf of the sender. Hackers are clever in their spear phishing emails, fake ads, or social campaigns. They learn things about your role or you as an individual, and use that as a way to gain your trust and pull off their scheme. Small businesses are also at risk of spear phishing attacks. Common targets include small business owners or managers who have access to company bank accounts or W-2 information. These small companies may not have any cybersecurity measures in place which makes them easy targets for hackers looking for sensitive information without raising suspicion. Phishing attacks have moved from targeting individuals to going after organizations. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
New domains are the biggest threats when it comes to phishing attacks. These attacks are often assembled quickly from kits, meaning it’s easy for hackers to get new sites up as their old ones are taken down. Old methods, like a list of threat feeds, aren't enough to combat phishing.
With DNS Security, phishing attacks can be prevented by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
Traditional ransomware is a type of malware that renders a device (or files and applications on that device) unusable unless the owner pays a ransom to hackers. The device owners are then in the difficult position of either choosing to pay the ransom in exchange for a decryption key (without a clear guarantee they will receive the decryption key) or revert systems to backups and avoid paying the ransom altogether.
However, in some cases, backups may be impacted or companies may not have robust enough backups to restore all of their systems.
Getting fully back online after a ransomware attack can take days or even months. In the midst of a ransomware attack, as the organization decides between paying the ransom or rebuilding their systems, many companies need to rely on paper files. Hospitals and government agencies are particularly vulnerable to ransomware attacks, impacting critical systems that may directly result in fatalities.
One major way ransomware is spread is through malicious URLs. These URLs can be shared in emails, SMS text messages, on chat forums like Discord or Slack—even in advertising campaigns on reputable websites.
These websites can host drive-by-downloads where just visiting a site force-downloads malicious software onto your computer that will initiate a ransomware attack.
Phishing campaigns and social engineering are also responsible for spreading ransomware. Fake social media accounts or too-good-to-be-true deals will often point users to malicious URLs, forcing malware downloads. Phishing emails are responsible for 54% of ransomware infections.
Another way ransomware can spread is through malicious attachments, which sometimes will trigger a DNS request.
It’s important that every organization be prepared for a ransomware attack. Robust backups, application layer encryption, training, anti-virus, password managers, and multi-factor authentication will all aid you in the fight against ransomware. But one of the best ways to combat a ransomware attack is to block threats at the DNS layer.
DNS security not only blocks domains hosting ransomware, but will also stop “callbacks” from malware to host servers. This disables the ability for ransomware to be deployed and take over your computer in the event a ransomware package is deployed on your computer.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep you and your employees safe.
Most DNS security setups that validate DNS records (DNS Security Extensions, DNSSEC), or encrypt DNS traffic for protection against malicious eavesdropping (DNS-over-TLS/ DoT or DNS-over-HTTPS/DoH) do not address the trustworthiness of upstream DNS infrastructure that may be compromised or maliciously provisioned. PDNS addresses these concerns by using an external DNS resolver that implements standard protective DNS policies. One of the main functions of the resolver is to examine the domain name queries and the returned IP addresses against threat intelligence. This way, the resolver can help prevent connections to known and suspected malicious domains. Protective DNS (PDNS) operates as a service and is not itself a DNS protocol.
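A minimal sketch of the resolver-side check described above, as an added example rather than DNSFilter's implementation: it evaluates both the queried name and the returned IP addresses against threat intelligence, then applies the new-domain (30 days) and uncategorized-domain rules mentioned elsewhere on this page. The intelligence snapshot, the dictionary layout and the `evaluate` function are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed threat-intelligence snapshot using documentation-reserved names and ranges.
INTEL = {
    "blocked_domains": {"malware.example", "phish.example.net"},
    "blocked_networks": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("2001:db8:bad::/48"),
    ],
    "registered": {
        "shop.example": date(2015, 1, 1),
        "fresh-login.example": date(2024, 5, 20),
    },
    "categories": {"shop.example": "Business"},
}


def parent_zones(qname):
    """'a.b.example.com' -> ['a.b.example.com', 'b.example.com', 'example.com']."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]


def evaluate(qname, answers, intel, today, new_domain_days=30):
    """Return (action, reason) for one resolution: the query name plus its answer IPs."""
    zones = parent_zones(qname)

    # 1. The name itself, or any parent zone, is on the block list.
    for zone in zones:
        if zone in intel["blocked_domains"]:
            return ("block", f"domain on block list: {zone}")

    # 2. The name looks clean, but an answer points into a blocked network.
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        for net in intel["blocked_networks"]:
            if ip in net:  # always False when IPv4/IPv6 versions differ
                return ("block", f"answer {ip} inside blocked network {net}")

    # 3. The domain was registered within the last N days.
    for zone in zones:
        registered = intel["registered"].get(zone)
        if registered and (today - registered).days < new_domain_days:
            return ("block", f"new domain: {zone} registered {registered}")

    # 4. No zone in the name has a category yet.
    if not any(zone in intel["categories"] for zone in zones):
        return ("block", "uncategorized domain")

    return ("allow", "no policy matched")


if __name__ == "__main__":
    today = date(2024, 6, 1)  # fixed date so the demo is reproducible
    samples = [  # constructed (query, answers) pairs
        ("www.shop.example", ["198.51.100.7"]),
        ("www.shop.example", ["203.0.113.9"]),
        ("cdn.malware.example", ["198.51.100.20"]),
        ("fresh-login.example", ["198.51.100.8"]),
        ("never-seen.example", ["198.51.100.9"]),
    ]
    for qname, answers in samples:
        print(qname, answers, "->", evaluate(qname, answers, INTEL, today))
```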
DNS is at the heart of internet operations, but it is not built with security out of the box. Because of this, malicious actors find it attractive to design attacks around the protocol.
These attacks can lead to data exfiltration from compromised hosts, installation of malicious software, the spread of network worms, and ransomware.
Cybersecurity teams, in looking to strengthen the safety of company networks, leverage PDNS to secure an ever-expanding collection of devices, access points, and users. Proper DNS protection offers a zero-trust security solution for any end-user accessing the internet on your network. These services create a secure environment requiring no action or training on your end.
Following the joint statement, the NSA and CISA also released a report listing the guidelines for selecting a Protective DNS provider. These criteria, though not exhaustive, are considered to be the most important attributes to look out for when choosing a Protective DNS provider. The list below shows how DNSFilter satisfies the requirements stated in the report:
-Blocks Malware Domains
-Blocks Phishing Domains
-Malware Domain Generation Algorithm (DGA) Protection
-Leverages machine learning or other heuristics to augment threat feeds
-Content filtering
-Supports API access for SIEM integration or custom analytics
-Web Interface dashboard
-Validates DNSSEC
-DoH/DoT capable
Threat actors use typosquatting because they're relying on internet users to make mistakes. You'll mistype a domain name and find yourself on a site that looks like the one you wanted to land on anyway. If you looked closely at the URL you entered, you'd likely realize the mistake. But the goal here is to look identical to the original site it is mimicking. Typosquatting domains are traditionally used in phishing attacks. Amazon, Microsoft, and banking sites are popular victims of typosquatted phishing domains because they can direct users to login pages they're familiar with and steal their valuable credentials. Other uses for typosquatting include spreading malware. By using a familiar domain name (often swapping the TLD .com for .info or .top), they can bypass advertiser restrictions and trick end users. These ads often lead to malware, also known as malvertising. Typosquatting domains may also be used to sell knockoff brands (like Addidas). The possibilities for these copycat domains are nearly endless, and hackers are using the ability to capitalize on typos to their advantage.
Phishing is one of the most common tactics used by hackers to gain access to data. And typosquatting plays an important role in phishing. Large organizations are often targeted with spear phishing campaigns that are personalized for the company’s security team. Threat actors will register domains similar to technology used by those companies, or similar in name to the company itself. Depending on the attack, it might come from m1cr0soft[dot]com (similar to a vendor you might use) or company-name-here[dot]info (a copycat version of your own domain name). Phishing attacks have moved from targeting individuals to going after organizations. That's part of why typosquatting has become important to phishers: They're targeting professionals with some cybersecurity awareness. They need to do everything they can to go undetected. While large companies with resources are a lucrative target, 1 in 4 data breaches in the US in 2020 involved a small company. Every organization, no matter the size, is at risk.
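The lookalike patterns described above (character swaps such as m1cr0soft, misspellings such as Addidas, and TLD swaps from .com to .info or .top) can be checked against a watch list of domains you want to protect. This is an added example, not DNSFilter's classifier; the watch list, the confusable-character table and the function names are assumptions made for illustration.

```python
# Constructed watch list of domains to protect (assumption for this example).
PROTECTED = ["microsoft.com", "amazon.com", "adidas.com"]

# Characters commonly swapped for look-alikes, folded onto one representative.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})


def skeleton(label):
    """Fold look-alike characters so 'm1cr0soft' and 'microsoft' compare equal."""
    return label.replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_domain(domain):
    """Accept defanged input ('[dot]') and return (second-level label, TLD)."""
    labels = domain.lower().replace("[dot]", ".").strip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")


def classify(domain, protected=PROTECTED, max_edits=1, min_len=5):
    """Return (protected_domain, reason) for a lookalike, or None if nothing matches."""
    name, tld = split_domain(domain)
    if f"{name}.{tld}" in protected:
        return None  # the genuine domain, or a subdomain of it
    for brand in protected:
        b_name, _ = split_domain(brand)
        if name == b_name:
            return (brand, "tld-swap")
        if skeleton(name) == skeleton(b_name):
            return (brand, "homoglyph")
        # Short names produce too many one-edit neighbours, so skip them.
        if len(b_name) >= min_len and osa_distance(name, b_name) <= max_edits:
            return (brand, "typo")
    return None


if __name__ == "__main__":
    # Constructed candidates, for example names pulled from a day's DNS query log.
    for candidate in ["m1cr0soft[dot]com", "addidas.com", "microsoft.info",
                      "amaozn.com", "login.microsoft.com", "example.org"]:
        print(candidate, "->", classify(candidate))
```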
New domains are the biggest threats when it comes to phishing and typosquatting attacks.
With DNS Security, typosquatting domains can be blocked by filtering out malicious websites that have never even been seen before.
Every new link you encounter in the course of the day has the possibility of being a phishing website or other malicious site—especially sites that have only been registered in the last 30 days. You can protect your company and your employees by implementing PDNS and blocking new and uncategorized domains, in addition to known phishing sites.
Take a zero-trust approach to cybersecurity, and put your company in a position to minimize the possibility of intrusion. When DNS protection is in place, it can mitigate 33% of all data breaches. It’s a lightweight but powerful layer that will keep your entire organization safe.
A zero-day threat is an attack that has not been seen before and does not match any known malware signatures. It is referred to as a "zero-day" threat because once the flaw is eventually discovered, the developer or organization has "zero days" to then come up with a solution.
By securing your DNS traffic with a solution that uses machine learning to perform deep inspection of DNS traffic, you achieve greater threat coverage.
Our Sync Tool enables you to scale up to 500,000 Active Directory users. As your team grows, we have the scale to support you. DNSFilter also provides detailed information on sync logs, including any errors that may have occurred during a sync. We also give you more than one viewing mode and a free text search in the logs.
Apply policies at the group and user level. More versatility means more ways to implement a policy. There are seven different layers in our policy hierarchy. If you have an employee who needs to be exempt from their department filtering policy, you can create a custom policy just for them. Or, you can keep it simple and apply the policies at the group level—your deployment will fit your use case.
After a five-minute setup, your Active Directory will be synced with DNSFilter. Any changes you make to your on-premise or cloud AD will be reflected in your DNSFilter dashboard—this includes syncing of dynamic groups. So if someone moves from the IT department to the sales department, you won’t need to manually change their policy or push any changes—everything will be reflected in your instance.
You want to see your Active Directory instance reflected in DNSFilter, but do you want to be completely tied to it? Choose between the manual or managed options for policy enforcement depending on your preference. Do you want total control, or do you want to rely heavily on Active Directory? You’ll have complete flexibility.
Reclaim your valuable time and let computers do the repetitive tasks. Zapier allows for connectivity between thousands of applications you use every day, including DNSFilter.
Get notified when an organization or site is added or deleted from your account. Trigger an action or receive a notification whenever a roaming client or relay is added or removed from your account. Set up alerts that let you know whenever one of your users hits a page block. And automatically trigger workflows for when they request access to content currently blocked by your DNSFilter policy. Make sure your account is secure. Get alerts whenever any of your users disable multi-factor authentication.
Integrate with thousands of applications such as:
-Slack
-Office 365 (O365)
-Gmail
-Jira
-ConnectWise
-Zendesk
-Xero
-Salesforce
-and More!
When a customer signs up for Cisco Umbrella, they face a slew of challenges. The first, and the one we hear repeatedly from our customers and prospects, is the total lack of support for the product. When you have an issue with Cisco Umbrella, it can be nearly impossible to get a hold of someone. This leads to impacted Cisco customers without any DNS security for large chunks of time. The Cisco UI/UX is not intuitive and takes a more technical individual to implement the setup. This means you might need senior technical resources to take on a deployment they don’t have time for, as opposed to passing it over to a more junior engineer. Not to mention, within the Cisco Umbrella UI it is difficult to find things and some things are in multiple places, making it even harder to maintain a sense of where things are and where you can update them. Other common Cisco challenges customers endure are long contracts that lock you in, no investment or innovation on the product (the UI has not evolved very much since its OpenDNS days), and a slower anycast network.
Cisco Umbrella (previously OpenDNS) is a cloud-based DNS security solution, similar to DNSFilter. Umbrella provides basic needs to manage web filtering, includes rudimentary firewall-style features like SSL decryption, and has integrations with high-value platforms like ConnectWise PSA and S3 for log export. However, Cisco Umbrella is not as effective at blocking threats as DNSFilter, is harder to deploy, and has not continued to optimize the product over time.
Cisco Umbrella began as OpenDNS in 2008 as the first cloud-based protective DNS service. OpenDNS was purchased by Cisco in 2014. The name OpenDNS is now used for free filtering for home and families. It has different settings to block threats and/or adult categories compared to its Cisco Umbrella counterpart. To complicate the matter, OpenDNS does have a Home VIP and Umbrella Prosumer paid plan that offers more control over the settings—however this plan is mostly made up of older OpenDNS customers who have been grandfathered in.
Pricing is largely unknown with Cisco Umbrella because there is no public pricing available and all deals require communication with the sales team. Some reports have shown ~ $2.20 per user with a 100 user minimum, but that is mostly speculation. DNSFilter's pricing is $1 per user, with a minimum spend of $20 per month. Discounts are available for MSPs and Education. All pricing is clear on the public website.
The biggest difference between DNSFilter and Cisco Umbrella is the efficacy of DNSFilter's domain classification, which relies on our AI Webshrinker. Further, DNSFilter has an approachable company culture, and customers are involved in our decision making process of which features to implement. We have a transparent pricing model displayed on our public website and our support team is incredibly responsive compared to Cisco's. DNSFilter also offers more whitelabeling options for MSPs.
Creating a universal block list enables you to save time by creating blanketed protection outside of more-granular policies. It’s a definitive way to know that a harmful or inappropriate site will not be accessed across your organization.
Situations where domains fall into a gray area based on certain policies may sometimes be blocked accidentally, creating a hindrance to the business. Configuring an allow list ensures domains necessary for business to continue and run smoothly can be accessed.