PowerDNS Blog

Introducing simplified security with DNSdist Defender

Written by Andrea Carpani | Jan 27, 2025 2:07:18 PM

DNS serves as the essential entry point into the connected, online world for nearly all internet-based activities. While it opens up a wealth of opportunities, it also introduces unique challenges. This is why operators use DNS to deliver robust security and protection measures for their users.
These measures often include protection against malware, phishing, and other malicious activities, as well as parental controls to ensure safer browsing experiences. Additionally, DNS can proactively block sophisticated attacks such as botnet activations, device takeovers through command-and-control (C2) attacks, and Distributed Denial of Service (DDoS) attacks. By filtering DNS traffic, operators can intercept malicious content before it reaches users’ devices or compromises their networks.

DNS filtering in PowerDNS solutions is often managed through DNSdist, with the filtering rules expressed as Lua scripts (Lua being a lightweight and flexible programming language). However, this approach requires significant expertise in both Lua programming and DNS internals to implement, update, and maintain the filtering rules effectively.

To address this complexity, PowerDNS has introduced a more streamlined solution: the DNSdist Defender add-on. DNSdist Defender builds on the powerful Lua capabilities of DNSdist, offering a user-friendly and efficient way to filter malicious DNS traffic. Acting as a DNS firewall, DNSdist Defender provides comprehensive protection, including prevention of DNS tunneling and data exfiltration, mitigation of pseudo-random subdomain (PRSD) attacks, protection against DNS reflection/amplification threats, defense against device takeovers via command-and-control (C2) attempts, and easy configuration of per-subscriber rate limiting and DDoS protection.

DNSdist Defender is designed to make DNS filtering as simple and efficient as possible for PowerDNS customers. It offers straightforward configuration with YAML files, regular updates with curated rules provided by PowerDNS, and seamless compatibility with the latest versions of DNSdist. These features ensure that operators can implement and manage advanced filtering rules without unnecessary complexity.

DNSdist Defender also caters to enterprise-specific requirements, delivering features that enhance scalability and security. For example, it supports Session Ticket Encryption Key (STEK) sharing, which enables the secure distribution of STEKs across multiple servers. This makes TLS session resumption significantly more efficient in large web infrastructures spanning multiple servers or data centers. To enable this, DNSdist Defender uses NATS, an open-source messaging technology, for distributed communication.

For organizations with unique filtering requirements, DNSdist supports customization through the Lua Foreign Function Interface (FFI). While this native FFI delivers exceptional performance, it closely mirrors the C++ API it wraps, making it complex and challenging for non-experts to use. DNSdist Defender simplifies this by providing a fast, intuitive API layer that retains the full power of the native FFI API but offers a simplified and user-friendly syntax. By wrapping the FFI API, DNSdist Defender allows users to extend filtering rules without needing to write complex C-like code.

Please reach out to us if you would like to learn more about DNS filtering and how DNSdist Defender can help you!