DNS firewall, DNS proxy, and DNS proxywall. Which one to choose?

Domain name system (DNS)

DNS stands for "domain name system". It is a distributed database that translates human-readable domain names into the IP addresses (and other records) that network software then uses to communicate.

DNS data is held on DNS servers organized in a hierarchy (root servers, top-level domain servers, and the authoritative servers for individual domains). DNS clients, that is, the computers and devices that use the service, send translation requests (queries) to DNS servers, which answer them.

Communication between DNS clients and DNS servers traditionally uses port 53: UDP for most queries and TCP for large responses and zone transfers. Port 53 is the well-known port reserved for DNS. Encrypted transports also exist, DNS over TLS on TCP port 853 and DNS over HTTPS on TCP port 443, and they are increasingly common in operating systems and browsers. The rest of this page assumes classic port 53 traffic, which matters for filtering: a DNS firewall that only inspects UDP port 53 will not see queries that a client sends over one of the other transports.

DNS Firewall

DNS firewalls filter DNS traffic between clients and servers. They intercept queries and block (or answer locally) those that match rules, for example a blocklist of known malicious or unwanted domains. DNS firewalls differ in how they intercept the traffic and where they sit in the client-server communication path.

  1. DNS traffic is intercepted on the client computer using low-level packet capture and injection.

    Programs on the client computer are not aware that their DNS traffic is being intercepted and filtered, which makes this the most transparent technique for local software. From the user's perspective it is also one of the easiest DNS filtering setups and needs little configuration. Interception can be paused and resumed without disrupting client-server communication. The trade-off is that the capture component needs a kernel driver or administrator-level privileges, so it must be trusted and kept up to date, and it only sees traffic on the ports it captures.

  2. DNS traffic is redirected on the client computer to a local DNS firewall (typically listening on the loopback address), which then forwards it to a remote DNS server.

    DNS firewalls that support this configuration change the network connection settings automatically, replacing the configured DNS server addresses with the address of the local listener. Programs that depend on the original settings may stop working, and programs that hard-code their own resolver will silently bypass the firewall. Otherwise it behaves like the packet capture and injection technique.

  3. DNS traffic is processed by a DNS firewall on a separate computer (server). This configuration often pairs the DNS firewall with a DNS proxy.

    In this configuration, DNS clients send their queries to the remote DNS firewall instead of to ordinary DNS servers. Mobile devices typically use this setup because of its simplicity: the DNS firewall is consumed as a service delivered by a provider.

    The main benefit is the separation between consumers and providers of the firewall service. Consumers do not worry about configuration or maintenance. Providers consolidate DNS traffic on dedicated servers before forwarding it upstream, manage pools of DNS firewalls centrally, and apply the same rules to all consumers. Clients must have their network settings changed (manually, or through DHCP or device management) to send traffic to the firewall, and the provider sees every query from every consumer, which is a privacy consideration when choosing one.

  4. DNS traffic is intercepted on the DNS server itself using low-level packet capture and injection, right before it reaches the DNS server software.

    Here the DNS firewall adds a filtering layer in front of the DNS server software. This configuration suits large organizations that run their own DNS servers, since the server and the firewall are co-located and maintained together.

  5. Virtual Private Network (VPN).

    VPN services usually run their own DNS servers. A VPN client intercepts all network traffic on the client computer and sends it through an encrypted tunnel to a remote VPN server; DNS traffic is carried along with everything else, and on the server side the queries can be passed through a DNS firewall. VPNs are usually the most expensive way to filter DNS in both cost and performance. Providers typically charge monthly fees, and all communication, not only DNS, becomes slower (sometimes several times slower) depending on the number of concurrent users sharing the server.

DNS Proxy

A DNS proxy is typically a lightweight service that receives DNS queries and forwards them to other DNS servers. It keeps its own cache of the answers those servers return and serves repeated queries from the cache for as long as the record's TTL allows; some proxies also refresh a cached record from upstream in the background when they serve it, so clients rarely wait for a remote round trip. Caching significantly speeds up name resolution: resolving through a remote DNS server may take 3-50 ms, while a cache hit on a DNS proxy typically takes 0-5 ms depending on location and bandwidth.

Typically, a DNS proxy does not filter requests. If filtering is needed, a DNS proxy is used side-by-side with a DNS firewall.

DNS Proxywall

DNS Proxywall combines two functions: DNS proxy and DNS firewall. The firewall filters DNS traffic and the proxy caches DNS records and forwards unresolved requests to DNS servers.

The difference between a DNS proxywall and a DNS server is how requests are resolved. A recursive DNS server walks the hierarchy, querying root, top-level domain, and authoritative servers in turn. A DNS proxywall does not traverse the hierarchy; it is a forwarder that expects its upstream DNS servers to return either the IP addresses or an error. When an error is returned, the name is considered non-resolvable and the corresponding response is sent to clients (NXDOMAIN for a name that does not exist, SERVFAIL when the upstream could not answer). Queries blocked by the firewall rules are answered locally and never reach the upstream servers.
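The following is an added example, not code from the original page or from any vendor's product, that implements the proxywall behaviour described above and ties together the DNS firewall section (rule-based blocking) and the DNS proxy section (TTL cache in front of a forwarding upstream). It parses and builds real RFC 1035 wire-format messages using only the standard library. The domain names, the blocklist entry, the upstream zone and the 192.0.2.0/24 (TEST-NET-1) address are constructed for the example; `fake_upstream` stands in for a real upstream resolver so the code runs offline, and the background refresh that some proxies do is left out. In a deployment the `upstream` callable would send the query over UDP/53 to a real server and return the reply, or `None` on timeout.

```python
import struct
import time

# RCODE values from RFC 1035 and the A query type used throughout.
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
QTYPE_A = 1

def encode_name(name):
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Read a name at msg[off:], following compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer: continue at an earlier offset
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii").lower())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def build_query(txid, qname, qtype=QTYPE_A):
    """Standard query, one question, RD (recursion desired) set."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid, qname, qtype, rcode, answers=()):
    """Response echoing the question; answers = [(ttl, dotted IPv4)], owner names compressed to the question."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for ttl, ip in answers:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def parse_message(msg):
    """Return (txid, rcode, qname, qtype, answers) with answers = [(ttl, ip)] for A records only."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!HH", msg[off:off + 4])[0]
    off += 4
    answers = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((ttl, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return txid, flags & 0xF, qname, qtype, answers

class Proxywall:
    """Firewall rules plus a TTL cache in front of a forwarding (non-recursive) upstream."""

    def __init__(self, blocklist, upstream, clock=time.monotonic):
        self.blocked = {d.lower().strip(".") for d in blocklist}
        self.upstream = upstream          # callable: query bytes -> response bytes, or None on timeout
        self.clock = clock
        self.cache = {}                   # (qname, qtype) -> (expires_at, answers)
        self.log = []                     # decisions taken, one tuple per query

    def is_blocked(self, qname):
        """Match the listed domain and every name beneath it, never a superstring label."""
        parts = qname.split(".")
        return any(".".join(parts[i:]) in self.blocked for i in range(len(parts)))

    def handle(self, query):
        txid, _, qname, qtype, _ = parse_message(query)
        now = self.clock()
        if self.is_blocked(qname):                          # firewall: answered locally, never forwarded
            self.log.append(("BLOCK", qname))
            return build_response(txid, qname, qtype, NXDOMAIN)
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > now:                            # proxy: serve from cache with the remaining TTL
            self.log.append(("HIT", qname))
            return build_response(txid, qname, qtype, NOERROR, [(int(hit[0] - now), ip) for _, ip in hit[1]])
        reply = self.upstream(build_query(txid, qname, qtype))
        parsed = parse_message(reply) if reply else None
        if parsed is None or parsed[0] != txid:             # timeout or transaction-id mismatch: SERVFAIL, cache nothing
            self.log.append(("FAIL", qname))
            return build_response(txid, qname, qtype, SERVFAIL)
        rcode, answers = parsed[1], parsed[4]
        if rcode == NOERROR and answers:                    # only positive answers are cached
            self.cache[(qname, qtype)] = (now + min(ttl for ttl, _ in answers), answers)
        self.log.append(("FORWARD", qname, rcode))          # upstream errors pass through unchanged
        return build_response(txid, qname, qtype, rcode, answers)

# Constructed stand-in for an upstream resolver so the example runs offline (hypothetical names, TEST-NET address).
UPSTREAM_ZONE = {"www.example.com": (60, "192.0.2.10")}

def fake_upstream(query):
    txid, _, qname, qtype, _ = parse_message(query)
    if qname == "slow.example.net":
        return None                                          # simulated timeout
    if qname in UPSTREAM_ZONE and qtype == QTYPE_A:
        return build_response(txid, qname, qtype, NOERROR, [UPSTREAM_ZONE[qname]])
    return build_response(txid, qname, qtype, NXDOMAIN)

if __name__ == "__main__":
    pw = Proxywall({"ads.example.org"}, fake_upstream)
    names = ["tracker.ads.example.org", "www.example.com", "www.example.com", "nope.example.com", "slow.example.net"]
    for i, name in enumerate(names, start=1):
        pw.handle(build_query(i, name))
    print(pw.log)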

Like other proxywalls, Verigio DNS Proxywall combines firewall and proxy functionality in one product. The settings for both features are managed in one place, ensuring configuration consistency and easier monitoring. Each function (firewall or proxy) can be turned on or off individually.