DNS firewall, DNS proxy, and DNS proxywall. Which one to choose?

Domain name system (DNS)

The abbreviation DNS stands for "domain name system". It is a system of databases that translates textual names (domain names) of Internet servers into the IP addresses that are then used for network communication.

DNS databases are located on DNS servers, which are organized into a DNS hierarchy. The servers respond to translation requests received from DNS clients; computers or devices that use the services of DNS servers are called DNS clients.

The communication between DNS clients and DNS servers typically uses UDP port 53, a "well-known" port reserved for DNS. The use of other protocols or ports may require installation of additional software, which is why such configurations are not commonly used.

DNS Firewall

DNS firewalls filter DNS traffic between clients and servers: they intercept the traffic and block requests according to rules. DNS firewalls differ in how they intercept the network traffic and where they sit within the client-server communication.

  1. DNS traffic is intercepted on a client computer using a low-level packet capture and injection technique.

    Programs on the client computer are not aware that DNS traffic is being intercepted and filtered, which makes this one of the most transparent techniques for local programs. From a user's perspective, it is also one of the easiest DNS filtering setups, as it does not require much configuration. The interception can be paused and resumed without disrupting client-server communication.

  2. DNS traffic is intercepted on a client computer by redirecting it to a local DNS firewall, which then forwards the traffic to a remote DNS server.

    DNS firewalls that support this configuration automatically change the configuration of network connections by replacing the IP addresses of the DNS servers. However, other programs that rely on that configuration may stop working. Otherwise, it is similar to the low-level packet capture and injection technique.

  3. DNS traffic is processed by a DNS firewall on a separate computer (server). This configuration also often involves a DNS proxy working side by side with the DNS firewall.

    In this configuration, DNS clients send their requests to a remote DNS firewall instead of to DNS servers. It is typically used by mobile devices (mobile DNS clients) because of its simplicity: the DNS firewall is consumed as a service delivered by a service provider.

    The main benefit of this configuration is the separation between the consumers and the providers of the firewall service. Consumers do not have to worry about the configuration and maintenance of firewall servers. The DNS firewalls are maintained by service providers, which consolidate DNS traffic on dedicated servers before forwarding it to upstream DNS servers. The providers can manage pools of DNS firewalls centrally and apply the same rules to all consumers. DNS clients (consumers) require manual changes to their network connection settings to forward DNS traffic to the DNS firewalls.

  4. DNS traffic is intercepted on a DNS server using low-level packet capture and injection right before it reaches the DNS server software.

    In this configuration, a DNS firewall enhances the capabilities of a DNS server by adding an extra layer of filtering before the traffic is received by the DNS server software. Such a configuration is suitable for large organizations that maintain their own DNS servers. It allows a DNS server and a DNS firewall to be co-located, which simplifies their maintenance.

  5. Virtual Private Network (VPN).

    VPNs usually have their own DNS servers. A VPN is a technology that intercepts all network traffic on client computers and sends that traffic through a tunnel to a remote VPN server; DNS traffic is intercepted together with all the other traffic. When the network traffic reaches the VPN server, the DNS traffic is passed through a DNS firewall. VPN solutions are usually the most expensive way of filtering traffic in terms of both cost and performance. The companies that provide VPN services usually charge monthly fees, and when a VPN is used, all network communication is significantly slower (sometimes by more than several times) and depends heavily on the number of concurrent users connected to the same VPN servers.

DNS Proxy

A DNS proxy is typically a lightweight server that receives DNS requests and forwards them to other DNS servers. A DNS proxy usually maintains its own cache of DNS records, which is populated with information from DNS servers. Whenever a request coming from a client matches one of the cached records, the cached record is used to respond to the request; at the same time, an asynchronous request is sent in the background to an upstream DNS server to refresh the cached record. This caching technique significantly speeds up DNS name resolution. While name resolution using a DNS server usually takes 3-50 ms, name resolution using a DNS proxy with a cache takes 0-5 ms, depending on the location and the network bandwidth of the proxy.

Typically, a DNS proxy does not perform filtering of requests. If such filtering is needed, a DNS proxy is used side-by-side with a DNS firewall.

DNS Proxywall

A DNS proxywall combines two products in one: a DNS proxy and a DNS firewall. The firewall filters the DNS traffic, and the proxy caches DNS records and forwards unresolved requests to DNS servers.

The difference between a DNS proxywall and a DNS server is in how requests are resolved. A DNS server may resolve a domain (server) name by a hierarchical search, sending multiple requests to other DNS servers according to the established hierarchy. A DNS proxywall does not consider the DNS hierarchy; it expects the upstream DNS servers to return either IP addresses or an error status. Whenever an error is returned, the name being resolved is considered non-resolvable and the appropriate response is sent to the DNS proxywall's clients.
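The following is an added illustration, not code from Verigio or from its product, of the proxy caching behaviour described in the DNS Proxy section and the proxywall resolution order described above: a block rule is checked first, a cached record is served while a refresh is queued, and otherwise the request is forwarded to an upstream hook whose error becomes a non-resolvable (NXDOMAIN) answer. The upstream resolver hook, the block list, the TEST-NET address and the sample query are constructed assumptions so that it runs offline.

```python
import struct
NOERROR, NXDOMAIN, REFUSED = 0, 3, 5        # DNS RCODE values used below

def parse_qname(query):
    """Extract the queried name from the question section of a DNS query."""
    labels, pos = [], 12                    # the 12-byte header precedes the question
    while query[pos]:                       # each label is a length byte followed by text
        labels.append(query[pos + 1:pos + 1 + query[pos]].decode("ascii"))
        pos += 1 + query[pos]
    return ".".join(labels).lower()

def build_response(query, rcode, ip=None):
    """Echo the query ID and question, set QR=1 and RCODE, add one A record if ip is given."""
    qend = query.index(b"\x00", 12) + 5     # end of QNAME + QTYPE + QCLASS
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    rr = b"" if ip is None else (b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
                                  + bytes(int(o) for o in ip.split(".")))  # name ptr, A, IN, TTL 60, 4 bytes
    return header + query[12:qend] + rr

class DnsProxywall:
    """Firewall rules first, then cache, then forward; it never resolves recursively itself."""
    def __init__(self, upstream, blocked):
        self.upstream = upstream            # hypothetical hook: returns IPv4 text, or None on upstream error
        self.blocked = [b.lower() for b in blocked]
        self.cache, self.pending_refresh = {}, []   # name -> ip; names to re-query in the background

    def handle(self, query):
        name = parse_qname(query)
        if any(name == b or name.endswith("." + b) for b in self.blocked):
            return "blocked", build_response(query, REFUSED)        # firewall: never forwarded
        if name in self.cache:                                      # proxy: serve the cached record...
            self.pending_refresh.append(name)                       # ...and refresh it afterwards
            return "cached", build_response(query, NOERROR, self.cache[name])
        ip = self.upstream(name)                                    # proxy: forward to upstream
        if ip is None:                                              # upstream error = non-resolvable
            return "nxdomain", build_response(query, NXDOMAIN)
        self.cache[name] = ip
        return "forwarded", build_response(query, NOERROR, ip)

    def run_refreshes(self):
        """Re-query names that were answered from cache (a real proxy does this asynchronously)."""
        for name in self.pending_refresh:
            ip = self.upstream(name)
            if ip is not None:              # keep the old record if the refresh fails
                self.cache[name] = ip
        self.pending_refresh.clear()

# Constructed sample input: a standard A query for www.example.com, ID 0x1234, RD set.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
```

A real deployment would receive the query bytes on UDP port 53 and send the returned bytes back to the client; the refresh queue would be drained by a background task rather than by a direct call.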

Just like other proxywalls, Verigio DNS Proxywall combines the functionality of a DNS firewall and a DNS proxy in one product. The settings for both are managed in the same place, which ensures consistency of configuration and makes monitoring for potential issues easier. Each function (firewall and proxy) can be turned on or off individually.