There are many advantages to DNS filtering for content and internet security. While there is no perfect tool for every need, following a few key tips will ensure you get the most from your DNS filter option.
Good Policy Planning
When embarking on a decision to allow or block content for end users, it is important to understand your objectives with filtering and to properly communicate these policies to your end users. Dropping a sudden block on streaming media or social networking, when no block had existed before, will likely kick off a flood of help desk calls. If you are attempting to police a network that has had little to no filtering, it is often best to start with a lower filter setting and increase your restrictions as communication of these policies is made clear. Selecting the proper policy controls should be a discussion for key stakeholders and, of course, you will want to take note of any legal or regulatory requirements.
Don’t Mix DNS Services
One of the more common issues that comes about when a new network deploys DNS filtering is the idea that the network should keep multiple DNS servers on tap. While you certainly will want to have more than one resolver IP/network for redundancy, mixing DNS filtering services with non-filters will cause mixed results in your internal DNS cache. Client devices will randomly receive different answers to DNS resolutions and this will cause negative experiences.
Flush that cache
It is important to remember that there are multiple layers of DNS caching within any network. First you may have your domain controller, internal recursive DNS resolvers, and finally your client devices. All of these are potential hang ups when attempting to push out new policy changes via DNS. While you may have limited control of some client devices, flushing your internal DNS systems such as a domain controller will ensure end users get the latest policies. It is also important to note that policy changes are impacted by your services TTL (Time To Live) which tells internal DNS cache how long to keep the name before asking again. At ChurchDNS we keep relatively short TTLs to allow changes to propagate quicker.
Prevent End User Bypass
Clever end users who realize they are getting their internet results filtered via DNS may attempt to change their local machine DNS settings if they have access. The fix for this is rather quite simple. Network administrators should create a firewall rule that limits DNS traffic to pass only to allowed resolver IPs. If an end user then attempts to change their local machine resolver IPs, they will lose all DNS resolution capabilities.
As always, proper planning goes a long way and following these easy tips will help with any DNS filter roll out. Keep in mind that testing DNS filtering is easy to do by switching adapter settings of a single workstation in order to verify performance and capability in your environment. It can be a good idea to notify at least a few trusted users when widening your deployment so you can be sure to get any urgent feedback in order to stay ahead of help desk tickets.
