Filtering DNS

How FlashStart DNS technology is applied
to malware and content protection

About Filtering with DNS

Here we explain DNS filtering without diving too deeply into the technology.
It is an introduction to help you make an informed decision about using DNS technology.
If you want to go deeper, you can read more in our other briefs about our URL Filtering Technology,
Content Filtering and Malware Protection.

What is DNS?

DNS is short for Domain Name System and it solves a simple problem. If you want to visit a website, you need to know the name of that website and must enter it into the address bar of your browser. For example, www.mywebsite.com.

The problem is that while a domain name is easy for humans to recognize, it means nothing to a computer. For a computer to find the website, an IP address is required. An IP address is a string of digits specific to a particular website that tells your computer where to find it. Domain names are for humans. IP addresses are for computers. DNS converts one to the other and basically serves as the phone book of the internet. You look up a name (the website’s “domain name”) and the DNS server tells your computer the number (IP address) that allows that website to be found. That means you do not need to remember a string of digits to access a particular website.

When you type a domain into your browser or click a link in a search engine or email, a connection is made to a DNS server, the IP address is found, and you are directed to the website. Your DNS server will usually be provided by your internet service provider by default. Taking control of your DNS is where DNS filtering starts.

What Is DNS Filtering, and Why Use It?

DNS filtering is the term given to blocking access to specific internet content to prevent it from being part of search results or downloaded content.

Filtering with DNS is a way to block access to specific web content, for example websites known to host child pornography, or other content that is illegal to view or banned by your country.

Organisations may want to block access to other types of content that violate their own internet usage policies, such as adult content, social media networks, and websites known to host malware.

DNS filtering therefore protects users, their devices and network owners, assuring and enabling compliance with government regulations.

How Does Filtering DNS Work?

Traditionally, content control was achieved using a physical appliance. When a user attempts to visit a website, the appliance downloads the content and decides whether the website can be accessed or should be blocked. DNS filtering is different. It works at the DNS lookup stage, before content is downloaded. The DNS filtering system looks at the requested website and compares it with a database that classifies the website according to content type. The DNS filter then decides whether you can view the content or not.

We skipped an important detail here: your device needs to know where to find the DNS filtering service. This is usually done by one of two methods:

FlashStart supports both of these deployment models.
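The lookup-stage decision described above can be sketched in a few lines. This is an added example, not FlashStart's code: the category entries, the blocked set and the function names are constructed for illustration. It matches the queried name label by label against the category database, so a more specific entry overrides its parent domain and a look-alike name that merely ends with the same characters is not matched.

```python
# Added example: constructed data and hypothetical names, not a vendor database.
from typing import Optional, Tuple

# Constructed category database: domain -> content category.
CATEGORIES = {
    "malware-host.example": "malware",
    "social.example": "social_media",
    "press.social.example": "news",   # more specific entry overrides its parent
    "news.example": "news",
}
# Constructed policy: categories this organisation chooses to block.
BLOCKED = {"malware", "adult", "social_media"}


def normalize(qname: str) -> str:
    """Lower-case the queried name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def classify(qname: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (matched_domain, category) for the longest label-wise suffix."""
    labels = normalize(qname).split(".")
    # Try the full name first, then each parent domain in turn.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return candidate, CATEGORIES[candidate]
    return None, None


def decide(qname: str) -> dict:
    """Decide at lookup time, before any content is downloaded."""
    name = normalize(qname)
    matched, category = classify(name)
    if category in BLOCKED:
        return {"qname": name, "action": "block",
                "reason": f"{category} ({matched})"}
    return {"qname": name, "action": "allow",
            "reason": category or "uncategorised"}


if __name__ == "__main__":
    for q in ["WWW.Malware-Host.example.", "chat.social.example",
              "a.press.social.example", "notmalware-host.example"]:
        print(decide(q))
```

How uncategorised names are treated is a policy choice; this sketch allows them.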

So now let’s return to the explanation of DNS filtering to highlight an important detail. The decision to block/allow the download is delayed by the time it takes the device to send a DNS packet to the FlashStart cloud (or another vendor cloud). This delay is called “latency”.

DNS filtering vendors write a lot about their latency and make comparisons between themselves. It’s like the acceleration performance of a car. However, to be able to reason about what latency is right for you, you need to understand a few important points.


Finally, let’s reflect on the question of what is good, bad or acceptable latency. There may be no shortage of opinion in the IT department about this. There is a lack of empirical data, but it is generally considered that 20-50ms is good for a business and under 20ms for a small internet service provider, tending to < 5ms for the largest internet service providers.
