[2021 Issue 02] Three Things You Need to Know About Zyxel Industry-leading DNS Content Filter
Zyxel Employee
We are currently
facing a de-centralized and IoT driven trend. There are growing number of
connected devices including work from home environment, especially during this
pandemic, so the security countermeasure needs to be reinforced.
There are more browser support and users are encouraged to switch to TLS 1.3 because of its increased security, but websites using TLS 1.3 are not categorized correctly by URL content filtering without SSL inspection. For that, we need a solution to have early check on categorizations by DNS query instead. Compared to traditional content filter, DNS content filter is a stronger tool for SMB(s), because it can restrict the number of attacks faced by network access, thereby helping to reduce the remediation workload of IT professionals. Effective DNS content filter can even prevent up to 88% of Internet-spread malware.
In the past, we used SNI (Server Name Indication) in HTTPS protocol, our HTTPS traffic was often revealing domain name of the sites we visited, so traditional content filter is not applicable. ESNI (Encrypted Server Name Indication) is used as an extended protocol of TLS 1.3 to prevent traditional HTTPS traffic from being spied by ISP or unfamiliar network environment and network censorship. TLS 1.3 is the most secured protocol available today. The pie chart below shows more than a third of HTTPS traffic is still TLS 1.2, and that number is slowly dropping. Browser vendors have been prioritizing TLS 1.3 as the preferred protocol, and this is starting to have an impact on adoption of these more secured protocols. Most popular browsers already support TLS 1.3 from the client side including Google Chrome, Mozilla Firefox and Safari (Mac OS 10.3 & iOS 11).
Compared with the shortcomings in the old protocol, TLS 1.3 can be regarded as a big step forward. It not only avoids the defects of previous version, but it also reduces the TLS processing time. DNS Content Filter identifies the Web content by catching the domain name in DNS query message. It can be configured to restrict access to certain categories of Internet content and block most of malicious. Please refer the flowcharts below,
TLS 1.3: Firefox allows user to encrypt client hello message by enabling Encrypted Server Name Indication (ESNI). User can bypass firewall without SSL Inspection. Server name is encrypted in Client Hello message when enable ESNI on Browser, so we need DNS content filter to do DNS query.
DNS Content Filter Checking Flow
What’s new in ZLD 5.00 launched in April? Websites using TLS 1.3 are not categorized correctly by URL content filtering without SSL inspection. For that, need a solution to have early check on categorizations by DNS query instead. DNS content filter intercept DNS request from client, check the domain name category and takes a corresponding action, reducing the risk of phishing attacks, and obfuscate source IPs using hijacked domain names. Fully customizable blacklist to ban access to any unwanted domains and prevent reaching those known domains hosting malicious content. We also support to intercept IPv4 UDP DNS query.
Zyxel DNS Content Filter GUI Preview
Categories
- All Categories
- 384 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 80 Nebula Status and Incidents
- 5.1K Security
- 79 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 909 WirelessLAN
- 34 WLAN Ideas
- 5.9K Consumer Product
- 209 Service & License
- 335 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 1.9K FAQ
- 898 Nebula FAQ
- 415 Security FAQ
- 234 Switch FAQ
- 205 WirelessLAN FAQ
- 46 Consumer Product FAQ
- 137 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 73 About Community
- 62 Security Highlight