[2021 Issue 02] Three Things You Need to Know About Zyxel Industry-leading DNS Content Filter

zyxel_Lin
zyxel_Lin Posts: 27  Zyxel Employee
edited September 2021 in Security Highlight
#1 Why Do We Need a DNS Content Filter? (The Fast-Growing TLS 1.3 Trend)

We are currently facing a decentralized, IoT-driven trend. The number of connected devices keeps growing, including in work-from-home environments, especially during this pandemic, so security countermeasures need to be reinforced.

Browser support for TLS 1.3 keeps growing and users are encouraged to switch to it for its improved security. With TLS 1.3 the server's certificate is sent encrypted, and with the Encrypted Server Name Indication (ESNI) extension the host name in the ClientHello is hidden as well, so websites using these cannot be categorized correctly by URL content filtering unless the firewall performs SSL inspection. We therefore need a way to check the category earlier, at the DNS query, instead. Compared with a traditional content filter, a DNS content filter is a stronger tool for SMBs because it stops unwanted connections at the name-resolution step, before any TCP or TLS session is opened, and so reduces the number of attacks that reach the network and the remediation workload of IT staff. An effective DNS content filter can prevent up to 88% of Internet-spread malware.

Traditional content filters relied on the Server Name Indication (SNI) extension of HTTPS: the TLS ClientHello carried the domain name of the site being visited in cleartext, and the filter matched on that name. Encrypted Server Name Indication (ESNI) is a TLS 1.3 extension (an IETF draft that has since evolved into Encrypted Client Hello, ECH) that hides that name so that HTTPS traffic cannot be spied on by an ISP, an untrusted network or a censor; once the name is hidden, a traditional SNI-based filter no longer applies. TLS 1.3 is the most secure version of the protocol available today. The pie chart below shows that more than a third of HTTPS traffic is still TLS 1.2, and that share is slowly dropping. Browser vendors have been prioritizing TLS 1.3 as the preferred protocol, and this is starting to drive adoption of the more secure version. Most popular browsers already support TLS 1.3 on the client side, including Google Chrome, Mozilla Firefox and Safari (macOS 10.13 and iOS 11).


#2 How Does a DNS Content Filter Work?

Compared with the shortcomings of the older protocol versions, TLS 1.3 is a big step forward: it removes the weaknesses of its predecessors and also shortens the handshake, reducing TLS processing time. A DNS content filter identifies web content by catching the domain name in the DNS query message, before any TLS connection is made and regardless of whether the SNI is later encrypted. It can be configured to restrict access to certain categories of Internet content and to block most malicious domains. Please refer to the flowcharts below.

TLS 1.3: Firefox lets the user encrypt the server name in the ClientHello by enabling Encrypted Server Name Indication (ESNI). With ESNI enabled in the browser, the server_name extension is no longer readable in the ClientHello, so a firewall without SSL inspection cannot match the connection against its URL categories and the user bypasses the filter. That is why the DNS content filter has to act on the DNS query instead.

DNS Content Filter Checking Flow



#3 Zyxel DNS Content Filter in ZLD 5.00, Launching in April

What's new in ZLD 5.00, launched in April? Websites using TLS 1.3 with ESNI cannot be categorized correctly by URL content filtering without SSL inspection, so the category has to be checked earlier, at the DNS query. The DNS content filter intercepts DNS requests from clients, checks the category of the queried domain name and takes the corresponding action, which reduces the risk of phishing attacks and of malware that hides its servers behind hijacked domain names. A fully customizable blacklist bans access to any unwanted domains and prevents clients from reaching known domains hosting malicious content. In this release the filter intercepts IPv4 UDP DNS queries. Note what that scope means in practice: queries carried over TCP, over IPv6, or inside encrypted transports such as DNS over HTTPS (DoH) and DNS over TLS (DoT) are not seen by the filter, so clients should be made to resolve through plain DNS (for example by handing out the firewall as the DHCP resolver and blocking outbound DoT on TCP/853 and known DoH resolvers). This matters for ESNI in particular: Firefox's ESNI implementation fetched the server's ESNI key through DoH and only worked with DoH enabled, so a client that has ESNI working is by default also bypassing a plaintext DNS filter.
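The checking flow described in sections #2 and #3 (intercept the DNS query, look up the category of the queried name, then forward or block) in runnable form, as an added example for this post. This is not Zyxel's implementation and not code from the article: the category table, the blocked categories and the sinkhole address 192.0.2.1 (a documentation address, not a Zyxel default) are all assumptions made for the example. It parses a raw UDP DNS query, matches the name and its parent domains against the table, and for a blocked category forges a response that answers A queries with the sinkhole address and other types with an empty answer section.

```python
import struct
import ipaddress

# Constructed category table for the example; a real product uses a vendor category database.
CATEGORY_DB = {
    "phish.example": "Phishing",
    "malware-cdn.example": "Malware",
    "casino.example": "Gambling",
    "news.example": "News",
}
BLOCKED_CATEGORIES = {"Phishing", "Malware", "Gambling"}   # assumed policy
SINKHOLE_IP = "192.0.2.1"                                   # assumed block-page address (TEST-NET-1)


def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard DNS query payload (what a client sends on UDP/53). Constructed sample."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1; QDCOUNT=1
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS IN


def parse_question(msg):
    """Return (txid, qname, qtype) for a standard query with one question, else None."""
    if len(msg) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or ((flags >> 11) & 0xF) != 0 or qdcount != 1:
        return None          # a response, a non-standard opcode, or not exactly one question
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            return None      # truncated name
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            return None      # compression pointer in a query name: reject rather than guess
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        return None
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, ".".join(labels).lower(), qtype


def lookup_category(qname):
    """Match the exact name first, then each parent domain, so subdomains inherit the category."""
    parts = qname.split(".")
    for i in range(len(parts)):
        category = CATEGORY_DB.get(".".join(parts[i:]))
        if category:
            return category
    return "Uncategorized"


def filter_query(msg):
    """Return ('forward', None) to pass the query upstream, or ('block', forged_response)."""
    parsed = parse_question(msg)
    if parsed is None:
        return ("forward", None)   # not something we can classify; let the resolver deal with it
    txid, qname, qtype = parsed
    if lookup_category(qname) not in BLOCKED_CATEGORIES:
        return ("forward", None)
    # Forge a reply: same ID, flags QR|AA|RD|RA, echo the question verbatim.
    ancount = 1 if qtype == 1 else 0
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, ancount, 0, 0)
    question = msg[12:]
    answer = b""
    if qtype == 1:
        # NAME is a pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL 60, RDLENGTH 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(SINKHOLE_IP).packed
    return ("block", header + question + answer)


if __name__ == "__main__":
    for name in ("www.casino.example", "news.example", "cdn.phish.example"):
        action, response = filter_query(build_query(name))
        print(f"{name:24s} {lookup_category(name):13s} -> {action}")
```

Because the decision is made on the query, it is the same whether the later HTTPS connection uses cleartext SNI, ESNI or SSL inspection. The flip side is the scope noted above: this code only ever sees what arrives as a plaintext UDP query, so a client resolving through DoH or DoT never reaches filter_query at all.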

Zyxel DNS Content Filter GUI Preview