How to Configure DNS Content Filter (On-Premises)

Zyxel_Kay

Background

With increased browser support, users are encouraged to switch to TLS 1.3 due to its enhanced security features. However, websites using TLS 1.3 may not be categorized by URL content filtering without enabling SSL inspection. To address this limitation, DNS query-based categorization can be used as an alternative solution.

Compared to traditional content filtering, DNS content filtering is a more robust tool for SMBs (Small and Medium Businesses). It effectively reduces the number of network attacks, thereby lowering the remediation workload for IT professionals. An efficient DNS content filter can block up to 88% of Internet-distributed malware, offering a significant security advantage.

DNS content filtering works by intercepting clients' DNS queries, looking up the category of the requested domain name, and applying the configured action. This helps mitigate risks such as phishing and prevents the misuse of hijacked domain names, since a blocked domain is never resolved to its source IP. It also supports fully customizable blacklists, so administrators can block specific unwanted domains, including those known to host malicious content.

In this scenario, the gateway operates in on-premises mode. Using the device's Web GUI, the DNS content filter can be configured to block users on the local network from accessing specific websites, such as social networking platforms like Facebook.

Setting Up DNS Content Filter on USG FLEX Series

  1. Access the DNS Content Filter Settings
    • In the USG FLEX Web GUI, navigate to Configuration > Security Service > Content Filter > DNS Content Filter.
    • Choose Redirect IP and specify an IP address or use the default option.
      • If the default is selected, blocked requests will redirect to the page: http://dnsft.cloud.zyxel.com.
      • If a custom IP is chosen, blocked requests will redirect to the specified IP address.
  2. Create a Filter Profile
    • Add a new profile on the General page.
    • Set Redirect in the Action field and enable Log in the Log field.
    • Select Social Networking (as an example) from the managed categories.
    • Once the profile is created, a prompt will appear to apply it to a security policy. Click Yes to proceed.
  3. Apply the Profile to a Security Policy
    • Assign the profile to a policy targeting traffic from your internal network to both Any (Excluding ZyWALL) and ZyWALL.

Testing the Setup

  1. Verify Blocking
    • Browse to a website in the Social Networking category, such as facebook.com. The request should be redirected to the block page.
  2. Check Logs
    • Navigate to Monitor > Log.
    • Confirm that the logs show the DNS Content Filter detecting and blocking www.facebook.com.
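A quick way to confirm from a LAN client that the filter is actually rewriting DNS answers, as an added example that is not Zyxel's tooling or part of the original post. It assumes the client uses the gateway as its resolver (a client that resolves elsewhere will simply show "allowed"), that a blocked query is answered with the redirect IP chosen in step 1 (the custom IP, or the address of the default block page http://dnsft.cloud.zyxel.com), and it ships constructed answer tables with documentation-range addresses so the logic can be exercised offline; the allowed domain www.example.org, the name blocked.test and every address in the tables are assumptions, not values from the post.

```python
"""Check that the gateway's DNS content filter rewrites answers for a blocked category.

Added example, not Zyxel's own tooling. It assumes the client resolves through the
USG FLEX gateway and that a blocked query is answered with the redirect IP chosen
under DNS Content Filter: either the custom IP you entered, or (default option)
the address of the block page at http://dnsft.cloud.zyxel.com.
"""
import socket

DEFAULT_BLOCK_PAGE = "dnsft.cloud.zyxel.com"

# Constructed answer tables standing in for live lookups so the logic runs offline.
# Addresses are documentation ranges, not real Zyxel or Facebook infrastructure.
ANSWERS_CUSTOM_REDIRECT = {
    "www.facebook.com": ["192.0.2.10"],   # rewritten to the custom redirect IP 192.0.2.10
    "www.example.org": ["203.0.113.7"],   # hypothetical allowed domain, answer untouched
    "blocked.test": [],                   # hypothetical query that got no answer at all
}
ANSWERS_DEFAULT_REDIRECT = {
    "www.facebook.com": ["198.51.100.5"],  # rewritten to the block page's (constructed) address
    DEFAULT_BLOCK_PAGE: ["198.51.100.5"],  # the block page itself
    "www.example.org": ["203.0.113.7"],
}


def resolve(domain, answers=None):
    """Return the IPv4 answers for domain.

    With an answers table, read from it (offline); otherwise query the system
    resolver, which on a filtered LAN client is the gateway.
    """
    if answers is not None:
        return list(answers.get(domain, []))
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def redirect_targets(custom_redirect_ip=None, answers=None):
    """Addresses a blocked query is expected to resolve to."""
    if custom_redirect_ip:
        return {custom_redirect_ip}
    return set(resolve(DEFAULT_BLOCK_PAGE, answers))


def classify(domain, custom_redirect_ip=None, answers=None):
    """Classify one domain as 'redirected', 'allowed' or 'unresolved'.

    'redirected' means every answer points at the redirect target, i.e. the
    filter intercepted the query. An empty answer is reported separately because
    a Redirect action should produce an address, not a failed lookup.
    """
    ips = resolve(domain, answers)
    if not ips:
        return "unresolved"
    targets = redirect_targets(custom_redirect_ip, answers)
    if targets and set(ips) <= targets:
        return "redirected"
    return "allowed"


def verify(expected, custom_redirect_ip=None, answers=None):
    """Compare expected states ({domain: 'redirected'|'allowed'}) with observed ones.

    Returns a list of (domain, expected, observed) mismatches; an empty list means
    the filter behaves as configured for every domain checked.
    """
    mismatches = []
    for domain, want in expected.items():
        got = classify(domain, custom_redirect_ip, answers)
        if got != want:
            mismatches.append((domain, want, got))
    return mismatches


if __name__ == "__main__":
    # Live check from a LAN client; pass your custom redirect IP to classify() if you set one.
    plan = {"www.facebook.com": "redirected", "www.example.org": "allowed"}
    for domain, want in plan.items():
        print(f"{domain}: expected {want}, observed {classify(domain)}")
```

Run it on a client inside the policy's source network after step 3. If facebook.com comes back "allowed" even though the profile is applied, re-check the Web Filtering license described under Troubleshooting and confirm the client is really sending its queries to the gateway; the Monitor > Log entry for www.facebook.com should appear at the same moment the script reports "redirected".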

Troubleshooting

  1. DNS Content Filter Not Working?
    • Ensure that your Web Filtering service is active.
    • Verify that the subscription is valid and not expired.
  2. Resolve Licensing Issues
    • Go to Configuration > Licensing > Registration in the Web GUI or visit the myZyXEL portal to register or renew your Web Filtering license.

Kay
