DNS Client Query Filtering Improving Client Application Access Control For zero trust architectures, the Client Query Filtering feature creates a security barrier at the earliest point, helping prevent lateral movement of attacks. Client Query Filtering (CQF) Solution Benefits CQF offers granular filtering (microsegmentation) combined with allow/deny listing to provide a powerful checkpoint for App access control. More Granular Filtering Improve network segmentation down to the individual client. Better Application Access Control Enable DNS-based client access control to vital apps and infrastructure. Early Security Barrier Detect anomalies at the earliest point in the flow to reduce exposure risk. New Business Opportunities Enable new B2B2C offers (e.g. parental control for telcos). Stronger Security Ecosystem Allow immediate modifications through API and standard DNS zone manipulations. Network Segmentation Down to Individual User DNS Filtering needs to be more specific than simply applying the same filter to any device or user on the network, as that tends to lower the security level to the most common rules to be applied. Some user groups require a higher level of security, while others need a lower level in order to perform their activities effectively. IoT devices should have access to only authorized applications and resources, based on an allow list (whitelist). Most other devices require restrictions based on a deny list (blacklist). But to perform such DNS filtering requires the ability to differentiate the important part of the transaction: the client itself. Options in DNS engines do already exist, such as views that help distinguish the client based on its IP address, but that approach is not sufficient for devices roaming from site to site, with new devices on the network installed every day. Ideally, what’s required is more granularity and a better way to classify clients, in order to apply the appropriate level of filtering and therefore the adapted level of security. This is the path to application filtering, to segmentation required by zero trust approach, to parental control for telcos, and also to governmental and regulatory filtering. Request A Demo of CQF See Client Query Filtering in action with a demo of DNS Guardian. Get Started The Filtering Process in Client Query Filtering (CQF) CQF brings an easy way of managing application access control as a new facet to DNS filtering, with security based on the source client information mapped to the requested domain, rather than filtering based only on the domain. A dedicated filtering policy can therefore be applied to specific clients requesting access to specific applications. This brings DNS security to a higher level, by combining client and destination information with allow and deny lists, therefore enabling application security enhancement. The main components required by CQF in order to perform rich DNS filtering are: A list of client identifiers and tags A list of domains to analyze The operation to perform, either allow, deny or apply countermeasure. Each DNS request is compared with the content of the list of applications and domains for applying the relevant policy. The lists are either local to each DNS Guardian server and managed manually - which is useful for testing purposes - or centralized and managed globally, which is ideal for security policy enforcement. The domain list is a standard RPZ zone that can be maintained in the SOLIDserver through GUI actions and API calls, but can also be subscribed to from a threat intelligence provider. Distribution of each list to all the Guardian DNS servers is performed through standard replication mechanisms, scalable and in real time allowing automation scenarios with the security ecosystem and with OSS/BSS solutions. The filtering process is the heart of the CQF feature and enables rich security usages. Having the ability to use and manipulate large amounts of information in the lists provides a real advantage when it comes to applying security to multiple groups of clients which are complex to identify. This management is made possible by the high performances of the DNS Guardian engine and its integration in the whole DDI ecosystem of the SOLIDserver. Rich Client Identification in CQF DNS Clients are commonly identified by their IP address, but in some more complex scenarios, another field or a combination of fields extracted from each query can be used for this identification. For example, we can use the extended DNS Client Subnet field to identify either client groups located on the same subnet or each individual when used with a full subnet mask. We can also use a combination of the CPE (Customer Premise Equipment) identification on the telco network and the mac address of the device on the consumer network as a unique identification key. This variety of identification methods enables CQF to be used in conjunction with cascaded DNS servers, with DNS over HTTPS external engines or with ISP DNS relay embedded in the CPE. It can therefore be used by an organization with a local network but also by a more complex telecommunications network or service provider. Extend Security Policies with Tags The CQF feature includes filtering using tags. Tags can be associated with any type of identifier, like category of traffic, type of client, meta-data, etc. Policies can use joining/matching functions to use these tags in order to define access controls. CQF can be used to enable or disable client-to-application DNS resolution and therefore the traffic which follows. If a DNS request is blocked, the client will not have direct access to the application. This feature can be used to enforce security, provide zoning between clients (end devices and application servers), and apply zero trust principles to the network. Adding tags and specific operators enhances security by extending the policies applied to the resolution process. It also allows the number of resources used in the policy to be reduced, as each list can be refined by adding tags or combination of tags. This tag functionality makes many new use cases possible, particularly around IoT security, SaaS app access control, Shadow IT detection and Parental Control. CQF and Application Access Control Access control to applications can be performed at multiple levels in accordance with the security policies in place within the organization. For most, the main level in place nowadays is Authentication and Authorization at the application level through credentials - probably no application is accessible without user screening. But is that really enough? Can a user with no access to an application get access to the login page? If self registration is not an option for this application, which is mainly the case in organizations, then why expose access to its infrastructure from the network? There are some very important applications that require specific access and run on a dedicated infrastructure with no sharing of main components. Filtering at the network level is an option to consider, whereby routing access lists and firewall rules are an implicit solution. However, by adding filtering at the DNS level, you raise the security level even higher. This leaves no possibility to resolve the application technical IP addresses, no network level and no credentials, so is a far better approach to security in a Zero Trust environment. By having the ability to dynamically update the CQF lists with either application or client entries, security is automatically raised to the appropriate level, limiting the application's exposure and data visibility to unknown or non authorized users. Easy and Scalable CQF List Management Easily manage and distribute lists of domains , tags and client identifiers at scale. As well as managing lists locally, CQF List Management can also use the standard RPZ Format, or the specialized CQF Format which comes with category tags. The intuitive GUI offers IT staff improved control for highly flexible and rich policy creation - based on intent behavior or threat level - together with complete visibility over policies. Combining DNS CQF with DNS Threat Pulse unlocks a whole range of new tags which can be used in access policies. Key Resources For further information on EfficientIP security solutions which improve Application Access control and enable zero trust models, take a look at these additional resources: DNS DNS Security Augmenting Zero Trust: Why Using DNS Allow Lists is a No-Brainer Explore Videos Improving Application Access Control using Client Query Filtering Explore Datasheets DNS Guardian: Real-time Behavioral Threat Detection Explore View All Resources More Like This As well as the CQF feature, other components of EfficientIP’s DNS Security suite such as DNS Guardian, DNS Firewall and DNS Blast contribute towards strengthening enterprise network security and enabling zero trust models. DNS Guardian DNS Guardian offers patented DNS Transaction Inspection, advanced analytics for real-time behavioral threat detection and adaptive countermeasures, to protect users, apps and data. Explore DNS Threat Pulse Multi-source threat intelligence feed delivering insightful, actionable data in real-time to proactively defend against DNS cyber threats. Explore DNS Firewall Dynamic Threat Intelligence services to identify suspicious activity and prevent malware infection and spread. Explore DNS Blast World’s fastest DNS appliance offering carrier-grade DNS DDoS attack protection for combatting extreme volumetric threats. Explore Assess Your DNS Risk In order to help you better understand the usage context and behavior of your DNS clients, EfficientIP offers a free assessment involving expert analysis of real DNS traffic. Learn More
