GSLB.me DNS firewall protects your applications by enforcing security policies on DNS resolution. This allows you to fully control which clients can resolve your FQDNs and decide who should get an answer and who should be blocked or redirected to other IP addresses or CNAMEs.

DNS Firewall

This flexible feature enables DNS resolution protection and control on top of your existing geohosts configuration. If you are already using GSLB.me to resolve the FQDNs of your Internet services, then you just need a few clicks to configure and run your firewalling policies.

Blacklist configuration dashboard

DNS Firewall supports an unlimited number of granular policies based on the following criteria:

  • positive logic (whitelisting): defines which IP addresses and subnets should always be allowed to resolve your FQDNs
  • negative logic (blacklisting): defines which IP addresses and subnets should be blocked or redirected elsewhere by replying with:
    • NXDOMAIN
    • An “A record” with configurable redirection/honeypot/dummy IP address
    • A “CNAME record” with configurable redirection/honeypot/dummy FQDN
  • client reputation matching: handles DNS queries based on the reputation of the client's IP address. Reputation is determined from known categories (Command and Control, Malicious Host, Malware Domain, Malware IP, Open Proxy, Phishing, Scanning Host, Spammer IP) and supports four types of DNS reply:
    • NXDOMAIN
    • An “A record” with configurable redirection/honeypot/dummy IP address
    • A “CNAME record” with configurable redirection/honeypot/dummy FQDN
    • Accept the request and handle it normally
Client reputation can be checked and enforced by engaging specific firewall actions
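The policy types listed above, as an added example that is not GSLB.me code: a minimal evaluator that takes a client IP and returns the DNS reply the firewall should give. The precedence (whitelist first, then blacklist, then reputation), the `Action`/`Policy` names and the sample feed are assumptions made for the example; the page does not state how the product orders its checks.

```python
import ipaddress
from dataclasses import dataclass, field

# The eight reputation categories named on the page.
CATEGORIES = {"Command and Control", "Malicious Host", "Malware Domain", "Malware IP",
              "Open Proxy", "Phishing", "Scanning Host", "Spammer IP"}

@dataclass(frozen=True)
class Action:
    kind: str          # "ACCEPT", "NXDOMAIN", "A" or "CNAME"
    target: str = ""   # honeypot/dummy IP for "A", honeypot/dummy FQDN for "CNAME"

@dataclass
class Policy:
    whitelist: list = field(default_factory=list)   # ip_network objects, always allowed
    blacklist: list = field(default_factory=list)   # (ip_network, Action) pairs
    reputation: dict = field(default_factory=dict)  # category -> Action, checked in order

def evaluate(policy, client_ip, reputation_of):
    """Return the Action for a query from client_ip.
    Assumed precedence: whitelist, then blacklist, then reputation categories;
    a client that matches nothing is answered normally."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in policy.whitelist):
        return Action("ACCEPT")
    for net, action in policy.blacklist:
        if ip in net:
            return action
    categories = reputation_of(ip) & CATEGORIES
    for category, action in policy.reputation.items():
        if category in categories:
            return action
    return Action("ACCEPT")

# Constructed sample reputation feed using documentation ranges (not real indicators).
SAMPLE_FEED = {
    "198.51.100.7": {"Spammer IP"},
    "203.0.113.9": {"Scanning Host", "Open Proxy"},
    "192.0.2.20": {"Malware IP"},
}

def sample_policy():
    return Policy(
        whitelist=[ipaddress.ip_network("192.0.2.0/24")],
        blacklist=[(ipaddress.ip_network("203.0.113.0/24"), Action("NXDOMAIN"))],
        reputation={"Spammer IP": Action("CNAME", "honeypot.example.net."),
                    "Malware IP": Action("A", "10.255.255.1")},
    )

def decide(client_ip):
    """Evaluate one client against the sample policy and constructed feed."""
    return evaluate(sample_policy(), client_ip, lambda ip: SAMPLE_FEED.get(str(ip), set()))
```

A whitelisted client keeps resolving even when the feed flags it, which is why a whitelist entry should be reviewed as carefully as a blacklist one.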

By enabling DNS firewall policies you can prevent unwanted clients from resolving your FQDNs: DNS queries from clients with a bad reputation (e.g. spammers, malware-infected clients) can be blocked or answered with specifically crafted responses. For instance, you might want to send an NXDOMAIN reply to all spammers who try to resolve your business-critical service, or you might want to permanently blacklist specific IP addresses or subnets.

Client reputation information is gathered from several sources across the Internet and is updated in real time, in order to guarantee a high level of reliability and to efficiently protect your services' DNS resolution from unwanted, invasive clients and attackers.

GSLB.me DNS firewall provides a real-time statistics and reporting dashboard detailing blacklist/whitelist matches and providing insights into requests coming from clients whose reputation is low.

DNS Firewall realtime statistics

Firewall policies can be applied to geohosts to instantly add security to your existing services and configurations.

DNS Firewall is free for up to one blacklist (including a maximum of 5 IPs/subnets), one whitelist (including a maximum of 5 IPs/subnets) and one client reputation rule that includes at most one bad reputation category. The paid version of the firewall handles an unlimited number of whitelists and blacklists with up to 1000 IPs/subnets each, and can check client reputation against all 8 reputation categories mentioned above.

Read our howto to discover more and learn how to set up DNS firewall for your services: our technical support team is available to help you plan and set up security for your services.