If you are looking to protect your users, customers and IoT devices from connecting to malicious sites via a domain name system (DNS) firewall, you have multiple choices. Here are key questions to ask your potential DNS Firewall provider (and yourself!) to ensure you make the right choice for your business’s needs.

Ways of deployment

Let’s start with the basics; currently, there are 3 different ways to deploy DNS Firewall:

On-premises open source software: Threat intelligence data feeds from a third party accessed through your DNS infrastructure.

On-premises solution/appliance: This is located within your network and acts as a management system for your DNS security infrastructure, using threat intelligence data feeds.

Cloud:  A service which is external to your network, where a third party manages your DNS requests.

1. How is DNS Firewall set-up and configured?

Be certain to look at this implementation holistically and consider the ‘big picture’.  Ensure you choose a solution that meets your needs, and not simply one that is the fastest to install. Key elements to consider are:

  • Quality of threat data 
  • Pricing
  • Control 
  • Flexibility
  • Transparency
  • Support
  • Testing period¹

On-premises open source software: This is a more technical implementation because you configure the threat intelligence data feeds directly into your DNS.  Here it is vital to understand the support that will be given by the service provider during the implementation.

On-premises appliance:  A more in-depth implementation is usually involved.  You will be required to make direct changes to your DNS.  You will also be required to choose DNS threat intelligence data feeds to use in your Response Policy Zones (RPZ).

Cloud service: Typically you will only be required to make minimal changes to your DNS set-up.  This will simply involve pointing your recursive resolver to a different IP address, through which you will run your DNS resolution.

2. How much does it cost?

Cost is always a key factor when looking at purchasing new services or hardware. Consider if you have (or need to make a business case for) capital budget, or are wanting a solution which can fit into your operational budget, on a subscription basis.

On-premises open source software: Prices in this category should be amongst the lowest, as you are transferring threat intelligence feeds into your own DNS resolver, and won’t have any hardware costs to pay.

On-premises appliance:  Prices should be lower per user than using a cloud service, given that you are installing something onto your own network. However, establish if any additional fees need to be paid to use ancillary services on these appliances.  

Cloud service: This is generally more expensive per user because of the provider’s infrastructure costs, in addition to the cost of distributing their threat intelligence throughout their network.  The set-up is relatively easy (see #1), however, this is a service you share with multiple users, therefore you lose flexibility and control, and you may end up paying for data feeds that you don’t require. 

Remember that some on-premises solutions and direct DNS data feeds both have a more complex set-up (see #1).  Having said this, you will be rewarded for your efforts by having a large amount of control, both in terms of the different data feeds you utilize, and instant access to your redirect/block information.

3. Can I tailor your threat intelligence data feeds to my needs?  

Organizations need to have the flexibility to assess the amount of risk they want to take.  Question if you are able to pick the data feeds (i.e. the threat intelligence that’s being used to block/redirect on your network) that provide the right level of security for your business requirements.  

Some industries, e.g. financial and healthcare services, require additional levels of security, so they may want to have a strong focus on policy-based data feeds. On the other hand, if you need to be less risk averse, e.g. those managing end-user networks, you don’t want to have to pay for feeds that you don’t use.

Furthermore, there are organizations who require multiple levels of security across different areas of their network, for example, academic institutions will require a different level of protection for students compared to that of the staff.

4. What is the quality and breadth of your threat feeds? 

Cybercriminals use a range of techniques to extort information, and ultimately money, from their victims. Your DNS Firewall is only as good as the threat data it receives to block connections. These feeds need to be diverse and well researched, protecting you against as many malicious domains as possible. Furthermore, your threat data needs to have a low rate of false positives, particularly across non-policy focused feeds.

Whether you go down the route of choosing an appliance or decide to configure your own DNS, you will need to source a supplier for the data feeds.  Ensure it is someone who is well established in providing threat intelligence and draws data from a wide range of independent sources. 

5. How do I resolve issues with false positives?

If a business critical domain is being redirected/blocked you need to be certain that you can make an exception to the policy decision of your DNS Firewall, so your business can continue to operate without disruption. 

On-premises open source software & appliance: Is there the flexibility to add the domain to a private whitelist to allow you instant access to the blocked domain? 

Cloud services:  Check service level agreements (SLAs) for response and action times in relation to whitelisting and/or removing blocked domains that are business critical for you.  See to it that these are acceptable to your business needs.

6. How often is your data updated?

Timely threat intelligence is fundamental to countering cybercriminal activities across your network.  According to a Ponemon Institute Survey, 37 percent of attackers quit if they can’t yield value after a period of 10 hours.  

With this in mind, ensure that the data protecting you is delivered as continuously as possible: An update that occurs only every hour could fail to protect from the potential damage malware can do upon its initial release.

7. Can infected devices be easily traced on my network?

Whilst you can control most of what happens on your network, you can’t control what happens within your customer environment(s) or when employee devices are taken offsite, for example, working at a client’s offices, or from home. 

Botnet Command & Controller (Botnet C&C) listings increased by a huge 32% in 2017 (read the full Botnet Threat Report).  Given the upsurge in threats from this area, it is vital to be able to trace any infected devices on your network, to enable you to take rapid and effective action.  

Establish with your DNS firewall provider how attempted access to malicious sources can be detected using DNS firewalls on your network.  Remember to check if there is any need to install additional agents/software, which would lead to additional costs and complexity.  

8. How and when will I be notified of issues on my network?

Having ‘control’ is fundamental to most IT security teams.  The sooner a threat is flagged, the sooner relevant remediation can take place, be that for your customer if you are an ISP or Hosting provider, or your employee if you are an enterprise business.

On-premises open source software & appliance: Determine if you have the ability to set up your own logs, so you are immediately aware the moment a block/rewrite occurs, or receive notification if there is an infected client on your network.  This will enable you to take action without delay.

Cloud service: Establish if reports specific to your network are pushed out in real-time.  Consider the impact on your business if you had to wait to receive information on a redirect or a botnet infected machine.
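As an added illustration (not code from the original post or from any vendor) of what questions 5, 7 and 8 ask for, the following RPZ-style policy engine keeps a local passthru list that is consulted before the threat feed, and logs every block/redirect together with the querying client so infected devices can be traced and alerted on immediately. The feed entries, client addresses and walled-garden IP are all constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed threat feed, keyed like RPZ trigger names; "*." entries cover
# every subdomain. Values are the policy action the feed asks for.
THREAT_FEED = {
    "botnet-c2.example": "NXDOMAIN",    # answer "no such domain"
    "*.phish-kit.example": "REDIRECT",  # send to the walled-garden page
    "sharedcdn.example": "NXDOMAIN",    # a false positive we must except
}
# Question 5: local passthru list, consulted before any feed (like a local
# RPZ zone ordered first), so business-critical names always resolve.
LOCAL_PASSTHRU = {"sharedcdn.example"}
WALLED_GARDEN_IP = "192.0.2.10"  # constructed; documentation address range

@dataclass
class Event:
    when: datetime
    client: str   # the querying client: this is what lets you trace infections
    qname: str
    action: str
    trigger: str  # which feed entry fired

@dataclass
class Firewall:
    feed: dict
    passthru: set
    events: list = field(default_factory=list)

    def _match(self, qname):
        """Feed entry that fires for qname: exact name, then parent wildcards."""
        if qname in self.feed:
            return qname
        labels = qname.split(".")
        for i in range(1, len(labels)):          # a.b.c -> *.b.c -> *.c
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in self.feed:
                return wildcard
        return None

    def resolve(self, client, qname, upstream_answer):
        """Return what the client gets: upstream answer, None (NXDOMAIN) or garden IP."""
        qname = qname.lower().rstrip(".")
        if qname in self.passthru:
            return upstream_answer
        trigger = self._match(qname)
        if trigger is None:
            return upstream_answer
        action = self.feed[trigger]
        # Questions 7 and 8: record every hit with the client the moment it
        # happens, rather than waiting for a later batch report.
        self.events.append(Event(datetime.now(timezone.utc), client, qname, action, trigger))
        return None if action == "NXDOMAIN" else WALLED_GARDEN_IP

    def infected_clients(self):
        """Hit count per client: the list to hand to the remediation team."""
        counts = defaultdict(int)
        for e in self.events:
            counts[e.client] += 1
        return dict(counts)
```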

9. How stable is your service? 

On-premises open source software: Ascertain that any provider of threat feeds has multiple access points for their data.  This will ensure that even if there is an issue with some of their servers you will continue to receive service from one of their alternative locations.

On-premises appliance: If you are using an appliance you need to be sure that your DNS will still function, even without the DNS firewall, if the solution fails.

Cloud service: Be certain of contingency plans in regard to service failure, as this could potentially mean that you lose all access to DNS resolution, crippling your business. Gain a clear understanding of their SLAs, and whether they have been met historically.

10. Can I write my own redirect pages?

Why is this important? Well, because it is an opportunity to transform something negative, i.e. a cybercrime, into a teachable moment for the end-user.

A generic message only informs that a block/redirect has occurred:

The requested web page from has been blocked 

However, a carefully crafted landing page which provides the end-user with ‘why’ they have been blocked and ‘how’ they can protect themselves in the future will positively contribute to increasing the ongoing security of your network.   For further information and examples of ‘teachable moment’ landing pages, click here.


With such a huge growth in the DNS Firewall market over the past few years there are plenty of options to choose from.  Simply (!) take the time to understand your business needs and carefully research what option meets them.

DNS Firewall – A beginner’s guide

Discover DNS Firewall Threat Feeds

Trial DNS Firewall for Free

¹We would recommend a 30 day testing period.

Using Passive DNS: Malware Researcher

Passive DNS can ease the burden on Malware Researchers by reducing the need for complex reverse engineering when dealing with malware.

  • Once you have an IP address for a Botnet Command & Control (Botnet C&C) server, Passive DNS enables you to drill down and analyse the host names served by the same IP address and extend your searches, for example, to the authoritative name servers for the domain.

Using Passive DNS: Security Professional

Security Professionals can use Passive DNS to investigate domains or IP addresses that have raised suspicion, and find out whether it is a single malicious IP or a complex multi-layered operation they are dealing with.

  • Investigate domains that are within the same subnet as a particular IP address – some (or most) of these may display similar behaviours to the one that has caused you concern.
  • Abusers recycle their resources, e.g. the same web server may host several phishing domains, not just one. With Passive DNS you can acquire this information before, or as soon as, they change their domain or IP address.
  • If you are dealing with a more complex operation, the abuser may have a full /24 subnet under their control, and Passive DNS can potentially provide additional, deeper insights, e.g. all the domains that are pointing to an IP address in that subnet.
  • Passive DNS searches will also permit you to find invalid or unauthorised records in the zones you control, caused by unauthorised access or by cache poisoning/spoofing (where corrupt DNS data is introduced into the DNS resolver’s cache, causing the name server to return an incorrect result).


Using Passive DNS: Brand Protection Specialist

Passive DNS adds value to multiple roles, including Brand Protection Specialists. You can utilise Passive DNS to highlight shadow domains or typosquatting, and identify who is masquerading as your company, brand or trademark, potentially hurting your customers and damaging your brand.

  • Search the Passive DNS database for domain names that contain the whole name of your company, or a specific keyword.
  • Pinpoint malicious domains and easily view their IP addresses.
  • Search each IP address to uncover any further domains that it may have been associated with historically.
  • For additional intelligence, subscribe to our real-time zero reputation domain zone (ZRD), and view all domains which have been registered within the past 24 hours (which have a higher likelihood of being used for fraud).


Using Passive DNS: Penetration Tester

Passive DNS has the potential to assist various IT security roles, including Penetration Testers.  Take a look at the highlights below to get a clear understanding of how Passive DNS can provide you with deeper insights into the security of the networks you are evaluating.

Search for all the DNS records relating to the subnets of the domain you are investigating, to highlight what different functions the servers are being used for.  Things to look out for:

  • A host named “firewall.yourcustomerdomain.com” suggests a high likelihood that this is the firewall, allowing you to select the relevant testing tools you should be using on this type of domain.
  • A host named “webdevel.anothersite.com” is likely to be a domain where development is run from, and could yield some interesting penetration results.
  • Look for any IP addresses running live versions of outdated software – this has the potential to increase the attack surface.

Using the information gathered in the above steps, you may uncover subnets which exist as part of the infrastructure, which you weren’t aware of, but are of interest to you. Use Passive DNS to drill down into the newly discovered networks.


Passive DNS has been an industry standard tool for more than a decade, but given the conversations we are having with various customers, IT teams & security teams, it’s apparent that there is some uncertainty as to what Passive DNS is, and also how it can help businesses protect both their networks and brand.

What is Passive DNS?

Until the introduction of Passive DNS there was no way to retrieve the content of a DNS zone owned by other people, as system administrators were not keen to share them. Also, once a change was made to a DNS record the previous details were gone forever, as the new version immediately propagated across the internet… Not very helpful if you need to research all the domain names a suspect IP address has resolved to historically, and vice versa.

Where does Passive DNS data come from? 

Diagram: How Passive DNS data is captured (client computer, DNS resolver, root server and authoritative name server)

When a client queries a local DNS resolver and the answer is not included in the server’s cache, the DNS resolver will query an external root server, followed by the top-level domain (TLD) server and the authoritative name server itself, to get access to the requested information (see diagram).

With special probes activated on the DNS resolver,  it is possible to record the packets containing the answers to the client, along with the time & date stamp of when the query was made.  

Passive DNS does not store which client (or person) made a query, just the fact that at some point in time a domain has been associated with a specific DNS record. This ensures that privacy is maintained throughout the system.

Deteque utilises Passive DNS data from Spamhaus, which is collected across the internet globally, from trusted third parties including hosting companies, enterprises, business & ISPs.

With the constant increase in the number of TLDs (there are currently more than 1,000), there is a huge amount of data to record. Deteque’s Passive DNS cluster handles more than 200 million DNS records per hour and stores hundreds of billions of records per month, allowing you to search this vast database easily.
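To make the capture and pivot steps concrete, here is an added example (not Deteque’s or Spamhaus’s code) of a minimal passive DNS store: each answer seen at the resolver is aggregated into (name, type, rdata) with first/last-seen timestamps and a hit count, the querying client is deliberately discarded as the text describes, and the IP, subnet and history pivots from the Security Professional bullets above are run over a constructed set of observations. All names, addresses and timestamps are invented sample data.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress

@dataclass
class Record:
    """One aggregated passive DNS record: no client identity is kept."""
    rrname: str
    rrtype: str
    rdata: str
    time_first: datetime
    time_last: datetime
    count: int = 1

class PassiveDNS:
    def __init__(self):
        self._db = {}  # keyed by (rrname, rrtype, rdata)

    def observe(self, when, client_ip, rrname, rrtype, rdata):
        """Ingest one answer seen at the resolver; client_ip is never stored."""
        key = (rrname.lower().rstrip("."), rrtype.upper(), rdata)
        rec = self._db.get(key)
        if rec is None:
            self._db[key] = Record(*key, when, when)
        else:
            rec.time_first = min(rec.time_first, when)
            rec.time_last = max(rec.time_last, when)
            rec.count += 1

    def names_for_ip(self, ip):
        """Every hostname ever observed resolving to ip (the rdata pivot)."""
        return sorted({r.rrname for r in self._db.values()
                       if r.rrtype == "A" and r.rdata == ip})

    def names_in_subnet(self, cidr):
        """Widen the pivot to a whole subnet, e.g. a /24 an abuser controls."""
        net = ipaddress.ip_network(cidr)
        return sorted({r.rrname for r in self._db.values()
                       if r.rrtype == "A" and ipaddress.ip_address(r.rdata) in net})

    def history(self, rrname):
        """Each rdata a name has pointed at, oldest first, with its seen window."""
        n = rrname.lower().rstrip(".")
        recs = sorted((r for r in self._db.values() if r.rrname == n),
                      key=lambda r: r.time_first)
        return [(r.rdata, r.time_first, r.time_last, r.count) for r in recs]

# Constructed sample answers: (timestamp, client, name, type, rdata)
SAMPLE = [
    ("2018-06-01T10:00:00", "10.1.1.4", "login.phish-kit.example", "A", "203.0.113.5"),
    ("2018-06-02T11:30:00", "10.1.1.9", "login.phish-kit.example", "A", "203.0.113.5"),
    ("2018-06-03T09:00:00", "10.1.1.4", "secure-bank-update.example", "A", "203.0.113.5"),
    ("2018-06-04T08:15:00", "10.1.1.2", "cdn.phish-kit.example", "A", "203.0.113.77"),
    ("2018-06-10T12:00:00", "10.1.1.9", "login.phish-kit.example", "A", "198.51.100.20"),
]

def build_sample():
    db = PassiveDNS()
    for ts, client, name, rrtype, rdata in SAMPLE:
        db.observe(datetime.fromisoformat(ts), client, name, rrtype, rdata)
    return db
```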

How can this help your IT security?

Passive DNS data provides a wealth of information for IT security teams, research teams and brand protection specialists.  Research analysts gain insight as to how a particular domain name changes over time and how it is related to other domains and/or IP addresses. This data enables you to build a picture of potential threats across global networks that simply cannot be identified from monitoring your own network.

Brand protection specialists can identify spoofed domains/websites, noting when they have been active and how they are associated with other domains.  

Discover the value this tool can bring to multiple roles:

Passive DNS is an extremely clever and simple to use tool that’s a great addition to your security arsenal.


Learn about Deteque’s Passive DNS Tool


OXS18 Power Innovation

Open-Xchange are holding their 10th European Summit (OXS18) in Rome on 27th & 28th September and Deteque will be there too. 

OXS18 Rome – connect with Deteque

Attendees will have the opportunity to network with a multitude of telcos, hosters and cable carriers. Additionally, Open-Xchange senior management and product experts will be on hand to discuss how their ever-evolving, innovative products and services can assist you.

Deteque’s Matt Stith, Product Manager and Abuse Desk guru, will be highlighting how you can protect against data extraction utilising DNS Firewall Threat Feeds.

OX Summit is invitation only. To secure your seat at OX Summit Rome, please use the Voucher Code Innovate! to register.  For more information and final agenda, please click here.

We have now launched the production version of our improved Passive DNS Tool, so we are no longer looking for Beta Testers.  However, please click on the link below to get access for free.

Passive DNS Free Plan

Whether you are a security professional wanting to uncover patterns of malicious activity from networks across the world, or a brand protection specialist wanting to expose the deceptive use of specific domains, utilising Passive DNS data should be part of your toolset.

Passive DNS – exclusive beta testing opportunity

Passive DNS provides a wealth of valuable information to digital security professionals, enabling the user to review relationships that exist, both historically and currently, between online properties, e.g. domain names and internet protocol (IP) addresses, across the globe. Discover more about Passive DNS here.

We are delighted to offer the opportunity* to become one of the first to use and provide feedback on our improved and simplified Passive DNS tool.

Who can apply?

What do we offer?

  • Access to the web portal and API
  • Start-up documentation and a helping hand
  • Advice regarding how to use the tool for incident investigation and brand spoofing investigation

What do we require from you?

  • Must be available to engage in active testing.
  • Provide feedback via a phone call.

Please note that numbers are limited so please apply as soon as possible.

Good luck and thank you!


*Sadly we can only accept those who meet the outlined requirements onto the beta testing program.

Brian Krebs investigates the Bitcanal “Hijack Factory” story which hit the news this week. Through continually hijacking Border Gateway Protocol (BGP) routes, Bitcanal leased swathes of IP addresses to spammers. Since 2014 Bitcanal has appeared in 103 SBL listings researched by Spamhaus. Read Brian’s article here .

This week sees Spamhaus featuring in the news in Doug Madory’s article focusing on Bitcanal: Shutting Down the BGP Hijack Factory.

The piece focuses on Bitcanal, who has been listed on various Spamhaus block lists for over 3 years. Doug Madory, Director of Internet Analysis at Oracle Dyn, shines the spotlight on Bitcanal and focuses on the lessons Internet Exchange Points (IXPs) need to learn from this episode.

Spamhaus has published 103 SBL listings related to Bitcanal, going as far back as December 2014.  There have been inclusions on both their IPv6 Drop list, and ASN Droplist.