DNS, DHCP & IP Address Management appliances
For Microsoft DNS & DHCP servers
For open source DNS & DHCP servers
Cloud-based visualization of analytics across DDI architecture
Manage multi-vendor cloud DNS servers centrally
RIR Declaration Management and Automation
Automated network device configuration and management
Centralized visibility over all your clouds
A single source of truth for your network automation
Why DDI is an Obvious Starting Point
DNS Threat Intelligence for proactive defense
Intelligence Insights for Threat Detection and Investigation
Adaptive DNS security for service continuity and data protection
Improve Application Access Control to prevent spread of attacks
Protect users and block DNS-based malware activity
Carrier-grade DNS DDoS attack protection
Optimize application delivery performance from the edge
for Proactive Network Security
Visibility, analytics and micro segmentation for effective Zero Trust strategy
Enable work from anywhere by controlling access, security and data privacy
Simplify management and control costs across AWS, Azure and GCP environments
Risk-free migration to reduce DDI complexity and cost
Move risk-free to improve performance, security and costs
Automate management, unify control and strengthen security of connected devices
Protect your network against all DNS attacks, data exfiltration and ransomware
Enable zero touch operations for network management and security
Improve resiliency, deployment velocity and user experience for SD-WAN projects
Integrated DNS, DHCP, IPAM services to simplify, automate and secure your network.
Simplify design, deployment and management of critical DDI services for telcos
Optimize administration and security of critical DDI services for healthcare
Simplify and automate management of critical DDI services for finance
Simplify and automate management of critical DDI services for higher education
Simplify and automate management of critical DDI services for retail
Simplify Management and Automation for Network Operations Teams
Open architecture for DDI integration
Technology partnerships for network security & management ecosystems
Extend security perimeters and strengthen network defenses
Submit requests for temporary licenses
Submit access requests for EfficientIP knowledge platforms
Submit membership requests for EfficientIP Community
Strengthen Your Network Protection with Smart DNS Security
Customer-centric DDI project delivery and training
Acquire the skills needed to manage EfficientIP SOLIDserver™
Identify vulnerabilities with an assessment of your DNS traffic
Test your protection against data breaches via DNS
Dedicated representation for your organization inside EfficientIP
Explore content which helps manage and automate your network and cloud operations
Read content which strengthens protection of your network, apps, users and data
Learn how to enhance your app delivery performance to improve resilience and UX
Why Using DNS Allow Lists is a No-Brainer
This enterprise-grade cloud platform allows you to improve visibility, enhance operational efficiency, and optimize network performance effortlessly.
Who we are and what we do
Meet the team of leaders guiding our global growth
Technology partnerships for network security and management ecosystems
Discover the benefits of the SmartPartner global channel program
Become a part of the innovation
The latest updates, release information, and global events
February 10, 2022 | Written by: Surinder Paul | DNS, DNS Security
APIClient Query FilteringCQFDNSDNS ApplianceDNS FilteringDNS SecurityDNS Security IssuesDNS SolutionEnterprise Network SecurityIoTMalwareNISNIS 2Zero Trust
You can’t control what you can’t see, as the saying goes. One of the main pillars of Zero Trust Foundations is Granular Visibility and Control on the traffic. This means being able to differentiate the sources of the traffic (microsegmentation) and their related destinations. From there, security wise, one can decide what has to be done, allowing or denying source-destination combinations.
Regarding granular visibility, DNS by nature sees all traffic intents at the earliest possible point in the IP traffic flow, actually even before application data flow on the network. By default DNS serves all requests from any source to any known destinations. What if we use this integral capability of DNS to decide whether some source-to-destination’ combinations would be granted or not, as a security measure? DNS security already uses deny lists as part of DNS Filtering (Response Policy Zone) to deny access to inappropriate domains (malware, etc.). Why not use DNS allow lists as part of a Zero Trust strategy to specifically grant certain users access to only specific applications? In Security, Allow Strategies use a mechanism called an Allow List which explicitly allows some identified object access to a particular privilege, service, application while by default the rest are denied.
Let’s have a look at traditional tools/solutions used for Zero Trust strategies. Using Authentication will prevent access to an application but not to the infrastructure hosting it. As an analogy, you might not have the key to the front door of the house but might try an open backdoor or window to get inside anyway. So, not only does user authentication arrive late in the security process, letting the user send his traffic that should be denied across the network but this also “leaves the door open” to attacks on the infrastructure. It’s necessary as you don’t want to leave your door unlocked and opened anyway but this is not sufficient to efficiently protect your applications.
As we mentioned, DNS Filtering (RPZ) using deny listing, can block access to some domains (malware, etc.) but this will do it for all clients. Although it is useful and necessary for domains that must never be accessed by anyone, whatever the reason (security, legal, performance, etc.), this can’t be used as a means to differentiate access to applications from a client standpoint.
Ultimately, routers and firewalls can do the job but as they are usually positioned at the edge of the network between the WAN and the LAN, if you want to protect access to your internal applications while also differentiating all your clients, you need to position a firewall function behind each port of your network, behind each client and each application. This is theoretically possible but is complex and hefty to manage, might lack flexibility if you need to adapt your network to new business imperatives and will undoubtedly become costly at the end. So there again, although firewalls are indispensable to protect the communications between sites, they are not the best option to protect what’s inside your networks.So all in all, each of the existing solutions used as part of Zero Trust strategies are lacking some capabilities to efficiently provide Application Access Control at client level.
As we stated, by its very nature and purpose, DNS sees all traffic intents between clients and applications, domains, resources. DNS will serve all requests from any client toward any destinations, denying access to unwanted domains and sites for all clients with DNS Filtering. In any case, by default, DNS does not exploit the requesting client information to decide if the request should be served or not. And yet filtering DNS requests based on the requesting clients would complement traditional Zero Trust solutions to help them overcome their obvious limitations. The use of DNS allow listing at the client level will be applied early in the process, preventing the unwanted traffic to be sent across the network. It will differentiate internal and external applications without having to deploy any new security infrastructure on the network and can be done rapidly. It will differentiate all client types, users, machines, IoT and all the combinations of client-to-application traffic, wherever they are all located and regardless of the network (LAN, WAN, Wireless) between them.
Zero Trust does not rely on a single set of solutions or technologies. On the contrary, the more security layers, the stronger the security and protection of your Apps, Users and Data. Application Access Control in a Zero Trust framework can be easily activated by using EfficientIP DNS Client Query Filtering (CQF). This will complement your existing solutions by expanding the capability to filter access to any applications and resources at the client level leveraging DNS allow lists; making DNS your first line of defense.
When our goal is to help companies face the challenges of modern infrastructures and digital transformation, actions speak louder than words.
Explore content highlighting the value EfficientIP solutions bring to your network
To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.
We use cookies to enhance your browsing experience, serve personalized content, and analyze our traffic. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site.
