Recommended Policy Configuration

Article author
Josh L
  • Updated

DNSFilter's policies are highly configurable, and scalable with the needs of your organization. In this article, we wanted to discuss baseline policy configurations that we recommend as a starting place for all organizations. We encourage our customers to regularly review configured policies within DNSFilter as your needs change and as we add new options.

Depending on your organization's environment, we have two best practice recommendations for a starting configuration:

 

Baseline Threat Protection Advanced Threat Protection
Botnet Botnet
Cryptomining Cryptomining
Malware Malware
Very New Domains New Domains
Phishing & Deception Phishing & Deception
Proxy & Filter Avoidance Proxy & Filter Avoidance
  Extra Settings: Block Uncategorized Sites
  Extra Settings: Parked Sites and Domains

*Note: If you choose Advanced Protection, turn on the categories under Extra Settings individually after applying baseline protection. Watch for tickets generated from users as well as our Query Log to decide if they should remain on. Security is always a balance between protection and usability. Your users need to have enough access to get their work done, in an environment that restricts them from accessing harmful content.

 

The baseline configuration will protect against most active threats by blocking malware and phishing content. The Very New Domains category also blocks domains registered in that last 24 hours that have a high probability of serving malicious resources.

The advanced configuration adds the New Domains, Uncategorized, and Parked categories. New Domains will block domains registered in the last 30 days and which have a high probability of serving malicious resources. Uncategorized will block domains that are unknown to DNSFilter by default. Parked will block domains that have boilerplate content and/or have "Under Construction" messaging.

 

A detailed explanation of each of these additional categories is below. Let’s start with some options to block newly seen domains by DNSFilter:

  • New Domains - Domains which have been registered in the last 30 days and which have a high probability of serving malicious resources
  • Very New Domains - Domains which have been registered in the last 24 hours which have a high probability of serving malicious resources.

 

*Note: For a domain to be categorized as New or Very New, it needs to be seen (resolved) by DNSFilter first. 

 

One additional option to further increase protection for newly registered domains but not yet seen (resolved) by DNSFilter is under the Extra Settings section:

 

  • Block Uncategorized Sites - This setting controls whether or not to block domains that the system has not classified (including newly-registered domains). It is off by default because many Content Servers and Content Distribution Networks (CDNs) are served from domains that have no web content to scan but are important to end user experience (Office Online documents, Dropbox uploads etc)

 

*Note: Because the Block Uncategorized Sites category can impact the user experience, we recommend turning it on individually after a policy is applied and monitoring results.

 

Another option that may be helpful for any resolved domain is blocking parked domains:

 

  • Parked Sites & Domains - These are sites which are not displaying legitimate content, but instead are showing "Parked" pages with common search terms, "Under Construction" messages, or a list of advertisements. In some cases, these may be newly registered domains. This setting is off by default.

 

Lastly, no security vendor can guarantee 100% protection, so we encourage organizations to use a layered approach for security which includes security awareness training.

 

 

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request

Comments

0 comments

Article is closed for comments.