Control Requirement 5.7.3.2: Implementing DNS Firewalls for Enhanced Security
Control requirement 5.7.3.2 from the CAN/DGSI 104:2021 Rev 1 2024 standard emphasizes the need to implement a DNS firewall for outbound DNS requests to the Internet. This practice is essential for maintaining the security and integrity of your network.
Why DNS Firewalls Matter
DNS firewalls play a vital role in network security for several reasons:
Threat Prevention: DNS firewalls help prevent access to malicious domains, blocking threats before they can reach your network.
Traffic Filtering: They filter outbound DNS requests, ensuring that only legitimate traffic is allowed to pass through.
Monitoring and Logging: DNS firewalls provide detailed logs of DNS requests, helping you monitor and analyze traffic patterns to identify suspicious activities.
Compliance: Implementing DNS firewalls helps meet regulatory requirements and adhere to industry standards for data protection and network security.
How to Implement Effective DNS Firewall Solutions
To effectively implement DNS firewall solutions, follow these steps:
1. Assessment: Evaluate your network architecture and identify the points where DNS firewalls are needed. Determine the types of DNS requests that need to be controlled.
2. Configuration: Configure the DNS firewall with appropriate security rules and policies that align with your security objectives and compliance requirements. DNS filtering should be applied to all Internet DNS requests using one of the following methods:
- A DNS firewall bundled with the perimeter firewall, enabled and kept up to date.
- A free DNS resolver that supports filtering/firewalling configured on all devices (e.g., 9.9.9.9 or Quad9).
- A DNS firewall implemented on premises and kept up to date (e.g., Pi-hole).
3. Deployment: Deploy the DNS firewall at the identified points and test the configuration to ensure it effectively controls the DNS requests and meets security requirements.
4. Monitoring: Continuously monitor the DNS firewall’s performance and DNS traffic. Regularly review and update the security rules to adapt to emerging threats and changes in the network environment.
5. Documentation: Maintain detailed documentation of the DNS firewall configuration, security rules, and monitoring procedures for future audits and security assessments.
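One way to check during deployment and monitoring that filtering really applies to all Internet DNS requests is to audit outbound flow logs for clients that send DNS directly to resolvers other than the approved DNS firewall. The script below is an added example, not part of the standard or of any product mentioned here; the log format, the sample lines, the function name and the approved-resolver list (Quad9's 9.9.9.9 and its secondary 149.112.112.112) are assumptions to adapt to your environment.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumption: the approved filtering resolvers are Quad9's 9.9.9.9 (named on
# this page) and its secondary 149.112.112.112. Replace with your own.
APPROVED_RESOLVERS = {"9.9.9.9", "149.112.112.112"}
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS

# Constructed sample flow log: timestamp,src_ip,dst_ip,dst_port,proto
SAMPLE_LOG = """\
2024-05-01T10:00:01Z,10.0.0.15,9.9.9.9,53,udp
2024-05-01T10:00:02Z,10.0.0.22,8.8.8.8,53,udp
2024-05-01T10:00:03Z,10.0.0.22,1.1.1.1,853,tcp
2024-05-01T10:00:04Z,10.0.0.31,10.0.0.2,53,udp
2024-05-01T10:00:05Z,10.0.0.15,93.184.216.34,443,tcp
2024-05-01T10:00:06Z,10.0.0.40,8.8.8.8,53,tcp
garbage,x,not-an-ip,53,udp
"""

def find_dns_bypass(log_text, approved=APPROVED_RESOLVERS):
    """Return {client_ip: sorted unapproved Internet resolvers it contacted}."""
    offenders = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip lines that do not match the expected format
        _, src, dst, port, _ = row
        try:
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed addresses or ports
        # Only DNS traffic leaving for the Internet is in scope; queries to
        # an internal (private-range) resolver are not outbound requests.
        if port not in DNS_PORTS or dst_ip.is_private:
            continue
        if dst not in approved:
            offenders[src].add(dst)
    return {src: sorted(dsts) for src, dsts in offenders.items()}

if __name__ == "__main__":
    for client, resolvers in sorted(find_dns_bypass(SAMPLE_LOG).items()):
        print(f"{client} bypasses the DNS firewall via {', '.join(resolvers)}")
```

Any client the script reports is resolving names outside the filter, so either its resolver settings need correcting or the perimeter firewall should block outbound DNS to everything except the approved resolvers.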
Policy and Enforcement
Organizations must have a clear policy outlining the requirements for DNS firewall implementation. This policy must include:
Scope: Define the points in the network where DNS firewalls are needed and the types of DNS requests that need to be controlled.
Configuration Guidelines: Provide detailed instructions for configuring DNS firewalls, including security rules and policies.
Monitoring and Maintenance: Outline the procedures for monitoring DNS firewall performance and updating security rules.
Enforcement: Specify the consequences for failing to adhere to the policy, which may include disciplinary action.
Conclusion
Implementing DNS firewalls for outbound DNS requests is a vital control requirement that enhances an organization’s network security. By following this control requirement from the CAN/DGSI 104:2021 Rev 1 2024 standard and adhering to a clear policy, organizations can safeguard their data and systems, ensuring business continuity and compliance with industry standards.