Threat shield DNS

Threat shield DNS#

Threat shield DNS uses Adblock which blocks any request to domains considered malicious. The service can load community-maintained blocklists or use Enterprise feeds provided by Nethesis and Yoroi a leading company focused on CyberSecurity and member of Cyber Threat Alliance.

Please note that to access the Nethesis and Yoroi blocklists, the unit must have a valid extra entitlement for this service.

Configuration#

Note

Please use Threat shield DNS only if you are not already using the FlashStart service. Both services operate at the DNS level and cannot be used together. The UI prevents enabling them simultaneously to avoid conflicts.

The service is disabled by default, to enable it navigate to the Threat shield DNS page under the Security section. Access the Settings tab and activate the Status switch.

When the service is enabled, the Blocklist sources tab will display all available blocklists. You can enable or disable each blocklist by using the switch on the right side of the list. Enabled blocklists will be automatically updated at regular intervals.

To specify on which zones the service should be active, select them in the Force DNS redirection on these zones combobox.

Redirected ports allows you to specify which ports should be redirected to Threat shield DNS service.

Community blocklists#

Community blocklists are sourced from community contributors and block various domains related to: ads, malware, spam, tracker, explicit sexual content, piracy and so on. NethSecurity makes them available as they are.

Community lists do not provide a standardized “Confidence” metric, therefore the UI shows their confidence as “Unknown”. As a practical heuristic, when the list name contains a severity or trust indicator (e.g. “lvl 1”, “level 1”), it generally denotes the lowest false positive rate and the highest confidence; conversely, higher indicated levels (e.g. “lvl 2”, “lvl 3”, “lvl 4”) typically imply lower confidence and a higher risk of aggressive or incorrect entries. Naming conventions vary and not all community providers include such indicators, so always review a community list’s contents and purpose before enabling it in production. The type of usage license may vary depending on the provider, so if the use is not personal, you may need to inquire with the provider.

Community lists maintenance

Each blocklist is maintained by its specific provider. NethSecurity already includes the URLs for downloading the feeds, which are valid at the time of the release. However, because these URLs are hard-coded, if the provider changes them, some blocklists may no longer be downloadable.

Enterprise blocklists#

Subscription required

This feature is available only if the unit has a valid Community or Enterprise subscription.

Enterprise blocklists are specifically focused on security and offer several advantages over community-maintained blocklists:

  1. Quality and accuracy: Enterprise blocklists, such as the ones provided by Nethesis and Yoroi, are curated and maintained by reputable cybersecurity companies. These companies have dedicated teams that continuously monitor and update the blocklists to ensure they are accurate and effective in blocking malicious traffic. This results in a higher level of quality and accuracy compared to community-maintained blocklists, which may not receive the same level of attention and updates.

  2. Timeliness: Enterprise blocklists are frequently updated to include the latest threats and malicious IP addresses. Cybersecurity companies like Nethesis and Yoroi actively track emerging threats and promptly add them to their blocklists. This ensures that your system is protected against the most recent and evolving threats.

  3. Reduced false positives: False positives occur when legitimate traffic is mistakenly blocked. Enterprise blocklists are designed to minimize false positives by carefully curating and verifying the listed IP addresses and hostnames. The companies behind Enterprise blocklists have robust processes in place to ensure that only malicious entities are included in the blocklists. This reduces the chances of legitimate traffic being blocked, minimizing disruptions to your network or services.

  4. Enterprise support: Enterprise blocklists often come with additional support and services tailored for enterprise environments. This includes access to technical support, documentation, and integration assistance. If any issues or questions arise while using the Enterprise blocklists, you can rely on the support provided by the cybersecurity companies to help you address them effectively.

Confidence#

Enterprise blocklists include a “Confidence” score which is shown in the UI. The score is expressed as a value from 1 to 10 and represents the provider’s assessment of the list quality: higher values indicate higher confidence and a lower likelihood of false positives. This “Confidence” metric is available only for Enterprise lists; Community lists are presented “as is” and display “Unknown” for confidence.

Yoroi and Nethesis blocklists are Enterprise blocklists. These lists will be listed only if the unit has a valid Enterprise or Community subscription and a valid entitlement for the Threat Shield service.

Filter bypass#

Some hosts or subnets may need to bypass Threat shield DNS filtering. To configure filter bypass, navigate to the Filter bypass tab of Threat shield DNS. Use the Add bypass button to add a new address to the list. The address can be a valid IPv4/IPv6 address with optional CIDR notation.

Local allowlist#

To allow specific domains that may be included in blocklists, you can navigate to the Local allowlist tab of Threat shield DNS. Use the Add domain button to add a domain to the list; you can add a description to the domain to help you remember why it was added.

Domains in the allowlist take priority over Blocklists and the Local blocklist

Local blocklist#

To block specific domains not included in the blocklists, you can navigate to the Local blocklist tab of Threat shield DNS. Use the Add domain button to add a domain to the list; you can add a description to the domain to help you remember why it was added.

Warning

The DNS resolution for the names listed in the blocklist will also affect the unit itself

Check if a domain is blocked#

If you are experiencing issues with domain resolution and want to check whether a specific domain is blocked, you can perform a query directly from the local terminal.

Use the following command to check a domain:

/etc/init.d/adblock query <domain>

For example:

root@nethsecurity8:~# /etc/init.d/adblock query baddomain.com

The output might look like this:

:::
::: domain 'baddomain.com' in active blocklist
:::
  + baddomain.com

:::
::: domain 'baddomain.com' in backups and black-/whitelist
:::
  + adb_list.adult.gz             baddomain.com

This output shows if the domain is currently blocked by any active blocklists. In this specific example, the domain baddomain.com is part of the category adult, as indicated by adb_list.adult.gz. This helps you identify which category or list caused the domain to be blocked.

Advanced configuration#

When Threat shield DNS is enabled:

  • A new category source file is generated based on the unit registration and entitlement.

  • All DNS queries are redirected to the local machine.

  • Adblock is configured to use the new category source file and will be started automatically.

Even if not recommended, it’s possible to use Adblock without Threat shield DNS. For more detailed configuration options, please refer to the developer manual.