
    Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?

    IT Discussion
    15 Posts 4 Posters 1.8k Views
    • openitO
      openit
      last edited by

      Hey there,

      I am just wondering if we need to use services like OpenDNS or Dyn while we have a firewall with IDS/IPS?

      The following is the snap of IDS activity on the firewall:
      [Screenshot: IDS activity on the firewall]

      As I see it, we can block or control traffic with OpenDNS or Dyn services, which can be done with our firewall, so do we need that?

      Another thought in my mind, after going through several threads in different places, is that OpenDNS will add one more layer to block unwanted or malicious traffic along with the firewall.

      If it is good to have one of these, and as I see OpenDNS is commercial, how about the Dyn service, which seems to be free (is that free for commercial use?)?

      Thanks

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        Blocking traffic is the wrong way to think of it. OpenDNS can't block anything. It stops internal users from resolving things that you don't want them to resolve.

        openitO 1 Reply Last reply Reply Quote 2
        • openitO
          openit @scottalanmiller
          last edited by

          @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

          Blocking traffic is the wrong way to think of it. OpenDNS can't block anything. It stops internal users from resolving things that you don't want them to resolve.

          I see. I meant for blocking any malicious websites (say, sources of ransomware web links, etc.). Are you saying it's the wrong way due to false-positive cases, or because it may affect the functionality of business resources?

          Just thought of adding one more layer if okay/possible.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            It's a fine tool to use, but don't think of it as blocking. Users can still get to sites if you use a DNS tool. It just takes more work. It's different than blocking.

            1 Reply Last reply Reply Quote 2
            • Deleted74295D
              Deleted74295 Banned
              last edited by

              A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

              scottalanmillerS 1 Reply Last reply Reply Quote 0
              • scottalanmillerS
                scottalanmiller @Deleted74295
                last edited by

                @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                DashrenderD Deleted74295D 2 Replies Last reply Reply Quote 0
                • DashrenderD
                  Dashrender @scottalanmiller
                  last edited by

                  @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                  @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                  A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                  Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                  Yeah, but what traffic would you be blocking? A specific DNS domain request? That's something I've never heard of before - so really, as Scott was alluding to, there would be no change at the DNS level.

                  scottalanmillerS 1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                    @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                    @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                    A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                    Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                    Yeah, but what traffic would you be blocking? A specific DNS domain request? That's something I've never heard of before - so really, as Scott was alluding to, there would be no change at the DNS level.

                    You'd block sites completely, not just requests to look for those sites.

                    DashrenderD 1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender @scottalanmiller
                      last edited by

                      @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                      @Dashrender said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                      @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                      @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                      A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                      Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                      Yeah, but what traffic would you be blocking? A specific DNS domain request? That's something I've never heard of before - so really, as Scott was alluding to, there would be no change at the DNS level.

                      You'd block sites completely, not just requests to look for those sites.

                      So? The DNS request would still happen. Unless the firewall is looking inside the DNS queries, or the onsite DNS server is set up as authoritative for those domains and responding with access denied (not really, but you know what I mean).

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                        @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                        @Dashrender said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                        @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                        @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                        A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                        Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                        Yeah, but what traffic would you be blocking? A specific DNS domain request? That's something I've never heard of before - so really, as Scott was alluding to, there would be no change at the DNS level.

                        You'd block sites completely, not just requests to look for those sites.

                        So? The DNS request would still happen. Unless the firewall is looking inside the DNS queries, or the onsite DNS server is set up as authoritative for those domains and responding with access denied (not really, but you know what I mean).

                        Yes, if you don't have DNS limiting internally, which you can as well.

                        1 Reply Last reply Reply Quote 0
                        • Deleted74295D
                          Deleted74295 Banned @scottalanmiller
                          last edited by

                          @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                          @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                          A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                          Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                          But how does that work with processing lists of URLs? Hundreds of thousands of URLs in a black list (potentially)

                          DashrenderD scottalanmillerS 2 Replies Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender @Deleted74295
                            last edited by

                            @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                            @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                            @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                            A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                            Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                            But how does that work with processing lists of URLs? Hundreds of thousands of URLs in a black list (potentially)

                            I don't understand the question. Hundreds of thousands of root URLs are nothing for a modern router/firewall to search through. Though really filtering should be done in its own appliance, not in the firewall itself - if you are to agree with JB and Scott on this point. So you'll have dedicated resources that won't affect the firewall itself.

                            Deleted74295D 1 Reply Last reply Reply Quote 0
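
Added example (not part of any post in this thread, and not code from OpenDNS, Dyn or any firewall vendor): a sketch of how a filtering resolver or dedicated filtering appliance can check a queried name against a large domain blocklist, relevant to the question above about lists with hundreds of thousands of entries. The blocklist, the allowlist and every domain name are constructed; the function names are hypothetical.

```python
# Added illustration: suffix matching of DNS query names against a large
# blocklist held in a hash set. All domains below are constructed samples.

def normalize(qname: str) -> str:
    """Lower-case, drop the trailing root dot, convert IDNs to ASCII form."""
    name = qname.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name  # unparseable names are left as-is and will not match

def candidates(name: str):
    """Yield the name, then each parent domain, stopping before the bare TLD."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def decide(qname, blocklist, allowlist=frozenset()):
    """Return (verdict, matched_rule, probes).

    The most specific entry wins, so an allowlisted subdomain overrides a
    blocked parent domain (one way to handle a false positive).
    """
    probes = 0
    for cand in candidates(normalize(qname)):
        probes += 1
        if cand in allowlist:
            return ("allow", cand, probes)
        if cand in blocklist:
            return ("block", cand, probes)
    return ("allow", None, probes)

def build_constructed_blocklist(n=300_000):
    """Constructed list of n fake domains plus one named sample entry."""
    entries = {f"bad{i}.example" for i in range(n)}
    entries.add("malware-host.test")
    return entries

if __name__ == "__main__":
    blocklist = build_constructed_blocklist()
    allowlist = {"portal.bad7.example"}  # constructed false-positive override
    for q in ("cdn.Malware-Host.test.", "www.bad7.example",
              "portal.bad7.example", "intranet.corp.example"):
        # probes is bounded by the number of labels, not by the list size
        print(q, decide(q, blocklist, allowlist))
```

The verdict here only controls what the resolver answers; it does not touch traffic sent to an IP address, which is the resolving-versus-blocking distinction drawn earlier in the thread.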
                            • Deleted74295D
                              Deleted74295 Banned @Dashrender
                              last edited by

                              @Dashrender said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                              @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                              @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                              @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                              A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                              Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                              But how does that work with processing lists of URLs? Hundreds of thousands of URLs in a black list (potentially)

                              I don't understand the question. Hundreds of thousands of root URLs are nothing for a modern router/firewall to search through. Though really filtering should be done in its own appliance, not in the firewall itself - if you are to agree with JB and Scott on this point. So you'll have dedicated resources that won't affect the firewall itself.

                              How does that make sense? You have a bog standard router, how does it have dedicated resources?

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @Deleted74295
                                last edited by

                                @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                @Dashrender said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                                Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                                But how does that work with processing lists of URLs? Hundreds of thousands of URLs in a black list (potentially)

                                I don't understand the question. Hundreds of thousands of root URLs are nothing for a modern router/firewall to search through. Though really filtering should be done in its own appliance, not in the firewall itself - if you are to agree with JB and Scott on this point. So you'll have dedicated resources that won't affect the firewall itself.

                                How does that make sense? You have a bog standard router, how does it have dedicated resources?

                                You buy dedicated resources.

                                The consensus around these parts is that those all in devices are poop. The SonicWalls, WatchGuard, etc - these devices are often underpowered and cause the internet to be slow due to lack of resources to run the functions that are sold with the device.

                                This is why others around here push that IF YOU REALLY NEED these functions, then buy a dedicated box (or run a VM) for that function.

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @Deleted74295
                                  last edited by

                                  @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                  @scottalanmiller said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                  @Breffni-Potter said in Do we need Dyn or OpenDNS if we have firewall with IDS/IPS and if so, how about Dyn free ?:

                                  A DNS level approach is very resource efficient because your gateway box does no heavy lifting. So you gain a lot of security without affecting performance.

                                  Is that true? DNS requests still go out and fail, causing traffic on the router and delays for the users. Blocking on the router is actually less resource intensive because the router blocks the traffic entirely.

                                  But how does that work with processing lists of URLs? Hundreds of thousands of URLs in a black list (potentially)

                                  I suppose if you are still allowing and getting lookups but only then blocking and put that on your firewall instead of on the proxy, then that would be a small hit.

                                  1 Reply Last reply Reply Quote 0