New Security Threat Category: Cryptomining

Domains which host resources related to browser-based cryptocurrency mining (Cryptomining) can now be blocked as a Security Threat in the Dashboard.

2018-06-01 14_55_33-Dashboard _ DNSFilter.png

Mining cryptocurrency has security and resource utilization implications that are generally undesirable to networks and systems; such implications include, but are not limited to the utilization of:

  • GPU
  • CPU
  • Bandwidth
  • Electricity

Browser-based Cryptomining continues to grow in popularity by way of embedding in websites and applications, making it transparent and unauthorized to the enduser.

Policies which currently have Malware blocked in the Dashboard now have this setting turned on automatically.

DNS-over-TLS Support

DNS-over-TLS is now supported on all servers in all locations.

Our upcoming Windows Agent and LAN Proxy will ship with DNS-over-TLS support as an option, but will not be enabled by default until further enhancements* are made.

Refer to our KB article for more information about enabling DNS-over-TLS support in various DNS forwarder/stub resolver software.

* User Agent and LAN Proxy Enhancements refer to:

  • Implementation of TCP_FastOpen in Windows 10 (User Agent)
  • Review of RFC 7828 (User Agent + LAN Proxy)
  • Pending release of OpenSSL 1.1.1 /w TLS 1.3 (Server + Clients)

Integrated Feedback and Roadmap Features

We've integrated a Feedback and Roadmap system into the Dashboard.

The Product Roadmap section shows:

  • Planned (Confirmed Plan)
  • In Progress (Currently In Development)
  • Complete (Released)

From this page, you can one-click upvote for a specific feature.

newroadmap.png

The Feature Request section shows both Planned and Unplanned feature requests which have already been proposed.

From this page, you can add comments to existing feature requests, create your own request, or upvote requests.

featurerequest.png

Scheduled Filtering Policies (Time-of-Day Filtering)

It's now possible to schedule multiple filtering policies in the same day/week.

Some details:

  • A policy must have a minimum duration of 15 minutes
  • A policy can only start in 15-minute intervals (:00/:15/:30/:45)
  • If a domain's TTL exceeds transition point of the next policy, it'll automatically be reduced to the transition point, minus 1 second.
  • Any areas left blank will result in No policy (no security categories either)!
  • Chrome and Firefox require a minimum 60-second TTL, so the transition between policies have a theoretical delay of 60 seconds in real-world applications.

The calendar interface supports drag-n-drop and click-to-expand for easy implementation and changes.

Or, choose an all-day policy for specific days.

After creating your filtering schedule, select it from the Networks --> Policies (tab) section of the Dashboard. Filtering Schedules are denoted by the calendar icon.

CNAME Awareness in Whitelist

Adding a domain to the Whitelist didn't always result in full access to the desired website/service; domains are often CNAMEs, and the target of the CNAME is also required to be whitelisted to load the page and associated content.

When adding a domain to the whitelist, DNSFilter now automatically checks if the domain is a CNAME and requires adding extra domains; the administrator is then notified and provided the option to add the domains.

While this doesn't solve the problem of wanting to whitelist all domains which load content on a specific webpage, it certainly helps us to address a common issue when Whitelisting domains.

Domain Lookup Tool Enhancements

Our Domain Lookup Tool previously only served two functions:

  • Print a domain's categories
  • Report if a domain's categories were inaccurate

The Domain Lookup Tool has the following new features:

  • Prints the Policy name if the domain is on a Blacklist or Whitelist of a Policy.
  • Report if a domain is a known threat, with the ability to provide additional context.

Real-Time Query Log, Reporting: Export CSV

Query Log

This feature allows searching all DNS queries for up to 72 hours; optionally, for specific domains or response types (blocked or allowed).

This allows for much easier troubleshooting for an array of circumstances and use cases.

This feature can be found in the Tools section of the Dashboard.

This release only allows searching of domain names (google.com) and not specific subdomains (accounts.google.com), but a subsequent update will allow this.

Reporting: Export CSV

The following Reports can now be exported to a CSV file:

  • Top Requests
  • Threats
  • Query Log (Tools)

Customizable Bypass Password, New Reporting Charts, Anycast Block Pages

Customizable Bypass Password

One of our most requested enhancements.

Customers can now set a custom bypass password at the Block Page Policy level. Previously this was set at the network level, and only a static password was offered.

New Charts

Part of a series of updates to the Reporting system. We've updated our charts library, which is more aesthetically pleasing, contextual, and more importantly, accurate.

AnyCast Block Pages

Although we have DNS servers all over the world, our block pages were only hosted in a single location in Dallas, Texas, USA. This meant the pages would be slower to load for European customers, and were a single point of failure being in a single data center.

Our block page IP address is now an Anycast address, with locations in the following locations:

  • New Jersey, NJ
  • Las Vegas, NV
  • Roost, Luxembourg

European customers will now experience faster block page rendering, and our block pages are now fully redundant.

SSL Certificate, External Block Pages

It's been a while since our last update, and your patience have not been in vane.

SSL Root Certificate

We're pleased to release our most popular feature request, an SSL Root Certificate.

By installing the certificate on a device, block pages loading over HTTPS can be viewed, resulting in less confusion and education for endusers, in addition to the added functionality of using the proxy bypass option.

With SSL Root certificate

Without SSL Root certificate

The certificate can be downloaded in the new Tools -> SSL Certificate Section of the Dashboard, which also has embedded installation instructions for Windows, MacOS, and Linux (Debian/Ubuntu) and link to our KB article for deploying the certificate using Active Directory.

External Block Pages (302 Redirect)

We've added the option to host your own block page, which is triggered by a 302 redirect.

Blocks occurring over HTTPS will only be redirected if the SSL certificate is installed, otherwise a certificate mismatch error will appear as expected.

Block Page Policies, Payment Status

Block Page Policies

Previously, Block Page settings were only configurable at the Network level; this meant customers wanting to have the same Block Page logo and/or behavior had to repeatedly configure the same settings for each Network.

Block Page settings can now be configured as a separate entity under Policies, which allows customers to use the same Block Page settings for numerous networks.

Existing Block Page settings have been migrated to the new Policies --> Block Pages tab, and existing customers will need to consolidate as necessary.

The Block Page policies are then assigned in the Networks section.

Block Page Bypass remains a per-network option, as our survey results overwhelmingly showed that customers prefer to enable this feature on a per-network basis.

Payment Status of invoices is now available in the Organization section in the Billing Info tab.

No published changelogs yet.

Surely DNSFilter will start publishing changelogs very soon.

Check out our other public changelogs: Buffer, Mention, Respond by Buffer, JSFiddle, Olark, Droplr, Piwik Pro, Prott, Ustream, ViralSweep, StartupThreads, Userlike, Unixstickers, Survicate, Envoy, Gmelius, CodeTree