DNS Firewall
Plain English Translation
To keep users and systems from reaching malicious websites, organizations must route outbound DNS requests through a DNS firewall. Also known as protective DNS (PDNS), this control answers lookups for known malicious domains with a block or sinkhole response instead of the real address, so the connection never starts. Meeting the CyberSecure Canada requirements for a DNS firewall lets organizations stop phishing, ransomware callbacks, and malware downloads at the lookup stage, before any traffic reaches the attacker's infrastructure.
Technical Implementation
Required actions are listed below by organization size.
Required Actions (startup)
- Point corporate routers and DHCP at a reputable third-party protective DNS service, so that clients receive only the protective resolver.
- Ensure the DNS firewall logs block events (time, client, queried domain, matched rule or category) and that these logs are reviewed.
Required Actions (scaleup)
- Deploy endpoint agents that enforce the DNS firewall on remote users and BYOD devices, wherever they connect.
- Forward DNS firewall logs to a centralized SIEM and configure alerting on them.
Required Actions (enterprise)
- Implement DNS sinkhole and blocklist management driven by real-time threat intelligence feeds, with a documented allowlist process for false positives.
- Block unauthorized DNS over HTTPS (DoH) and DNS over TLS (DoT) so that neither users nor malware can bypass the protective resolver.
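As an added example of the logging and SIEM alerting called for in the scaleup and enterprise tiers (written for this page; it is not the page's or any vendor's code), the following Python runs two jobs a SIEM would run over DNS firewall block events: a burst rule that flags a client resolving several distinct blocked domains in a short window, and a summary for the periodic review. It assumes the firewall exports one JSON object per event with `ts` (epoch seconds), `client`, `qname`, `action` and `category`; the events below are constructed.

```python
"""SIEM-side rules over protective-DNS block events.

Added example for this page, not the page's or any vendor's code. The event
format (ts, client, qname, action, category) is an assumption and the sample
events are constructed.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample export: one JSON object per event, as the DNS firewall would ship it.
SAMPLE_EVENTS = """\
{"ts": 1700000000, "client": "10.1.1.30", "qname": "update-check.example", "action": "allow", "category": ""}
{"ts": 1700000010, "client": "10.1.1.31", "qname": "c2-a.example", "action": "block", "category": "c2"}
{"ts": 1700000070, "client": "10.1.1.31", "qname": "c2-b.example", "action": "block", "category": "c2"}
{"ts": 1700000130, "client": "10.1.1.31", "qname": "c2-c.example", "action": "block", "category": "c2"}
{"ts": 1700000150, "client": "10.1.1.32", "qname": "phish-login.example", "action": "block", "category": "phishing"}
{"ts": 1700004000, "client": "10.1.1.31", "qname": "c2-d.example", "action": "block", "category": "c2"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines events and return them in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])
    return events


def burst_alerts(events: List[Dict], window: int = 600, threshold: int = 3) -> List[Dict]:
    """Flag a client that hits `threshold` distinct blocked domains within `window` seconds.

    A single block is usually a user clicking a link. One host cycling through several
    different blocked domains in minutes looks like an implant working its callback list,
    so it is raised as one alert per client per run."""
    per_client = defaultdict(list)
    for e in events:
        if e["action"] == "block":
            per_client[e["client"]].append(e)
    alerts = []
    for client, evs in per_client.items():
        start = 0
        for end in range(len(evs)):            # sliding window over this client's blocks
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["qname"] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"client": client,
                               "first_ts": evs[start]["ts"],
                               "last_ts": evs[end]["ts"],
                               "domains": sorted(distinct)})
                break
    return alerts


def review_summary(events: List[Dict]) -> Dict:
    """Figures for the periodic review: how much was blocked, of what kind, and where."""
    blocks = [e for e in events if e["action"] == "block"]
    return {"events": len(events),
            "blocks": len(blocks),
            "by_category": dict(Counter(e["category"] for e in blocks)),
            "top_domains": Counter(e["qname"] for e in blocks).most_common(5),
            "clients_affected": len({e["client"] for e in blocks})}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in burst_alerts(evs):
        print("ALERT", json.dumps(alert))
    print(json.dumps(review_summary(evs), indent=2))
```

The window and threshold are the knobs to tune against real traffic: too low and every user who clicks a phishing link pages the on-call engineer, too high and a slow-beaconing implant never trips the rule, which is why the summary also reports the raw block counts for human review.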
A DNS firewall, also known as protective DNS (PDNS), intercepts outbound DNS requests from a network. It compares the requested domain against threat intelligence feeds and answers lookups for known malicious domains with a block (NXDOMAIN) or sinkhole response, so the device never learns the real address and cannot connect to the dangerous site.
CyberSecure Canada requires this control to reduce malware infections and data exfiltration. Because almost every connection begins with a DNS lookup, a DNS firewall on outbound DNS is effective at cutting off ransomware command-and-control traffic and phishing sites. Its blind spots are connections made directly to an IP address, domains the feeds do not yet know, and lookups that bypass the protective resolver, which is why the control is paired with egress rules and DoH/DoT restrictions.
You meet the CyberSecure Canada 5.7.3.2 DNS firewall requirement by configuring your network gateways and endpoints to route all DNS lookups through a protective DNS filtering service that actively drops or redirects requests for known malicious domains.
While the terms are often used interchangeably, DNS filtering typically means blocking content categories such as gambling or social media, whereas a DNS firewall focuses on security by blocking malicious infrastructure. A secure web gateway (SWG) operates at the application layer and inspects URLs and content rather than only domain names, so it offers deeper inspection than DNS and complements the DNS firewall rather than replacing it.
To fully implement protective DNS (PDNS), deploy it at multiple layers. The network gateway should redirect local port 53 traffic to the approved resolver (or drop DNS bound anywhere else), the recursive resolvers should enforce the policy, and endpoint agents should keep the DNS firewall in place for remote users and BYOD devices when they are off-network.
Users and threat actors can use DoH and DoT to bypass resolver-level controls, because the queries travel inside TLS on port 443 or 853 instead of plain port 53. Organizations should block unauthorized DoH/DoT endpoints at the network firewall and use managed-browser policies or endpoint agents to disable built-in DoH or pin it to the organization's protective resolver.
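Detecting the bypass paths described above from egress records is a job for a SIEM or a firewall-log pipeline; the following Python is an added example written for this page (not the page's own code and not tied to any product). It assumes JSON-lines flow records with the fields shown in the constructed sample (`src`, `dst`, `proto`, `dport`, plus `sni`, `path` and `content_type` when a TLS-inspecting proxy supplies them), an assumed pair of approved internal resolvers, and a short hand-picked list of public DoH/DoT endpoints that a real deployment would maintain from a feed:

```python
"""Spot DNS-control bypass (plain DNS to foreign resolvers, DoT, DoH) in egress flow logs.

Added example, not from the page or any vendor. The record format, the approved
resolver addresses and the endpoint list below are assumptions for the example.
"""
import json
from collections import Counter
from typing import Dict, List, Optional

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}  # assumed: the org's protective DNS forwarders

# Public DoH/DoT endpoints. Hand-picked for the example; new resolvers appear constantly,
# so production deployments keep this set updated from a feed.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample: one flow per line, as a perimeter firewall or TLS proxy might export it.
SAMPLE_FLOWS = """\
{"src": "10.1.1.20", "dst": "10.0.0.53", "proto": "udp", "dport": 53}
{"src": "10.1.1.21", "dst": "8.8.8.8", "proto": "udp", "dport": 53}
{"src": "10.1.1.21", "dst": "1.1.1.1", "proto": "tcp", "dport": 853}
{"src": "10.1.1.22", "dst": "198.51.100.5", "proto": "tcp", "dport": 443, "sni": "cloudflare-dns.com"}
{"src": "10.1.1.23", "dst": "203.0.113.9", "proto": "tcp", "dport": 443, "sni": "resolver.example", "path": "/dns-query", "content_type": "application/dns-message"}
{"src": "10.1.1.24", "dst": "203.0.113.10", "proto": "tcp", "dport": 443, "sni": "www.example"}
"""


def classify(flow: Dict) -> Optional[str]:
    """Return a finding label for one flow, or None if it is unremarkable."""
    dst, dport = flow["dst"], flow["dport"]
    if dport == 53 and dst not in APPROVED_RESOLVERS:
        return "plain-dns-to-unapproved-resolver"
    if dport == 853:
        return "dot"  # DoT has its own port, so it is visible without TLS inspection
    if dport == 443:
        sni = flow.get("sni", "").lower()
        if sni in KNOWN_DOH_HOSTS or dst in KNOWN_DOH_IPS:
            return "doh-known-resolver"
        # RFC 8484 markers: only visible when a TLS-inspecting proxy decodes the request
        if flow.get("path") == "/dns-query" or flow.get("content_type") == "application/dns-message":
            return "doh-rfc8484-markers"
    return None


def find_bypass(lines: str) -> List[Dict]:
    """Run classify() over JSON-lines flow records and collect the findings."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        flow = json.loads(line)
        label = classify(flow)
        if label:
            findings.append({"src": flow["src"], "dst": flow["dst"], "finding": label})
    return findings


def hosts_to_investigate(findings: List[Dict]) -> Counter:
    """Findings per source host; several from one host outweigh a single stray packet."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    found = find_bypass(SAMPLE_FLOWS)
    for f in found:
        print(json.dumps(f))
    print(hosts_to_investigate(found).most_common())
```

Plain DNS to a foreign resolver and DoT are visible from ports alone. DoH to a known public resolver is caught by SNI or destination address, but DoH to an arbitrary server is indistinguishable from ordinary HTTPS unless a proxy can see the RFC 8484 markers (`/dns-query`, `application/dns-message`), which is exactly why the network rules have to be paired with browser policy and endpoint agents.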
For audits, keep logs and reports that show the DNS firewall actively blocking threats. Evidence should include configuration screens of the protective DNS service and sample logs demonstrating that malicious domains are blocked. Tools like WatchDog Security's Compliance Center can link this control to the specific artifacts (configs, log samples, review cadence) and keep them organized for audits.
Effective DNS sinkhole and blocklist management relies on reputable, automatically updated threat intelligence feeds rather than hand-maintained lists. Organizations should also run an allowlist (exception) process, with an owner and an expiry for each entry, so that false positives can be investigated and overridden quickly without weakening the feed.
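As an added example of blocklist and allowlist management (written for this page; not the page's, CyberSecure Canada's or any vendor's code), the following Python turns a threat feed and an allowlist into two RPZ zones for a recursive resolver and evaluates a query name the way the resolver would. It assumes a BIND-style `response-policy` in which the allow zone is listed before the block zone (the first matching zone wins), that each entry also covers its subdomains, and that `192.0.2.1` (a documentation address) is the sinkhole target; the feed contents are constructed.

```python
"""Blocklist and allowlist management rendered as RPZ zones for a recursive resolver.

Added example for this page, not the page's or any vendor's code. Assumptions: BIND-style
response-policy with the allow zone listed before the block zone, every entry covering its
subdomains, and 192.0.2.1 (RFC 5737 documentation range) as the sinkhole address.
"""
import time
from typing import Iterable, Optional, Set, Tuple

SINKHOLE_IP = "192.0.2.1"  # assumed sinkhole address

# Constructed threat feed: bare domains, hosts-file lines, comments, mixed case and an IDN.
BLOCKLIST_FEED = """\
# constructed feed for the example
Evil.example.
0.0.0.0 c2-callback.example
127.0.0.1 phish-login.example   # hosts-file style entry
bücher-malware.example
"""
# Constructed allowlist: a legitimate host that the feed's wildcard would otherwise catch.
ALLOWLIST_FEED = "cdn.evil.example\n"


def normalize(name: str) -> str:
    """Lower-case, drop the trailing dot and IDNA-encode, so feed entries and query names compare equal."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parse_feed(text: str) -> Set[str]:
    """Accept bare domains and hosts-file lines; ignore comments and blank lines."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        names.add(normalize(line.split()[-1]))  # last token is the hostname in both formats
    return names


class PdnsPolicy:
    """Evaluates a query name as the two RPZ zones would: allow zone first, then block zone,
    most specific suffix first, with each entry covering its subdomains."""

    def __init__(self, block: Iterable[str], allow: Iterable[str]):
        self.block = set(block)
        self.allow = set(allow)

    @staticmethod
    def _match(qname: str, zone: Set[str]) -> Optional[str]:
        labels = qname.split(".")
        for i in range(len(labels)):  # the name itself, then each parent domain
            suffix = ".".join(labels[i:])
            if suffix in zone:
                return suffix
        return None

    def decide(self, qname: str) -> Tuple[str, Optional[str]]:
        """Return ('passthru' | 'block' | 'pass', matched entry or None)."""
        q = normalize(qname)
        hit = self._match(q, self.allow)
        if hit:
            return "passthru", hit
        hit = self._match(q, self.block)
        if hit:
            return "block", hit
        return "pass", None


def render_rpz(zone: str, names: Iterable[str], action: str, serial: Optional[int] = None) -> str:
    """Render one RPZ zone. action is 'nxdomain' (CNAME .), 'sinkhole' (A SINKHOLE_IP) or
    'passthru' (CNAME rpz-passthru.). Trigger names are relative to the zone origin and the
    wildcard record extends each entry to its subdomains."""
    rdata = {"nxdomain": "CNAME .", "sinkhole": f"A {SINKHOLE_IP}",
             "passthru": "CNAME rpz-passthru."}[action]
    serial = int(time.time()) if serial is None else serial
    lines = ["$TTL 300",
             f"@ SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 600 86400 300",
             f"@ NS ns.{zone}."]
    for name in sorted(names):
        lines.append(f"{name} {rdata}")
        lines.append(f"*.{name} {rdata}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    policy = PdnsPolicy(parse_feed(BLOCKLIST_FEED), parse_feed(ALLOWLIST_FEED))
    for q in ("www.evil.example", "cdn.evil.example", "PHISH-LOGIN.example", "good.example"):
        print(q, policy.decide(q))
    print(render_rpz("rpz.allow.local", policy.allow, "passthru"))
    print(render_rpz("rpz.block.local", policy.block, "sinkhole"))
```

Listing the passthru zone first is what lets `cdn.evil.example` resolve while `*.evil.example` stays sinkholed; the allow entry is a targeted exception rather than an edit to the feed, so it survives the next automated refresh, and the `decide()` function doubles as the offline check that a new feed or exception does what the operator expects before the zones are loaded.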
Most organizations use a third-party protective DNS service rather than building their own. Evaluate candidates on threat intelligence integration, endpoint agent support for off-network devices, and the quality of their logging and reporting.
Organizations can test their DNS firewall by resolving benign test domains set up for security validation, usually published by the PDNS vendor, and confirming that the answer is the vendor's documented block or sinkhole response rather than a real address. Running the test from on-network devices and from remote or BYOD devices confirms that outbound DNS is intercepted and filtered on every path.
Auditors typically expect proof that outbound DNS is enforced (resolver settings, egress rules, agent rollout) plus logs showing blocked domains and periodic reviews. Tools like WatchDog Security's Compliance Center can map CSC-05-025 to required evidence, track gaps, and store time-stamped log samples and configuration screenshots for audit-ready reporting.
Coverage depends on knowing which endpoints, networks, and resolvers are in scope, then validating that they use the approved protective DNS path on- and off-network. Tools like WatchDog Security's Asset Inventory can help maintain an authoritative inventory and identity-to-device mapping so teams can verify rollout coverage and identify unmanaged assets that may bypass DNS controls.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-25 | WatchDog Security GRC Team | Initial publication |