DNS Firewall: Threat Intelligence at the DNS Layer

Block access to malicious domains, phishing sites and command-and-control infrastructure at the DNS resolver level before connections are ever established. The DNS Firewall uses continuously updated threat intelligence feeds delivered through Response Policy Zones (RPZ) to protect every user, application and protocol on your network.

What this solution delivers

Response Policy Zones (RPZ)

Threat intelligence data is packaged into DNS Response Policy Zones and consumed by the resolver in real time. When a user attempts to access a known malicious domain, the resolver intercepts the query and returns a block response, redirect or warning page instead of resolving the malicious destination.

Real-Time Threat Intelligence

RPZ feeds are updated continuously (as frequently as every minute) from multiple curated threat intelligence sources. This ensures that newly discovered malicious domains, phishing campaigns and ransomware infrastructure are blocked within minutes of identification.

Malware and Ransomware Protection

The DNS Firewall blocks connections to known malware distribution sites, ransomware payment portals, exploit kit landing pages and drive-by download domains. This provides a network-level layer of protection that works regardless of the endpoint's own security software.

Phishing and Brand Impersonation Blocking

Domains used for phishing campaigns, credential harvesting and brand impersonation are identified through threat intelligence and blocked at the DNS layer. This protects your users from social engineering attacks before they reach the browser.

Command-and-Control Disruption

Malware already present on a network often uses DNS to communicate with command-and-control (C2) servers. The DNS Firewall disrupts these communications by blocking resolution of known C2 domains, containing the infection and preventing data exfiltration.

Logging, Reporting and Alerting

Every blocked query is logged with the domain, client IP, timestamp, threat category and the action taken. Reports provide visibility into the threat landscape affecting your network. Alerts can be configured for high-severity blocks or unusual patterns.

Technical Details

How RPZ Works

Response Policy Zones are special DNS zones that contain policy rules rather than standard DNS records. When a query matches a rule in the RPZ, the resolver applies the configured action instead of performing normal resolution. Actions include returning NXDOMAIN (domain does not exist), redirecting to a warning page (walled garden), dropping the query silently or logging and allowing the query (passthrough for monitoring). RPZ was invented at ISC and first implemented in BIND. It is an open, vendor-neutral standard supported by all major DNS resolver platforms.

Threat Intelligence Sources

The DNS Firewall consumes threat intelligence feeds from multiple curated sources covering malware distribution domains, ransomware infrastructure, phishing sites, botnet C2 domains, domain generation algorithm (DGA) outputs, cryptomining domains and newly registered domains with suspicious characteristics. Feeds are delivered via secure zone transfer (AXFR/IXFR) and updated continuously.

Local Policy Overrides

Your organisation can maintain a local RPZ that takes precedence over external feeds. This allows you to whitelist domains that may be falsely flagged, blacklist internal threats specific to your environment, and enforce acceptable use policies (such as blocking categories of content during business hours).
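To make the RPZ actions, the most-specific-match rule and the local-override precedence described above concrete, here is an added Python illustration (not Sokomi's or any resolver's own code) of how a resolver evaluates QNAME triggers across an ordered list of policy zones and builds the log record described under Logging, Reporting and Alerting. The zone contents, the domain names and the block.corp.example walled-garden target are constructed for the example; only QNAME triggers are modelled.

```python
from datetime import datetime, timezone

# Constructed sample zones in precedence order: local override first, then the external
# feed. Records are written as "owner CNAME target" (no TTL/class); real zones add SOA/NS.
LOCAL_OVERRIDE = """
partner.example.    CNAME rpz-passthru.        ; whitelist a falsely flagged domain
*.casino.example.   CNAME block.corp.example.  ; acceptable-use policy: walled garden
"""
THREAT_FEED = """
partner.example.    CNAME .                    ; false positive in the upstream feed
*.evil.example.     CNAME .                    ; NXDOMAIN for every host under the domain
c2.evil.example.    CNAME rpz-drop.            ; silently drop queries for the C2 host
tracker.example.    CNAME *.                   ; NODATA: name exists, but has no records
"""
# Special CNAME targets defined by RPZ; any other target is a redirect (walled garden).
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP", "rpz-passthru.": "PASSTHRU"}

def parse_rpz(zone_text):
    """Map each trigger name (lower-case, no trailing dot) to its policy action."""
    rules = {}
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()          # drop comments, tokenise
        if len(fields) < 3 or fields[1] != "CNAME":  # skip blanks and SOA/NS records
            continue
        owner, target = fields[0], fields[2]
        rules[owner.rstrip(".").lower()] = ACTIONS.get(target, "REDIRECT:" + target.rstrip("."))
    return rules

ZONES = [("local-override", parse_rpz(LOCAL_OVERRIDE)), ("threat-feed", parse_rpz(THREAT_FEED))]

def match_qname(rules, qname):
    """Most specific rule wins: the exact name, then wildcards climbing toward the root."""
    if qname in rules:
        return rules[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):                  # *.evil.example matches www.evil.example
        action = rules.get("*." + ".".join(labels[i:]))   # but not evil.example itself
        if action is not None:
            return action
    return None

def apply_policy(qname, client_ip, zones=ZONES):
    """Return the log record for the first zone that matches, or None to resolve normally."""
    qname = qname.rstrip(".").lower()
    for zone_name, rules in zones:
        action = match_qname(rules, qname)
        if action is not None:
            return {"timestamp": datetime.now(timezone.utc).isoformat(), "client": client_ip,
                    "qname": qname, "source": zone_name, "action": action}
    return None
```

In BIND the same precedence comes from listing the local zone first in the response-policy statement, because the first listed zone with a matching rule is the one whose action is applied.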

Deployment Architecture

The DNS Firewall is deployed as an enhancement to your recursive resolver (either Sokomi's Secure Resolver or your existing infrastructure). RPZ feeds are delivered via DNS zone transfer to the resolver, which applies the policies inline during the resolution process. There is no separate appliance, proxy or agent to deploy. Any user, application or device that uses DNS will be protected.

Performance Impact

RPZ lookups are performed in memory and add negligible latency to the resolution process (typically less than 1ms). Modern resolvers can handle millions of RPZ entries without performance degradation. The DNS Firewall does not inspect packet payload or perform deep packet inspection, keeping it lightweight and scalable.

NIS2 and Compliance

The DNS Firewall supports NIS2 compliance by providing a documented, auditable layer of threat protection at the network level. Blocked query logs provide evidence of threat detection activity, and the system supports incident reporting workflows required under the directive. Integration with MonitoNIC provides the real-time alerting and historical analysis needed for incident response.

Who benefits from this solution

Enterprises needing network-wide protection against malware and phishing

Organisations with large user populations where endpoint security alone is insufficient

ISPs and managed service providers offering protective DNS to their customers

Educational institutions blocking access to malicious and inappropriate content

Government networks requiring threat intelligence-driven DNS filtering

Any organisation seeking to contain malware by disrupting C2 communications

Common questions about this solution

How is a DNS Firewall different from a traditional network firewall?

A traditional network firewall operates at the IP/TCP/UDP layer, inspecting packet headers and sometimes payload. A DNS Firewall operates specifically at the DNS resolution layer, blocking access to malicious domains before any network connection is established. This means it catches threats that bypass traditional firewalls, such as encrypted HTTPS connections to phishing sites or malware using legitimate cloud hosting. The two are complementary, not competing, security controls.

What happens when a user tries to reach a blocked domain?

The default action is to return an NXDOMAIN response, making it appear that the domain does not exist. Alternatively, the resolver can redirect the user to a warning page (walled garden) that explains why the domain was blocked and provides instructions for reporting false positives. The action is configurable per policy and per threat category.

What about false positives?

Your local RPZ whitelist takes precedence over external threat intelligence feeds. If a legitimate domain is incorrectly blocked, you can add it to your whitelist immediately. Sokomi monitors false positive reports across all deployments and works with threat intelligence providers to resolve them. A well-curated feed typically has a false positive rate below 0.01%.

Does the DNS Firewall detect domain generation algorithm (DGA) traffic?

Yes. Threat intelligence feeds include known DGA (Domain Generation Algorithm) outputs. Additionally, AI-based analysis of query patterns can identify DGA-like behaviour (a high volume of queries to random-looking domains) and flag it for investigation, even for previously unseen DGA outputs.

Does it work with DNS-over-TLS and DNS-over-HTTPS?

Yes. The DNS Firewall applies RPZ policies within the resolver, after the encrypted query has been decrypted. This means it works seamlessly with both DNS-over-TLS and DNS-over-HTTPS. The encryption protects the query from external observers; the firewall protects the user from malicious destinations. The two are complementary.

Protect your network at the DNS layer

Connect with our team to deploy a DNS Firewall that blocks malware, phishing and C2 traffic before connections are ever established.