Fighting Email Spam with DNS Firewall

As volumes of good old fashioned spam decrease, purveyors of electronic junk mail have turned to more malicious forms of it to turn a quick buck. A favorite channel for delivering those pernicious payloads has been the Domain Name System (DNS) for the Internet.

Spam can be roughly classified by the size of its target audience. Old fashioned spam, such as pharmaceutical spam, try to get its targets to buy something — Viagra, for instance, or Rolex watches. The idea behind it is to cast as large a net as possible to rope in buyers.

Phishing spammers are like long-line fishermen. They bait their spam with a trusted source in hopes of hauling in victims with a connection to that source. For example, a spam message may be aimed at customers of Bank of America.

The spammer doesn’t know who on their mailing list has a BOA account. They just know there are lots of BOA customers on the Web so a substantially sized spam campaign should reach a respectable number of them.

Spear phishing is the narrowest of all spam campaigns. Typically, the spammer has obtained or compiled a list of email addresses that they know are linked in some way. It could be the members of corporate department or a government agency. Then they cleverly craft a message specifically tailored to the group.

Both phishers and spear phishers frequently embed malicious links in their spam aimed at directing anyone who clicks on them to a bandit website where they can infect a visitor’s computer, pry confidential information from them or both.

Over the years, firewall makers have made great strides in blocking spam at the network perimeter. However, spammers who can game DNS have become an increasing problem for firewalls. That’s because DNS — the system for associating domain names with IP addresses — is so highly trusted that network administrators rarely filter or redirect public DNS responses.

The increased exploitation of DNS by spammers has given rise to the DNS firewall. What’s attractive about this defense measure is not only can it be easy to implement but economical to set up, too, since most networks have a key component of the firewall in place: the DNS Resolver Server.

That server does the grunt work of tying domain names to IP addresses. By adding a dynamically updating list of malicious locations on the Internet to the server’s functions, pernicious activity can be blocked on a network. The server modification can be set up through a vendor or through the use of some scripts, good data sources and a consult with a DNS administrator.

DNS firewalls can be very effective because DNS is at the heart of most malicious software operations. For example, malware will use domain names to seek rendezvous points to receive new malicious payloads. They also use them to receive instructions from command and control servers operated by Web miscreants. A DNS firewall can identify those poisonous connections, block them and cripple any malware trying to use them.

Although DNS firewalls aren’t new, they don’t seem to have been able to make it on the radar screen of many network security professionals. That’s unfortunate because they can be very effective in thwarting Black Hat attacks on networks.

“By implementing this one simple layer of defense, enterprises can stymie over 80 percent of today’s malware and commensurately reduce their risk of information loss,” writes Rod Rasmussen, a founder of Internet Identity.

“While not a silver bullet,” he adds, “this approach is certainly going to be highly effective and should be considered an essential layer in any enterprise’s security posture.”

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe


  1. L.J. · January 16, 2013

    The DNS approach in fighting spam is so last century. Why use it, when there are so many alternatives that do a much better job? It’s like using candles for lighting – this was fine before electricity was invented but not anymore. Same with DNS – it’s simply a candle compared to the other weapons we have.

  2. Roberto Rodriguez · January 31, 2013

    Really, LJ? Enlighten me some more or introduce better techniques. I drop by here once in a while, hoping to get good ideas on how to better protect myself from all these types of e-mail scams. A friend of mine had to deal with identity theft when someone got hold of his credit card information. Then the phisher definitely went on a shopping spree. It’s a good thing that there’s very small credit limit left in his credit card, so he didn’t have to pay a lot. The credit card company, of course, asked too many requirements, and he got tired challenging the debit.

  3. · February 10, 2013

    I really was exploring for points for my own web site and located ur blog
    post, “Fighting email spam with DNS firewall”, do you
    really mind if I actually employ several of ur suggestions?
    Many thanks -Vaughn

  4. John P Mello Jr · February 11, 2013

    Be my guest. I’m glad you found the suggestions useful.

Leave A Reply