Using DNS for Security – Comodo Dome Shield

I’ve written a number of times about DNS offerings that allow for increased security: blocking you from going to a website that does a drive-by download of malware, blocking phishing sites, blocking your IoT devices from talking to a bot command-and-control domain, etc. While I think that we are moving to a more comprehensive alternative of whole-home internet security devices, a malware-blocking DNS service remains useful for many of us, in particular when you want to increase security without changing hardware or you can’t get the new hardware solutions to work. I wrote about my disaster with CUJO, and I found one case where EERO’s new EERO Plus offering won’t work. I’ll write about my EERO experience later, but for those considering buying one to use EERO Plus, beware that it isn’t an option if your Internet provider uses PPPoE. CenturyLink customers, this means you. You can use EERO in Bridge Mode, but that precludes the use of EERO Plus. So in my CenturyLink-connected house I’m trying a new option, Comodo Dome Shield.

Back in 2012 I first wrote about using DNS to block malware using OpenDNS and Norton Connectsafe. I’d already moved away from OpenDNS since they reserved most of their malware-blocking for the enterprise offering. Norton Connectsafe remains an option for a DNS that blocks domains based on Norton Safe Web’s scanning for malicious sites. Comodo also has their free Secure DNS, which is an alternative to Norton Connectsafe. Recently I discovered that Comodo had introduced an enterprise-oriented DNS service that includes full URL filtering capability. And they were offering it for free.

There are two advantages to using Comodo Dome Shield. The first is transparency. Norton Connectsafe and Comodo Secure DNS are pretty much black boxes, where you can’t tell what subcategories of malicious domains they are protecting you from. While Comodo Dome Shield offers a default security rule for blocking phishing/malware/spyware that is also somewhat of a black box, you can create your own rule and choose the subcategories you want protection against. For example, it isn’t clear whether the default rule blocks DDoS sources, but by creating your own rule you can make sure those are blocked. You can also block addresses for known spammers, for example.

The second advantage of Comodo Dome Shield is that it gives you complete control over blocking access to non-security-related domains. Want to block access to gambling sites? You can do that with a content rule. I don’t have a reason to block access other than for security, but I did use a content rule to block access to so-called “Parked Domains”. These are domains that have fallen into disuse and usually are just landing pages with links to other pages. In my experience the links on those parked domains all too often lead to malicious sites. And since the control of the parked domain is often questionable, the odds that it is taken over and used to distribute malware seem much higher than with actively maintained domains.

The disadvantage of blocking more domains is that the odds of you blocking a safe and useful domain go up. For example, there will be a lag between a parked domain being claimed and used legitimately, and during that lag (if you are blocking parked domains) you won’t be able to access the site. Or, it is pretty common for a domain to be flagged as sending spam even though that was a temporary situation. It can be very difficult for someone to get themselves removed from a spam blacklist once they are added, so if you block domains classified as spammers be prepared to lose access to some pretty mainstream sites from time to time. That’s the reason the default security rule, as well as Norton Connectsafe, don’t block those domains. So use your power to block broader categories with caution.

Because Comodo Dome Shield is aimed at enterprises it is a bit difficult to set up and manage. You have to sign up, and (if you have a dynamic IP address) run an agent on a machine on your network that is always on. The agent keeps Comodo informed of your network’s current external IP address so it can map requests to your filters instead of just using the defaults. You create rules for security and content blocking, and associate them with a policy for your network. You then point your router at Comodo’s DNS servers and your policy is enforced. Comodo Dome Shield also provides comprehensive reporting so you can see what all the devices on your network are accessing or being blocked from accessing, and it can be an eye-opener. As an enterprise product, Comodo Dome Shield has other capabilities that I haven’t explored, such as using agents on roaming devices to enforce domain access rules.
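
One way to check from a machine on your network that the resolver you pointed your router at is really applying your policy (an added example, not from the original post or from Comodo): it builds a DNS A query, parses the reply, and reports whether the name resolved, was answered with a block-page address, or came back NXDOMAIN. The resolver address and the block-page addresses in `block_ips` are assumptions you fill in from your provider's documentation; `fake_reply` builds constructed replies so the parser can be exercised offline.

```python
# Added example. resolver_ip and block_ips are caller-supplied assumptions, not values from the post.
import socket
import struct

def build_query(name, qid=0x1234):
    """Encode a recursive A-record query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(msg, pos):  # offset just past a (possibly compressed) name
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)  # pointer is 2 bytes, root label is 1

def parse_response(msg):
    """Return (rcode, [IPv4 strings from A records in the answer section])."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return flags & 0x000F, addrs

def verdict(msg, block_ips):
    """Classify how the resolver treated the name in response `msg`."""
    rcode, addrs = parse_response(msg)
    if rcode:
        return "nxdomain" if rcode == 3 else "error"
    if addrs and set(addrs) <= set(block_ips):
        return "sinkholed"  # every answer points at the block page
    return "resolved" if addrs else "no-answer"

def ask(resolver_ip, name, block_ips, timeout=3.0):  # live UDP query, then classify
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return verdict(s.recvfrom(4096)[0], block_ips)

def fake_reply(name, ip=None, rcode=0):
    """Constructed fixture (not captured traffic): reply with zero or one A record."""
    q = build_query(name)
    hdr = q[:2] + struct.pack("!HHHHH", 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)) if ip else b""
    return hdr + q[12:] + rr
```

An `nxdomain` verdict alone does not prove filtering, since the name may simply not exist; run `ask()` for the same name against an unfiltered resolver and compare the two verdicts.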

Many of you are thinking, well that’s a lot of work when I just want fire-and-forget protection against malicious domains. It was the more powerful capabilities of Comodo Dome Shield that attracted me, but Comodo Secure DNS or Norton Connectsafe are more appropriate for most people.  Certainly if I didn’t like playing around with security offerings as a hobby I’d just point my DNS at one of the secure DNS offerings and be done with it.

In most cases you should be using a secure DNS to protect your home network. While that is built into the new generation of security-centric networking devices, you can easily set up your router to use one. And in this era of IoT devices, where you can’t run security software on the device, the extra layer of protection of a secure DNS is one of the few things you can do to protect your home.

 

 

 
