Educause Security Discussion mailing list archives
Re: DNS Filtering
From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 21 Sep 2020 12:21:52 -0500
On 11 Sep 20, at 12:52, Barton, Robert W. <bartonrt () LEWISU EDU> wrote:
We're looking to add DNS filtering to our tool set here. We know that filtering of any kind can be controversial, even for known security specific issues, in education. Of those that have implemented DNS filtering, how did you introduce the solution and gain acceptance?
Everything we do is driven by our stated policies. We use BIND's RPZ capabilities to selectively poison demonstrably malicious domains. Acceptance hasn't ever been a problem because the poisonings are done in direct response to a security problem, and people seem to generally accept that. Our policy permits this because it's a direct response to a security event or events. We do not have a policy that states we filter domains in advance of a security event or other clearly demonstrable need to filter it, so our filtering (by way of poisoning) is done sparingly. People seem to generally accept this because our policy pretty clearly describes the actions we're likely to take. -- Alan Amesbury Security Analyst | University Information Security (UIS) University of Minnesota | umn.edu | 612-625-8810 Information Security is a shared responsibility. Learn more at: https://it.umn.edu/what-security-incident ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- DNS Filtering Barton, Robert W. (Sep 11)
- Re: DNS Filtering Alan Amesbury (Sep 21)
- <Possible follow-ups>
- Re: DNS Filtering Mark Picone (Sep 21)