Educause Security Discussion mailing list archives

Re: DNS Filtering


From: Alan Amesbury <amesbury () OITSEC UMN EDU>
Date: Mon, 21 Sep 2020 12:21:52 -0500

On 11 Sep 20, at 12:52, Barton, Robert W. <bartonrt () LEWISU EDU> wrote:

> We're looking to add DNS filtering to our tool set here.  We know that filtering of any kind can be controversial, 
> even for known security specific issues, in education.  Of those that have implemented DNS filtering, how did you 
> introduce the solution and gain acceptance?

Everything we do is driven by our stated policies.  We use BIND's RPZ capabilities to selectively poison demonstrably 
malicious domains.  Acceptance hasn't ever been a problem because the poisonings are done in direct response to a 
security problem, and people seem to generally accept that.  Our policy permits this because it's a direct response to 
a security event or events.

We do not have a policy that states we filter domains in advance of a security event or other clearly demonstrable need 
to filter it, so our filtering (by way of poisoning) is done sparingly.  People seem to generally accept this because 
our policy pretty clearly describes the actions we're likely to take.


-- 
Alan Amesbury
Security Analyst | University Information Security (UIS)
University of Minnesota | umn.edu | 612-625-8810
Information Security is a shared responsibility. Learn more at: https://it.umn.edu/what-security-incident
