
Let's say we have this network setup:

PC > Firewall > DNS Server

I was under the impression that the PC would attempt to access the DNS server but the firewall would instantly block the request because it has noticed that the domain being requested is in its blacklist.

Reading online however, it seems the initial request to the DNS server is actually allowed but when the DNS server returns the IP address of the domain, it's blocked and unable to reach the PC.

Why is it done like this or was I right initially and have completely misunderstood something?

Billal Begueradj
    *"Reading online however, .."* - please add the source. – Steffen Ullrich Nov 11 '16 at 14:58
  • I've seen many routers which operate this way `PC > DNS Server on the Router > final DNS Server`, so that would make it more feasible for the router to filter DNS queries. – 700 Software Nov 11 '16 at 15:29
  • It depends where your DNS cache is. So there's the best place to do so. If you have a DNS cache on the firewall, then great, every home router has one. But if you have a dedicated DNS cache for the company, that's a good place as well. – Aria Nov 11 '16 at 15:36

1 Answer

It is usually not the case that the DNS request is simply blocked; instead the firewall (or even the ISP) will try to send a valid DNS response back so that the client quickly learns that the domain does not exist or that it resolves to a server which shows a warning message about blocked access.

To do this the firewall needs to somehow intercept the original DNS request. Since most clients simply use the DNS server provided by the firewall anyway, directly or indirectly (i.e. the firewall is the central DNS server for resolving IPs of external domains), it is often sufficient to just configure the server to return a response configured by the ISP instead of the real response. For clients which explicitly use different DNS servers, any access to some site's port 53 (i.e. DNS) could be intercepted and forwarded to the firewall's DNS server, which then again sends the faked response.

Steffen Ullrich
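The sinkhole behaviour the answer describes, as an added illustration that is not part of the original post: a minimal resolver front-end parses the client's DNS query, and if the name is on a (constructed) blocklist it answers with either NXDOMAIN ("the domain does not exist") or an A record pointing at a warning server (the `10.0.0.1` sinkhole address is an assumption); anything else returns `None`, meaning "forward to the real resolver".

```python
import struct

# Constructed blocklist and sinkhole address; both are assumptions for this example.
BLOCKLIST = {"malware.example", "ads.example"}
SINKHOLE_IP = "10.0.0.1"  # host that serves the "access blocked" warning page


def build_query(txid, name, qtype=1):
    """Build a raw DNS query (RD=1) for name/qtype, as a client would send it."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_question(pkt):
    """Return (txid, qname, qtype, raw question section) from a raw DNS query."""
    txid = struct.unpack("!H", pkt[:2])[0]
    off, labels = 12, []
    while True:                      # walk the length-prefixed labels up to the 0 terminator
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype = struct.unpack("!H", pkt[off:off + 2])[0]
    return txid, ".".join(labels).lower(), qtype, pkt[12:off + 4]


def sinkhole(pkt, mode="nxdomain"):
    """Answer a blocked query ourselves; return None if the query should be forwarded."""
    txid, qname, qtype, question = parse_question(pkt)
    if not any(qname == d or qname.endswith("." + d) for d in BLOCKLIST):
        return None
    if mode == "nxdomain":
        # flags 0x8183: response, RD, RA, RCODE=3 (NXDOMAIN); copies the client's txid
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    # flags 0x8180: response, RD, RA, RCODE=0, plus one A record for the sinkhole host.
    # 0xc00c is a compression pointer back to the name in the question at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    rr += bytes(int(o) for o in SINKHOLE_IP.split("."))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


def response_summary(resp):
    """Return (rcode, answer IPv4 or None) from a response built by sinkhole()."""
    _, flags, _, ancount = struct.unpack("!HHHH", resp[:8])
    ip = ".".join(str(b) for b in resp[-4:]) if ancount else None
    return flags & 0xF, ip
```

Clients that bypass the firewall's resolver are handled at the packet level (a NAT rule redirecting outbound UDP/53 to the local resolver), which is outside this snippet.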