Why DNS Blackholing Belongs in the Cybersecurity Classroom
Keeping a network secure in an ever-changing Internet landscape is a difficult task for anyone working in the cybersecurity arena. The constant changes in technology and defensive strategies require experts to remain vigilant in their efforts to protect the networks and systems under their charge. This is equally important and challenging for higher education professors, who need to educate their students on a wide range of available methodologies because there are many different levels of cybersecurity positions in the workforce. Not every student will graduate with job offers from large corporations that manage security for tens of thousands of devices. Some will invariably end up in small companies where security needs will be greatly pared back in comparison to larger organizations. Professors therefore need to teach a variety of methods for securing networks in different environments.
When Traditional Security Measures Become Overkill
Not every network needs every available security device. In many situations it is overkill, because configuring firewalls, intrusion detection systems, demilitarized zones, and the myriad other options can actually clutter the network and create more work for devices and employees. Cybersecurity professors often promote the idea of using firewalls to block nefarious traffic, as well they should, and some, including myself, have also pushed the practice of whitelisting (seen in one of my earlier articles) to limit Internet access to a handful of trusted locations. We also have methods that propose blocking all the IP addresses of specific nations where a large amount of malware and hacking activity has historically originated. All of these are good ideas that should continue to be taught to students. They need to understand the many different capabilities available so they can choose the best one in each scenario.
The Limits of Firewall-Based Blocking
The challenge with using the firewall to block large numbers of IP addresses is that the firewall must work overtime to inspect every packet and compare it against the block list. This is what firewalls are designed to do, and it is not typically a problem if the right equipment is available. A block list of 100 IPs is easily managed by even the smallest firewalls, but bump that list up to 5,000 or more ranges to block a complete country, and the smaller firewalls will begin to slow down the network. This level of blocking requires powerful firewalls that tend to be incredibly expensive and outside the budget range of smaller organizations. If a smaller organization wants protection against malware that does not require additional expensive network devices, it needs to look for alternative solutions. One approach that is proving effective in modern network infrastructures, with virtually no performance degradation, is DNS blackholing.
Understanding DNS Blackholing
DNS blackholing is not a new idea, but it is one that has been adapted to more uses in recent times, making it beneficial for networks of all sizes. Cybersecurity professors should include this capability in their classrooms to show the power of blocking content using a device that is already part of normal Internet communication rather than an additional inline appliance. Students are already taught how DNS works in core computer science courses: the DNS server resolves fully qualified domain names to IP addresses and vice versa. When a user enters a website in a browser, their computer first contacts a DNS server to determine the IP address of the web server, and then initiates a connection to the supplied IP address. DNS servers also store the IP addresses of email servers and other public-facing devices communicating on the Internet. The beauty of DNS blackholing is that a change on the DNS server can effectively block connections for everyone who uses that DNS server.
Blocking Undesirable Content at the DNS Level
DNS blackholing is the deliberate process of preventing resolution of fully qualified domain names that have been identified as carrying categories of information that are harmful or undesirable. This typically includes domains known to host or actively distribute malicious content, adult content, or similar material. The domains are not removed from the DNS server's records; rather, the records are configured to return non-routable responses instead of a legitimate IP address. This causes client traffic destined for a disallowed site to be stopped before a connection can ever be initiated. Considering the large number of malicious and adult Internet sites, professors can highlight this methodology to their students as a valuable and effective way to keep certain types of traffic off a network without using any additional processing power on network devices. No solution is perfect, but this one can stop close to 90% of unwanted traffic without any additional hit on network performance.
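The decision a blackholing resolver makes for each query, written out as an added example (not code from the article): a blocked zone covers all of its subdomains, A and AAAA queries for it get the non-routable addresses 0.0.0.0 and ::, and the same blocklist is rendered as Unbound local-zone/local-data stanzas. The blocklist, the `.example` names and the log lines are constructed for the demonstration; the counting helper shows how sinkhole hits become a detection signal for the phishing-click scenario the article mentions later.

```python
# Constructed sample blocklist; .example is reserved for documentation.
BLOCKLIST = {"malware.example", "phish.example", "ads.example"}

# Non-routable sinkhole answers for address queries.
SINKHOLE = {"A": "0.0.0.0", "AAAA": "::"}


def normalize(name):
    """Canonical form: lower-case, no surrounding space, no trailing dot."""
    return name.strip().rstrip(".").lower()


def matched_zone(name, blocklist):
    """Return the blocked zone covering `name` (exact or parent), else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):            # walk from the full name to the TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def answer(name, qtype, blocklist=BLOCKLIST):
    """('sinkhole', addr) for blackholed names; ('forward', None) otherwise,
    meaning the query is resolved normally. Non-address query types for a
    blackholed name get no record (addr is None)."""
    if matched_zone(name, blocklist) is None:
        return ("forward", None)
    return ("sinkhole", SINKHOLE.get(qtype.upper()))


def unbound_config(blocklist):
    """Render the blocklist as Unbound stanzas. A 'redirect' local-zone
    answers the zone and every subdomain with the zone's local-data."""
    lines = []
    for zone in sorted(blocklist):
        lines.append(f'local-zone: "{zone}." redirect')
        lines.append(f'local-data: "{zone}. A 0.0.0.0"')
        lines.append(f'local-data: "{zone}. AAAA ::"')
    return "\n".join(lines) + "\n"


def sinkhole_hits(log_lines):
    """Count sinkholed queries per client from constructed log lines of the
    form '<client_ip> <qname> <qtype>'. A burst from one host is worth a look."""
    hits = {}
    for line in log_lines:
        client, qname, qtype = line.split()
        if answer(qname, qtype)[0] == "sinkhole":
            hits[client] = hits.get(client, 0) + 1
    return hits
```

The sinkhole only protects clients that actually send their queries to this resolver, so pairing it with a rule that forces internal hosts through it is what makes the coverage claim hold.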
Limitations and Workarounds
Students should be informed of the workarounds available to bypass DNS blackholing, as well as the additional shortfall that it is not effective against newly registered domains that have not yet been categorized. Users who wish to circumvent DNS blackholing can use IP addresses to make direct connections to servers without the need for DNS resolution. This is only partially effective for a user, and it is a cumbersome practice because, even after reaching a web server, every link on that server may need to be manually entered with the IP address to keep bypassing the DNS server. Most users do not take the time to keep a list of IP addresses for these types of sites, so the residual internal risk is likely very small. Newly registered domains with undesirable content are also a concern, but only if users are aware of these new domains. This is usually a short-lived problem, as the time to categorize newer domains has been shortened to minutes in some cases, and often no more than a few days. For home users, DNS blackholing is one of the easiest ways to block large swaths of traffic with just one configuration change.
Cybersecurity professors should train their students in this protection methodology so they have another tool in their fight to maintain vigilance against nefarious online activity. Arguably, one of the greatest benefits of DNS blackholing is that it can block outbound phishing links when a user clicks on a malicious link in an email: the DNS server prevents the connection from happening before any damage is done. Any layer of security that blocks nefarious activity without adding devices or increasing the computing power on our network is a method we should always consider.