K‑20 offers an alternate pair of recursive DNS resolvers that filter queries and block known malicious domains. This can help protect your users and infrastructure from phishing, malware, ransomware, botnets, and other cyberattacks.

Usage

To use K‑20’s filtered DNS resolvers, simply configure your DNS cache server, hosts, or DHCP servers to use the following DNS servers:

mdbr1.wa-k20.net    68.179.203.90
mdbr2.wa-k20.net    68.179.203.91

Fail-open vs fail-closed configuration

You may wish to use a mix of these and other DNS servers—such as the unfiltered K-20 DNS resolvers or publicly available DNS resolvers—for best performance and reliability. Be aware that this creates a fail-open configuration: if the filtered servers are not available or your hosts use the other servers for any reason, blocking will be bypassed and malicious domains may be resolved.

If you want to be sure to never resolve known malicious domains, create a fail-closed or fail-safe configuration by using only the filtered DNS resolvers and no others.
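
To check which of the two configurations a host actually has, the following added example (not part of K-20's documentation or tooling) classifies a resolv.conf-style resolver list against the two filtered addresses above. The verdict names and sample inputs are constructed for illustration, and a loopback resolver is reported as indeterminate because the local stub or cache's own upstream servers decide the outcome.

```python
import ipaddress
import sys

# Filtered resolver addresses as listed on this page.
FILTERED = {ipaddress.ip_address(a) for a in ("68.179.203.90", "68.179.203.91")}

def parse_nameservers(text):
    """Return the nameserver addresses in resolv.conf-style text, in order."""
    servers = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        fields = line.split()
        if fields[0] != "nameserver" or len(fields) < 2:
            continue
        try:
            # Drop an IPv6 zone id such as "%eth0" before parsing.
            servers.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
        except ValueError:
            continue                           # not an IP address; ignore
    return servers

def classify(text):
    """Return (verdict, unfiltered_addresses) for a resolver list."""
    servers = parse_nameservers(text)
    others = [str(s) for s in servers if s not in FILTERED]
    if not servers:
        return "no-resolvers", others
    if any(ipaddress.ip_address(o).is_loopback for o in others):
        # Local stub or cache: its upstream forwarders must be checked instead.
        return "indeterminate", others
    if not others:
        return "fail-closed", others
    if len(others) == len(servers):
        return "unfiltered", others
    return "fail-open", others

# Constructed sample inputs (192.0.2.53 is a documentation address).
MIXED = "nameserver 68.179.203.90\nnameserver 192.0.2.53\n"
CLOSED = "; constructed sample\nnameserver 68.179.203.90\nnameserver 68.179.203.91\n"
STUB = "nameserver 127.0.0.53\noptions edns0\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        verdict, others = classify(fh.read())
    print(f"{path}: {verdict}", *others)
    sys.exit(0 if verdict == "fail-closed" else 1)
```

Run as a script, it reads /etc/resolv.conf (or a path given as the first argument) and exits non-zero for anything other than a fail-closed result, so it can be used in a configuration-management check.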

Testing

To test whether filtered DNS protection is active, navigate to these pages:

If you are protected by filtered DNS, you will see a “Website Access Prohibited” message.
If not, you will see a page that identifies itself as “a demonstration website” and describes “Akamai Enterprise Threat Protector.”

Support

For help, questions, or to report a false positive, please email noc@wa-k20.net with “Filtered DNS” in the subject.

K-20 has limited ability to change blocking behavior. If K-20’s filtered DNS is not quite meeting your needs, please do contact the NOC and ask. But for the most part, this service is offered as-is, with the knowledge that it will not be the right solution for all K-20 members.

Information

K-20’s filtered DNS uses the Malicious Domain Blocking and Reporting (MDBR) service from MS‑ISAC, CISA, and Akamai. More information is available in their MDBR FAQ.
DNS queries will be sent to those providers and logged.

This service is offered as an optional layer of cybersecurity for K-20 members. It does not provide complete protection or regulatory compliance, and should not replace any other cybersecurity practices.
General cybersecurity information is available from the State Office of Cybersecurity and elsewhere.

See also

Please see DNS for information about K-20’s unfiltered resolvers and authoritative DNS servers.