Although DNS firewalls are not a magic bullet that will stop all APTs, they will block many of the initial infections by blocking the initial dropper and the download of the full APT. They will also identify (if not block) subsequent attempts to call home. Should that effort fail because the collusive server infrastructure is not known, the DNS firewall will subsequently identify infected computers by their attempts to call home for instructions. While this step does not stop the infection directly, it allows for a timely response that ensures the threat is no longer "persistent," even if it is advanced. Finally, the geographic blocking abilities mean that the DNS firewall will impede, and alert on, any ensuing data exfiltration stages that might begin to execute.
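The three roles described above (blocking known dropper and call-home names, listing the hosts that tried to reach them, and geographic blocking) can be sketched as a policy check over a resolver query log. This is an added example, not code from the article or from any DNS firewall product; the zone list, country code, IP-to-country table and log records are all constructed assumptions.

```python
from collections import defaultdict

# Constructed policy data (assumptions): reserved .example names and
# documentation IP ranges stand in for a real threat feed and GeoIP database.
BLOCKED_ZONES = {"dropper.example", "c2.example"}
BLOCKED_COUNTRIES = {"ZZ"}
GEO = {"192.0.2.10": "ZZ", "198.51.100.7": "US", "203.0.113.5": "US"}

# Constructed query log: (client IP, queried name, answer IP the resolver got)
LOG = [
    ("10.0.0.21", "www.vendor.example", "198.51.100.7"),
    ("10.0.0.34", "stage1.dropper.example", "203.0.113.5"),
    ("10.0.0.34", "beacon.c2.example", "203.0.113.5"),
    ("10.0.0.34", "beacon.c2.example", "203.0.113.5"),
    ("10.0.0.55", "files.upload.example", "192.0.2.10"),
    ("10.0.0.21", "notc2.example", "198.51.100.7"),
]

def in_blocked_zone(name):
    """True if name equals a blocked zone or is a subdomain of one."""
    labels = name.lower().rstrip(".").split(".")
    # Compare label-aligned suffixes so "notc2.example" does not match "c2.example".
    return any(".".join(labels[i:]) in BLOCKED_ZONES for i in range(len(labels)))

def evaluate(name, answer_ip):
    """Return the firewall verdict for one query."""
    if in_blocked_zone(name):
        return "block-domain"
    if GEO.get(answer_ip) in BLOCKED_COUNTRIES:
        return "block-geo"
    return "allow"

def triage(log):
    """Group non-allowed queries by client so responders get a host list."""
    hits = defaultdict(lambda: defaultdict(int))
    for client, name, answer_ip in log:
        verdict = evaluate(name, answer_ip)
        if verdict != "allow":
            hits[client][(verdict, name)] += 1
    return {client: dict(events) for client, events in hits.items()}

if __name__ == "__main__":
    for client, events in sorted(triage(LOG).items()):
        for (verdict, name), count in sorted(events.items()):
            print(f"{client} {verdict} {name} x{count}")
```

The per-client grouping is what turns blocked lookups into a list of machines to investigate; repeated hits on the same name from one host are the call-home pattern the paragraph refers to.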