Our blog

Ask a question, get an answer, How insecure can that be? Part three


04 January 2017

Tim Rooney

Blogs by author: Tim Rooney, Diamond IP Product Management Director, BT.


In the last of his series on security and DNS, Tim Rooney takes a look at the tools you need to stay truly secure.

A quick refresh of the series so far.

In part one of this blog series I provided a basic introduction to the domain name system (DNS) and some of its security vulnerabilities (under normal operation). In part two I discussed mitigation steps you may employ to reduce the risk of each of these vulnerabilities. Here, in the final instalment of the series, I’ll discuss a rapidly growing threat to networks everywhere.

Multiplying threats from malware.

By all measures, ransomware and malware-based threats continue to increase, with McAfee Labs and Intel Security reporting five new threats every second.

Malware can install itself on a user device via a variety of techniques, including:

  • luring users to download and install a seemingly innocuous application
  • installing a bundled application attached to a seemingly innocuous application
  • through self-installing worms, creeping over from other network-proximate devices.

Persistent threats.

Malware takes many forms and has many functions, depending on the objectives of the attacker. Advanced Persistent Threats (APTs) are special forms of malware, distinguished by their organised, stealthy forms of network intrusion — where an attacker gains access within a target network to steal data, disrupt communications, or otherwise infiltrate network components. APTs are persistent in that the intent is to retain access to the network for a lengthy time frame, if not indefinitely, so they require continual evasion techniques to avoid detection.

Once within the network, the attacker’s malware typically attempts to communicate to a ‘command and control’ (C&C) centre, from which the attacker can instigate attacks, update malware code, or collect information. Many times, this ‘phoning home’ process involves DNS queries to identify the current IP address of the C&C centre. Use of DNS lets the attacker change IP addresses quickly to avoid detection or defensive IP-address-based firewall policies. In addition, C&C centre domain names can be algorithmically generated to support a moving target on the query name as well.

Firewalls are one solution.

The ability to detect and prevent resolution of known C&C domains is a key function of a DNS firewall. When you think of an Internet firewall, you likely think of a gateway device which examines IP packets flowing through it and which selectively blocks or redirects those packets depending on certain criteria. Such criteria may include filtering parameters such as IP addresses or ports so that when an IP packet under inspection matches the parameter settings, the packet is blocked or otherwise handled. A DNS firewall performs similar examination and policy handling functions for DNS queries to prevent unwelcome DNS and subsequent data traffic.

Perimeters are changing.

Another common assumption associated with Internet firewalls is that they are deployed on the perimeter of a network with the intention of protecting the network from external attacks. DNS firewalls, however, protect the network against attacks that originate within the network. Why worry about internal attacks if morale is sky-high and IP firewalls are seemingly impervious? With the proliferation of smart phones and ‘bring your own device’ (BYOD) initiatives, it’s quite possible that devices physically leaving the domain of a perfectly firewalled network may become infected with malware when operated on less secure networks such as at the coffee shop wi-fi, or at home.

Blocking botnets.

Certain forms of malware infiltrate a device as a remote agent or ‘bot’ which, along with several other similarly infected devices, form a ‘botnet’, where a cyber criminal can command several bots to perform attacks such as distributed denial of service attacks. A bot on an infected device will typically attempt to contact the attacker’s command and control (C&C) centre to receive its marching orders, and the means of contacting the C&C starts with a DNS lookup. The primary goal of a DNS firewall is to identify such C&C contact attempts, to block such attempts and to identify the infected device.

DNS firewalls can keep you secure.

The leading DNS server reference implementation, BIND, from the Internet Systems Consortium (ISC), supports the establishment of DNS firewall policies via its response policy zones (RPZ) feature. RPZ enables a DNS administrator to define policies in standard DNS resource record format to enable filtering of DNS queries.

Filtering triggers can be defined based on the queried name (QNAME), resolved IP address (IP address within A or AAAA query response), resolving name server IP (NSIP) as resolved within a response to the A or AAAA query for an NS RRSet, and resolving name server name (NSDNAME) as resolved within an NS RRSet. Thus, throughout the resolution process for a particular query, the recursive DNS server can filter at multiple points along the way, then enact the corresponding policy action. Such action can be defined as responding with NXDOMAIN, NODATA, pass through, or inclusion of predefined response data, such as directing the session to a walled garden.

What makes DNS firewalls work?

The beauty of this technique is in defining policies as resource records within a response policy zone or zones. This lets DNS administrators create their own policies and/or subscribe to a provider or providers of malicious domain (filtering) information — which can simply utilise zone transfers to communicate such domain information to the corresponding recursive DNS servers. Updates of this zone information should, of course, be secured via the use of standard BIND ACLs, as well as transaction signatures (TSIG) to sign incremental or full zone updates.

BT’s IP address management products support configuration of DNS firewall functions via its web user interface for our Sapphire appliances as well as stock ISC BIND servers you may already operate. We enable you to choose your providers of bad domain information which can be easily configured with our systems and you are free to implement your own policies as well. Please comment or contact us to learn more.

To find out more about DNS firewalls, take a look at BT’s dedicated website.