DNS Firewall with RPZ - bdcert - FIRST - Improving Security ...
TRANSCRIPT
![Page 1: DNS Firewall with RPZ bdcert - FIRST - Improving Security ... · What DNS Firewall Can block Using RPZ •Phishing : When a user clicks on a link in an email, for example from a fake](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/1.jpg)
DNS Firewall with Response Policy Zone
Suman Kumar [email protected] IT [email protected]
![Page 2](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/2.jpg)
DNS Response Policy Zone (RPZ) as Firewall
● RPZ allows a recursive server to control the behavior of responses to queries.
● The administrator overlays custom information on top of the global DNS to provide alternate responses to queries.
● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR.
● It works like a firewall for name resolution, with the policy delivered as a feed over the network (like a cloud service).
● DNS RPZ only blocks DNS resolution; a machine that connects to the C&C directly by IP address will not be blocked.
![Page 3](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/3.jpg)
DNS Response Policy Zone (RPZ)
● Reputation data is packaged into Response Policy Zones (RPZs)
● RPZs update frequently via IXFR/AXFR
● An RPZ includes both the filter criteria (the trigger) and a response policy action
● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified
● Specification: draft-ietf-dnsop-dns-rpz (an Internet-Draft, never published as an RFC): https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
![Page 4](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/4.jpg)
Why We Need DNS RPZ?
![Page 5](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/5.jpg)
Ways of Content Filtering
• Router ACLs
• Web proxy filter
• Content-aware firewall
• DNS RPZ
![Page 6](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/6.jpg)
Core DNS Principles (diagram)
Roles shown: Master/Primary DNS, Slave/Secondary DNS, Caching Resolver DNS.
Zone replication: the Master pushes the zone to the Slave by AXFR or IXFR, both secured with TSIG.
Resolution chain for "What is the IP for www.bdnog.org?": the caching resolver asks .root, then .org, then bdnog.org ("Who is in charge of www.bdnog.org?") and returns "www.bdnog.org is 202.4.96.213".
Legend: AXFR - Full Zone Transfer; IXFR - Incremental Zone Transfer; TSIG - Transaction SIGnature, used to secure the AXFR/IXFR.
![Page 7](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/7.jpg)
Core DNS Principles with an RPZ added (diagram)
A Security Company operates a Master DNS RPZ; the Caching Resolver DNS receives the RPZ by AXFR/IXFR while still resolving normally through .root, .org and bdnog.org ("What is the IP for www.bdnog.org?" / "Who is in charge of bdnog.org?" / "www.bdnog.org is 202.4.96.213").
RPZ capability on the DNS Caching Resolver allows zone transfers to be pushed out in seconds.
![Page 8](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/8.jpg)
DNS RPZ in Action (diagram)
The Security Company works to find the bad guys and publishes their domains (badguys.com, xyzbadness.com) in the Master DNS RPZ, which the RPZ Caching Resolver DNS pulls by AXFR/IXFR. When a SPAM computer looks up "What is the IP for badguys.com?", the resolver matches the policy instead of answering with the real address.
![Page 9](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/9.jpg)
How is DNS RPZ Different? (diagram)
DNS RBL: some RBL user has to query the Security Company's DNSRBL every time.
DNS RPZ: the Security Company updates its zone files and the RPZ Caching Resolver DNS pulls them by AXFR/IXFR, so the policy is evaluated locally on the resolver.
![Page 10](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/10.jpg)
How is DNS RPZ Different?
• DNS RPZ allows for multiple providers, building a richer list of "bad domains"
• Allows for industry incident feeds
• Allows for local incident management feeds
(Diagram: RPZ feed 1 and RPZ feed 2 from outside providers, plus an OPSEC incident feed from the INFOSEC or Security Team, all loaded into the RPZ Caching Resolver DNS via AXFR/IXFR.)
![Page 11](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/11.jpg)
What DNS Firewall Can Block Using RPZ
• Phishing: when a user clicks on a link in an email, for example to a fake banking site, you can intercept the lookup of that site.
• Malware: when a user attempts to navigate to a domain name known to host malware, you can redirect them to a site of your own with instructions on scanning their computer.
• Ransomware: ransomware is a type of malware in which someone takes over assets on your network and blocks access to them until you pay a ransom. This is a rapidly growing threat; RPZ helps where the ransomware depends on resolving a download or C&C domain.
• Botnet Command and Control sites: when devices inside your network attempt to contact a suspected botnet command center, drop the queries and log them for analysis and follow-up.
• Identify Infected Machines: by analyzing the query logs, you can track down the machines in your network that are attempting to contact these abuse sites, and clean up any infections or botnet code.
![Page 12](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/12.jpg)
Components of the Criminal Cloud (diagram)
Components shown: Drive-By, Secondary Malware, Controller, Proxy, BOT Herder, Malware, Name Servers, SPAM BOTNET, Payment Processors, Mule Operations, Packer, TLD Domain, Victim of Crime.
Examples:
● Avalanche: SPAM cloud that you can lease time on
● Zeus: build your own criminal cloud
● BlackHole: Metasploit cloud you can lease
![Page 13](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/13.jpg)
Stage Domain Name (diagram)
The BOT Herder gets a domain under a TLD and stages it on the criminal Name Servers, ahead of the Drive-By, Secondary Malware, Controller, Proxy, Packer and SPAM BOTNET components.
![Page 14](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/14.jpg)
Prepare Drive-By (diagram)
The Hacker sends the malware through the Packer and loads it onto the Drive-By site; the Controller, Proxy, Secondary Malware, SPAM BOTNET and Name Servers are already staged under the TLD Domain.
![Page 15](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/15.jpg)
Social Engineered SPAM to Get People to Click (diagram)
The SPAM BOTNET sends spam (spear phishing) with a "Click on me now" lure pointing at the Drive-By site to the Victim of Crime.
![Page 16](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/16.jpg)
Drive-By Violation (diagram)
The Victim of Crime clicks "Click on me now" and is taken to the Drive-By site, which serves the packed malware.
![Page 17](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/17.jpg)
Drive-By Violation (diagram)
Owned! The Victim of Crime's computer is now compromised by the Drive-By malware.
![Page 18](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/18.jpg)
Poison Anti-Virus Updates (diagram)
The malware poisons the anti-virus updates on the victim: all lookups of the Anti-Virus Vendor are redirected to 127.0.0.1, so the machine can no longer update.
![Page 19](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/19.jpg)
Prepare Violated Computer (diagram)
The victim calls the Secondary Malware site and loads the secondary package.
![Page 20](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/20.jpg)
Call Home (diagram)
The victim calls the Controller (through the Proxy) and reports: Operating System, Anti-Virus, Location on the Net, Software, Patch Level, Bandwidth, Capacity of the computer.
![Page 21](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/21.jpg)
Load Custom Malware (diagram)
The Controller tells the victim "Go get new module", and the victim fetches custom malware from the criminal infrastructure.
![Page 22](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/22.jpg)
Start Worming, Scanning, & Spreading (diagram)
Under the BOTNET Herder's control the compromised host starts scanning and spreading to further Victims of Crime, over IPv6 as well as IPv4.
![Page 23](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/23.jpg)
The Domain Names Were Black Listed! (diagram)
We can see this guy's DNS activity! We knew the SPAM addresses, the infrastructure addresses, the controller addresses, the backend systems and the NS used for the criminal activity. The domain names were already black listed. We needed to stop this computer from doing all the DNS lookups to bad domains!
![Page 24](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/24.jpg)
DNS RPZ would have stopped this attack! (diagram)
The SPAM BOTNET still sends the spam, but the victim's lookup of the Drive-By domain is blacklisted with DNS RPZ, the infection chain stops there, and a NOC alert is raised.
![Page 25](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/25.jpg)
Possible Use Examples
• Enterprise networks can use it to stop infections, and let the NOC know something is wrong.
• Hosting providers can use it to block infected customer hosts, and let the NOC know something is wrong.
• Service providers can use it to protect customers AND notify the customer AND let the help desk know which customers might be infected.
![Page 26](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/26.jpg)
RPZ-supported DNS Applications
RPZ is native in several of the industry's leading DNS platforms, including:
● BIND 9.9 (or greater)
● PowerDNS (Recursor)
Numerous appliance vendors have enabled RPZ as well, including:
● Infoblox
● EfficientIP
● BlueCat
![Page 27](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/27.jpg)
RPZ Rule
Let's say we want to rewrite any DNS queries for a specific hostname, but allow lookups of the domain itself and of other hosts in that domain. The rule in the policy zone is:

```
host.filter.com IN CNAME .
```

This results in an NXDOMAIN (name does not exist) response for a query for "host.filter.com", while filter.com and every other name under it still resolve normally.
![Page 28](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/28.jpg)
Response Policy Triggers
The rules in a Response Policy Zone consist of triggers (filters) that identify which responses to modify, and policy actions to apply to those responses. Each rule uses one of the five policy triggers below and specifies one of the policy actions listed on the next slide.
● by the query name [QNAME]
● by an address which would be present in a truthful response [RPZ-IP]
● by the name or address of an authoritative name server responsible for publishing the original response [RPZ-NSDNAME and RPZ-NSIP]
● by the IP address of the DNS client [RPZ-CLIENT-IP]
![Page 29](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/29.jpg)
Response Policy Actions
● synthesize a "domain does not exist" response [NXDOMAIN: CNAME .]
● synthesize a "name exists but there are no records of the requested type" response [NODATA: CNAME *.]
● redirect the user via a CNAME to a walled garden [CNAME example.org.]
● replace the response with specified data [Local Data, e.g. an A record]
● require the client to re-submit the query via TCP [CNAME rpz-tcp-only.]
● exempt the response from further policy processing [DISABLED, CNAME rpz-passthru.]
● drop the query, without any response to the client [CNAME rpz-drop.]
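The triggers and actions above are encoded in the owner name and the record data of each rule in the policy zone. As an added example (not from the original slides or from ISC), here is a small generator that builds a local RPZ zone from rules written the way the two slides describe them, following the encoding in draft-ietf-dnsop-dns-rpz: reversed address components under rpz-ip / rpz-nsip / rpz-client-ip with the prefix length first and "zz" standing in for the "::" of an IPv6 address, name-server names under rpz-nsdname, and the special CNAME targets for NXDOMAIN, NODATA, PASSTHRU, DROP and TCP-only. The zone name rpz.local, the walled-garden name and all addresses and domains other than host.filter.com and badguys.com are assumptions made up for the example.

```python
"""Build a local BIND RPZ zone from trigger/action rules (added example).

Implements the RPZ owner-name encoding for the five trigger types and the
record data for the policy actions described in draft-ietf-dnsop-dns-rpz.
The zone name, addresses and most domains below are invented for illustration.
"""
import ipaddress

ZONE = "rpz.local."   # assumed name of the local policy zone

# Policy actions that are expressed as CNAMEs to special targets.
ACTIONS = {
    "NXDOMAIN": "CNAME .",
    "NODATA": "CNAME *.",
    "PASSTHRU": "CNAME rpz-passthru.",
    "DROP": "CNAME rpz-drop.",
    "TCP-ONLY": "CNAME rpz-tcp-only.",
}


def encode_address(cidr: str) -> str:
    """Encode an IPv4/IPv6 prefix for rpz-ip, rpz-nsip and rpz-client-ip
    triggers: prefix length first, then the address components reversed.
    For IPv6 the compressed text form is used so that '::' becomes one
    'zz' label (e.g. 2001:db8::1/128 -> 128.1.zz.db8.2001)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4:
        octets = str(net.network_address).split(".")
        return ".".join([str(net.prefixlen)] + octets[::-1])
    text = net.network_address.compressed
    if "::" in text:
        head, tail = text.split("::")
        words = (head.split(":") if head else []) + ["zz"] + (tail.split(":") if tail else [])
    else:
        words = text.split(":")
    return ".".join([str(net.prefixlen)] + words[::-1])


def owner(trigger: str, value: str) -> str:
    """Return the rule's owner name relative to the policy zone."""
    if trigger == "QNAME":            # the queried name itself (wildcards allowed)
        return value.rstrip(".")
    if trigger == "NSDNAME":          # name of an authoritative server
        return value.rstrip(".") + ".rpz-nsdname"
    if trigger in ("IP", "NSIP", "CLIENT-IP"):   # answer, NS or client address
        return encode_address(value) + ".rpz-" + trigger.lower()
    raise ValueError("unknown trigger " + trigger)


def rdata(action: str, data: str = "") -> str:
    """Return the record data for an action; LOCAL carries explicit data."""
    if action == "LOCAL":
        if not data:
            raise ValueError("LOCAL needs record data, e.g. 'CNAME walled-garden.example.net.'")
        return data
    return ACTIONS[action]


# (trigger, value, action, local data) - sample rule set, made up except for
# host.filter.com (slide 27) and badguys.com (slide 8).
RULES = [
    ("QNAME", "host.filter.com", "NXDOMAIN", ""),
    ("QNAME", "badguys.com", "LOCAL", "CNAME walled-garden.example.net."),
    ("QNAME", "*.badguys.com", "LOCAL", "CNAME walled-garden.example.net."),  # subdomains need their own wildcard rule
    ("QNAME", "updates.example.com", "PASSTHRU", ""),   # local allow-list entry
    ("IP", "192.0.2.0/24", "DROP", ""),                 # any answer pointing into this range
    ("NSDNAME", "ns1.bad-nameservers.example.", "NXDOMAIN", ""),
    ("NSIP", "2001:db8::1/128", "NODATA", ""),
    ("CLIENT-IP", "10.0.0.0/8", "TCP-ONLY", ""),        # force internal clients to TCP
]


def build_zone(rules, serial: int) -> str:
    """Render a complete zone file (SOA/NS plus one record per rule)."""
    lines = [
        "$TTL 300",
        "$ORIGIN " + ZONE,
        "@ IN SOA ns.%s hostmaster.%s %d 3600 900 604800 300" % (ZONE, ZONE, serial),
        "@ IN NS ns." + ZONE,
    ]
    for trigger, value, action, data in rules:
        lines.append("%s IN %s" % (owner(trigger, value), rdata(action, data)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone(RULES, 2018030101), end="")
```

Two things worth noting when using this: a QNAME rule for badguys.com does not cover its subdomains, so a separate `*.badguys.com` rule is needed, and a PASSTHRU allow-list only wins if its zone is listed before the feed zones in BIND's `response-policy` statement, since the first zone in that order takes precedence. Load the generated file as a master zone and reference it in `response-policy`, then reload with `rndc reload`.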
![Page 30](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/30.jpg)
RPZ Logging
Since we're running RPZ, we definitely want to log every RPZ rewrite. To do that, we need to set up two things under the "logging" header: a channel and the rpz category pointing at it.

```
logging {
    channel rpzlog {
        file "rpz.log" versions unlimited size 1000m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    category rpz { rpzlog; };
};
```
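Slide 11 says infected machines are found by analyzing the query logs; the rpz log channel above is what makes that possible. As an added example (not part of the original slides and not ISC code), the script below parses BIND's rpz rewrite messages, which have the form `client <addr>#<port> (<qname>): rpz <TRIGGER> <ACTION> rewrite <name> via <owner>.<zone>` (newer BIND versions insert a `@0x...` handle after `client`), and reports which clients kept hitting policy rules and which feed zone did the work. The log lines, client addresses and zone names are constructed for the example; PASSTHRU hits are excluded because an allow-list match is not evidence of infection.

```python
"""Identify infected machines from BIND rpz log lines (added example).

The sample log below is constructed; its format mirrors BIND's rpz category
messages written by the logging channel on slide 30.
"""
import re
from collections import Counter, defaultdict

# One rpz rewrite message; the '@0x...' handle is optional (newer BIND).
RPZ_LINE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<action>\S+) rewrite "
    r"(?P<name>\S+) via (?P<via>\S+)"
)

# Policy zones listed in response-policy (assumed); used to map 'via' to a feed.
KNOWN_ZONES = ("rpz.local", "botnetcc.rpz.spamhaus.org", "drop.rpz.spamhaus.org")

SAMPLE_LOG = """\
01-Mar-2018 09:12:01.123 rpz: info: client 10.1.2.3#51234 (badguys.com): rpz QNAME NXDOMAIN rewrite badguys.com via badguys.com.botnetcc.rpz.spamhaus.org
01-Mar-2018 09:12:05.456 rpz: info: client 10.1.2.3#51240 (badguys.com): rpz QNAME NXDOMAIN rewrite badguys.com via badguys.com.botnetcc.rpz.spamhaus.org
01-Mar-2018 09:13:10.789 rpz: info: client @0x7f3c2c0e5d10 10.1.2.9#40002 (cdn.xyzbadness.com): rpz QNAME Local-Data rewrite cdn.xyzbadness.com via *.xyzbadness.com.rpz.local
01-Mar-2018 09:14:00.000 rpz: info: client 10.1.2.3#51250 (www.bdnog.org): rpz QNAME PASSTHRU rewrite www.bdnog.org via www.bdnog.org.rpz.local
01-Mar-2018 09:15:30.333 rpz: info: client 10.1.2.7#33001 (host.filter.com): rpz QNAME NXDOMAIN rewrite host.filter.com via host.filter.com.rpz.local
01-Mar-2018 09:16:00.000 resolver: info: unrelated line that must be ignored
"""


def parse_rpz_log(text):
    """Return one dict per rpz rewrite line; other lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = RPZ_LINE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def suspect_clients(hits, ignore_actions=("PASSTHRU",)):
    """Map client address -> Counter of rewritten names, excluding allow-list hits."""
    per_client = defaultdict(Counter)
    for h in hits:
        if h["action"] in ignore_actions:
            continue
        per_client[h["client"]][h["name"]] += 1
    return per_client


def zone_of(via):
    """Pick the longest known policy zone that the 'via' owner name ends with."""
    for z in sorted(KNOWN_ZONES, key=len, reverse=True):
        if via == z or via.endswith("." + z):
            return z
    return "unknown"


def feed_summary(hits):
    """Count blocking rewrites per policy zone, to see which feed is effective."""
    return Counter(zone_of(h["via"]) for h in hits if h["action"] != "PASSTHRU")


def infected_report(text, min_hits=1):
    """Return (client, blocked lookups, most frequent blocked name), busiest first."""
    per_client = suspect_clients(parse_rpz_log(text))
    rows = []
    for client, names in per_client.items():
        total = sum(names.values())
        if total >= min_hits:
            rows.append((client, total, names.most_common(1)[0][0]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for client, total, top in infected_report(SAMPLE_LOG):
        print("%-16s %4d blocked lookups, mostly %s" % (client, total, top))
    for zone, n in feed_summary(parse_rpz_log(SAMPLE_LOG)).most_common():
        print("%-30s %4d rewrites" % (zone, n))
```

Run it against the real rpz.log (`infected_report(open("rpz.log").read(), min_hits=5)`) and raise `min_hits` so that a single stray lookup does not page the NOC; the per-zone counts are also a quick way to confirm a newly subscribed feed is actually firing.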
![Page 31](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/31.jpg)
Configure a Slave RPZ Zone
The feed is a normal secondary zone; X.X.X.X are the feed provider's master addresses. Nobody but the resolver itself needs to query or transfer it, hence the restrictive allow-transfer and allow-query.

```
zone "drop.rpz.spamhaus.org" {
    type slave;
    file "dbx.drop.rpz.spamhaus.org";
    masters { X.X.X.X; X.X.X.X; };
    allow-transfer { none; };
    allow-query { localhost; };
};
```

If the provider issues a TSIG key for the transfer, reference it in the masters list (`masters { X.X.X.X key "keyname"; };`).
![Page 32](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/32.jpg)
Configuring Response Policy Zones
BIND 9.9 limits response-policy to 32 zones (later versions raised the limit to 64). The zones are evaluated in the order listed, so the local zone with your own rules and allow-list goes first. RPZ zones are specified in the response-policy section:

```
response-policy {
    zone "rpz-local";
    zone "tor-exit-nodes.local";
    zone "bogon.rpz.spamhaus.org";
    zone "botnetcc.rpz.spamhaus.org";
    zone "malware.rpz.spamhaus.org";
    zone "malware-adware.rpz.spamhaus.org";
    zone "malware-aggressive.rpz.spamhaus.org";
    zone "bad-nameservers.rpz.spamhaus.org";
    zone "drop.rpz.spamhaus.org";
};
```
![Page 33](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/33.jpg)
Before Implementation
● At first run in logging-only mode for at least a week (in BIND, `policy disabled` on a response-policy zone logs the rewrite that would have happened without applying it), and review the log for false positives
● Use TSIG to secure the transfer of the RPZ zone
● Restrict the RPZ recursive server so that only your own clients can query it (allow-query / allow-recursion), not the whole Internet
● Restrict users from using other name servers, e.g. block outbound DNS except from the resolver; a client that talks to an outside resolver (including over DNS-over-HTTPS/TLS) bypasses the RPZ entirely
![Page 34](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/34.jpg)
RPZ Feed Providers
● Spamhaus / Deteque / SecurityZones
● Farsight Security
● SURBL
● SWITCH
● ThreatSTOP
![Page 35](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/35.jpg)
Implementation Case Study in an ISP in BD
● Using the RPZ feed from SecurityZones with BIND (http://www.securityzones.net/images/downloads/BIND_RPZ_Installation_Guide.pdf)
● Redirected all recursive DNS requests to the RPZ name server
● Provided service for 390 devices using recursive DNS
● Name server hits: 23,000,000 in a month
● Domains blocked: 55,435
● Number of infected devices detected: 32
● Simple and easy approach to implement
![Page 36](https://reader034.vdocuments.net/reader034/viewer/2022050715/5f2f408dddf1de2d810e8eae/html5/thumbnails/36.jpg)