1 | © 2013 Infoblox Inc. All Rights Reserved.
Turning DNS from Security Target to Security Tool
Cricket Liu | Chief DNS Architect
March 27, 2018
DNS is Complicit in All Kinds of Malicious Activity
Most Malware Uses DNS in Attacks
[Pie chart] Uses DNS: 91.30%; Who knows? Host tables?: 8.70%
Most Organizations Don’t Monitor DNS
[Pie chart] You betcha: 32%; Would prefer not to know: 68%
How DNS Is (Ab)Used
• Bad guys register a brand-new domain name
  – With no negative reputation
• Bad guys mount a phishing campaign, luring the unsuspecting to a web site using the new domain name
  – Visitors are infected through a variety of means
How DNS Is (Ab)Used: Finding a C&C Server
• Malware wakes on the corporate network, inside the firewall
• The malware wants to communicate with a command-and-control (C&C) server
• It rendezvouses with a C&C server by looking up
  – A compiled-in list of domain names
  – Domain names generated by a Domain Generation Algorithm (DGA)
• …until it gets an answer
How DNS Is (Ab)Used: Tunneling
• But most corporate networks no longer permit direct communication from arbitrary internal hosts to the Internet
  – Many require that common protocols (e.g., HTTP, HTTPS) run through proxies
• So many species of malware fall back to using DNS to tunnel communication to and from C&C servers
Sidebar: DNS Tunneling
• Tunneling data surreptitiously into or out of a network using DNS as a vector
  – This is often effective because
    - DNS is generally allowed into and out of an organization (e.g., you can look up Internet domain names from inside the network)
    - DNS queries and responses are usually poorly monitored
  – Can be used
    - As a command and control channel for a botnet
    - To download new code to existing malware
    - To exfiltrate data from the internal network to a drop server
DNS Tunneling Example: Infiltration
[Diagram: Infected host → Recursive name server → Forwarder → hacker.org name server]
S: [infected host]  Q: 0.[id].hacker.org/TXT ?
D: [infected host]  A: 0.[id].hacker.org TXT “0.[base-64-encoded data]”
                       0.[id].hacker.org TXT “1.[base-64-encoded data]”
                       …
DNS Tunneling Example: Exfiltration
[Diagram: Infected host → Recursive name server → Forwarder → hacker.org name server]
S: [infected host]  Q: 0.[base-32-encoded data].[id].hacker.org/A ?
D: [infected host]  A: NXDOMAIN
S: [infected host]  Q: 1.[base-32-encoded data].[id].hacker.org/A ?
D: [infected host]  A: NXDOMAIN
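An added example, not from the slides: a heuristic detector in Python that scores recursive-server query logs for the tunneling pattern the sidebar and the two exchanges above describe (unique names under one domain, labels that look like encoded data, NXDOMAIN answers on the exfiltration side). The log format, the client addresses, the hacker.org payload names and all thresholds are constructed for the example.

```python
"""Heuristic DNS-tunneling detector over recursive-server query logs."""
import math
import re
from collections import defaultdict

# Constructed sample log (not from the slides). Fields: client qname qtype rcode.
# Client 10.0.0.7 mimics the exfiltration pattern shown on the slides:
# <seq>.<base-32-encoded data>.<id>.hacker.org/A, each answered NXDOMAIN.
SAMPLE_LOG = """\
10.0.0.5 www.example.com. A NOERROR
10.0.0.5 mail.example.com. A NOERROR
10.0.0.5 www.example.com. A NOERROR
10.0.0.7 0.mfrggzdfmztwq2lknnwg23tpobyxe43u.a1b2.hacker.org. A NXDOMAIN
10.0.0.7 1.nbswy3dpfqqho33snrsc4mrugq3toozqge.a1b2.hacker.org. A NXDOMAIN
10.0.0.7 2.kzsxg5dwfzsgk3tlnfzwc43umfxgiidsmfxg.a1b2.hacker.org. A NXDOMAIN
10.0.0.7 3.obqxg43xn5zgiidgn5zca5dimuqgc3dmn5uq.a1b2.hacker.org. A NXDOMAIN
10.0.0.7 0.a1b2.hacker.org. TXT NOERROR
10.0.0.9 cdn.example.net. A NOERROR
"""

# A label drawn only from the (lower-cased) RFC 4648 base-32 alphabet and
# longer than a typical hostname; the 16-character floor is an assumption.
PAYLOAD_LABEL = re.compile(r"^[a-z2-7]{16,63}$")


def registered_domain(qname):
    """Last two labels, an assumption for this example; production code should
    use the Public Suffix List so that names under co.uk etc. group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits of entropy per character; encoded payload labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse 'client qname qtype rcode' lines (constructed format) into tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname, qtype, rcode = line.split()
            records.append((client, qname.rstrip(".").lower(), qtype, rcode))
    return records


def detect_tunnels(log_text, min_queries=3):
    """Group queries by (client, registrable domain) and flag tunnel-like groups.

    Signals follow the slides: every query carries fresh payload, so names are
    unique and labels look like encoded data, and on the exfiltration side the
    server answers NXDOMAIN because only the question mattered. Thresholds are
    assumptions to be tuned against a site's own baseline.
    """
    groups = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0,
                                  "labels": 0, "entropy": 0.0,
                                  "payload_labels": 0, "payload_bytes": 0})
    for client, qname, _qtype, rcode in parse_log(log_text):
        domain = registered_domain(qname)
        g = groups[(client, domain)]
        g["queries"] += 1
        g["names"].add(qname)
        if rcode == "NXDOMAIN":
            g["nxdomain"] += 1
        prefix = qname[: len(qname) - len(domain)].rstrip(".")
        for label in (prefix.split(".") if prefix else []):
            g["labels"] += 1
            g["entropy"] += shannon_entropy(label)
            if PAYLOAD_LABEL.match(label):
                g["payload_labels"] += 1
                g["payload_bytes"] += len(label) * 5 // 8  # base 32: 5 bits/char

    findings = []
    for (client, domain), g in groups.items():
        if g["queries"] < min_queries:
            continue
        unique_ratio = len(g["names"]) / g["queries"]
        nx_ratio = g["nxdomain"] / g["queries"]
        mean_entropy = g["entropy"] / g["labels"] if g["labels"] else 0.0
        reasons = []
        if g["payload_labels"] >= 3:
            reasons.append("encoded-looking labels")
        if nx_ratio >= 0.5 and unique_ratio >= 0.8:
            reasons.append("unique names answered NXDOMAIN")
        if mean_entropy >= 3.5:
            reasons.append("high label entropy")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "queries": g["queries"], "reasons": reasons,
                             "estimated_payload_bytes": g["payload_bytes"]})
    return findings
```

Run `detect_tunnels(SAMPLE_LOG)` to see the single finding for 10.0.0.7 against hacker.org; the ordinary example.com traffic from 10.0.0.5 produces none.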
Enough!
• Through all of the abuse, DNS servers have been blindly complicit
• DNS security has traditionally concentrated on
  – Securing DNS transactions (queries, updates, zone transfers)
  – Protecting the authenticity and integrity of zone data (e.g., DNSSEC)
• Finally, after nearly three decades of this, we’d had enough
Enter Response Policy Zones
• In 2010, Paul Vixie writes “Taking Back the DNS,” introducing Response Policy Zones, or RPZs
• RPZs reuse
  – DNS zones as containers for resolution policy
  – DNS records as a mechanism for expressing policy
• Policies can
  – Trigger based on a domain name in a query or an answer
  – Trigger based on an IP address in an answer
  – Return errors or static data in place of answers
Actual Photograph of Paul Publishing His Blog
[Photo]
RPZ “Feeds”
• Since RPZs are zones, you can distribute RPZ policies quickly and efficiently
  – “Subscribers” configure their DNS servers as secondaries for RPZ zones
    - Transferring those zones from “publishers”
  – Publishers can send NOTIFY messages when policies change
  – Subscribers can request IXFRs to get just the changes
• Organizations traditionally in the DNS blocklist business now make their reputational data available via RPZ because it’s efficient and easy to consume
How Response Policy Zones Work
[Diagram: an infected client sends a query for a malicious domain name to the local recursive name server; that server receives RPZ data via zone transfer from a master name server run by the RPZ feed provider, returns an error or redirect to the client, and logs the event]
Enter Passive DNS
• Invented by Florian Weimer in 2004
• Essentially “DNS telemetry”
  – A record of responses seen by recursive DNS servers and a timestamp
    - Referrals
    - Answers
    - Errors
Passive DNS
[Diagram: a recursive name server resolving through the root name servers, the com name servers and the example.com name servers; the responses it receives are copied (pDNS replication) into a passive DNS database]
Passive DNS Databases
• Databases of collected passive DNS data are invaluable for detecting malicious or suspicious activity
  – Fast fluxing
  – Domain Generation Algorithms
  – DNS tunneling
  – Cache poisoning
  – Unauthorized access to cloud services
  – …and much more
Closing the Loop
[Diagram: Customer 1, Customer 2 … Customer 9000 exchange data with an analytics cloud, which distributes the resulting RPZ back to the customers]
Case Study: Farsight’s NOD Feed
• Farsight Security uses their passive DNS database to create an RPZ of domain names “newly observed” on the Internet
  – Say, less than 30 minutes old
• It turns out that an enormous percentage of brand-new domain names are malicious
  – Registered, used for malicious activity (e.g., a phishing campaign) and then discarded
• Blocking access to them will thwart much badness
• And the opportunity cost is minimal
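An added example tying the passive DNS slides to this case study; it is not Farsight's code or data. The Python below aggregates constructed response observations into passive DNS records (what was answered, first and last seen, how often), derives the registrable domains first seen within the last 30 minutes, and renders them as an RPZ that subscribers could pull. The observations, timestamps, names under .example and the nod.rpz.example zone name are all constructed.

```python
"""Build a small passive DNS database and derive a newly-observed-domain RPZ."""
from datetime import datetime, timedelta, timezone

# Constructed passive DNS observations (not real data): answers seen by a
# recursive name server, as (seen_at, rrname, rrtype, rdata). Addresses come
# from the documentation ranges; names under .example are placeholders.
OBSERVATIONS = [
    ("2018-03-26T12:00:00Z", "cdn.example.net", "A", "198.51.100.20"),
    ("2018-03-27T09:00:00Z", "www.example.com", "A", "192.0.2.10"),
    ("2018-03-27T09:05:00Z", "www.example.com", "A", "192.0.2.10"),
    ("2018-03-27T11:58:00Z", "login.brand-update.example", "A", "203.0.113.7"),
    ("2018-03-27T11:59:30Z", "login.brand-update.example", "A", "203.0.113.7"),
    ("2018-03-27T12:01:00Z", "cdn.example.net", "A", "198.51.100.20"),
]
NOW = datetime(2018, 3, 27, 12, 10, tzinfo=timezone.utc)  # constructed "now"


def parse_ts(text):
    """Observation timestamps are UTC ISO 8601 with a Z suffix."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_pdns(observations):
    """Aggregate into (rrname, rrtype, rdata) -> first_seen, last_seen, count.
    That is the shape of a passive DNS record: no record of who asked."""
    db = {}
    for seen_at, rrname, rrtype, rdata in observations:
        t = parse_ts(seen_at)
        key = (rrname.rstrip(".").lower(), rrtype, rdata)
        rec = db.setdefault(key, {"first_seen": t, "last_seen": t, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], t)
        rec["last_seen"] = max(rec["last_seen"], t)
        rec["count"] += 1
    return db


def registrable(name):
    """Last two labels; an assumption for the example (use the Public Suffix List)."""
    return ".".join(name.split(".")[-2:])


def domain_first_seen(db):
    """Earliest time any record under each registrable domain was observed."""
    first = {}
    for (rrname, _rrtype, _rdata), rec in db.items():
        domain = registrable(rrname)
        first[domain] = min(first.get(domain, rec["first_seen"]), rec["first_seen"])
    return first


def newly_observed(db, now, max_age=timedelta(minutes=30)):
    """Domains first seen within max_age of now (the slide's 'less than 30 minutes old')."""
    return sorted(d for d, t in domain_first_seen(db).items() if now - t <= max_age)


def nod_rpz(domains, origin="nod.rpz.example", serial=1):
    """Render the NOD list as an RPZ: NXDOMAIN for each domain and its subdomains.
    The SOA/NS apex records make it a loadable zone that subscribers can pull
    as secondaries; the origin name is a placeholder."""
    lines = [
        f"$ORIGIN {origin}.",
        f"@ 300 IN SOA ns.{origin}. hostmaster.{origin}. {serial} 300 60 604800 60",
        f"@ 300 IN NS ns.{origin}.",
    ]
    for domain in domains:
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


PDNS = build_pdns(OBSERVATIONS)
NOD = newly_observed(PDNS, NOW)
```

Only brand-update.example, first seen 12 minutes before NOW, lands in the NOD zone; example.com and example.net were seen hours or a day earlier and are untouched, which is why the opportunity cost of blocking stays small.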
How to Apply What You’ve Learned Today
• Check whether your DNS servers already support Response Policy Zones
  – If not, consider making RPZ support a requirement when you upgrade your DNS servers
• Determine whether one or more RPZs might be useful to you
• Plumb these RPZs into your DNS servers and send RPZ logs to your SIEM
• Think about collecting your passive DNS data and mining it

COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 

Recently uploaded (20)

20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 

Infoblox - turning DNS from security target to security tool

  • 1. 1 | © 2013 Infoblox Inc. All Rights Reserved. Turning DNS from Security Target to Security Tool. Cricket Liu | Chief DNS Architect. March 27, 2018
  • 2. DNS is Complicit in All Kinds of Malicious Activity
  • 3. Most Malware Uses DNS in Attacks
    (pie chart: Uses DNS 91.30%; Who knows? Host tables? 8.70%)
  • 4. Most Organizations Don’t Monitor DNS
    (pie chart: You betcha 32%; Would prefer not to know 68%)
  • 5. How DNS Is (Ab)Used
    • Bad guys register brand-new domain name
      ̶ With no negative reputation
    • Bad guys mount phishing campaign, luring the unsuspecting to a web site using the new domain name
      ̶ Visitors are infected through a variety of means
  • 6. How DNS Is (Ab)Used: Finding a C&C Server
    • Malware wakes on the corporate network, inside the firewall
    • The malware wants to communicate with a command-and-control (C&C) server
    • It rendezvouses with a C&C server by looking up
      ̶ A compiled-in list of domain names
      ̶ Domain names generated by a Domain Generation Algorithm (DGA)
    • …until it gets an answer
  • 7. How DNS Is (Ab)Used: Tunneling
    • But most corporate networks no longer permit direct communication from arbitrary internal hosts to the Internet
      ̶ Many require that common protocols (e.g., HTTP, HTTP-S) run through proxies
    • So many species of malware fall back to using DNS to tunnel communication to and from C&C servers
  • 8. Sidebar: DNS Tunneling
    • Tunneling data surreptitiously into or out of a network using DNS as a vector
      ̶ This is often effective because
        - DNS is generally allowed into and out of an organization (e.g., you can look up Internet domain names from inside the network)
        - DNS queries and responses are usually poorly monitored
      ̶ Can be used
        - As a command and control channel for a botnet
        - To download new code to existing malware
        - To exfiltrate data from the internal network to a drop server
  • 9. DNS Tunneling Example: Infiltration
    (diagram: Infected host → Forwarder → Recursive name server → hacker.org name server)
    S: [infected host]  Q: 0.[id].hacker.org/TXT ?
    D: [infected host]  A: 0.[id].hacker.org TXT “0.[base-64-encoded data]”
                           0.[id].hacker.org TXT “1.[base-64-encoded data]”
                           …
  • 10. DNS Tunneling Example: Exfiltration
    (diagram: Infected host → Forwarder → Recursive name server → hacker.org name server)
    S: [infected host]  Q: 0.[base-32-encoded data].[id].hacker.org/A ?
    D: [infected host]  A: NXDOMAIN
    S: [infected host]  Q: 1.[base-32-encoded data].[id].hacker.org/A ?
    D: [infected host]  A: NXDOMAIN
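The TXT and NXDOMAIN patterns on slides 8 to 10 leave measurable traces in a recursive server's query log, which is what slide 8 says is "usually poorly monitored". As an added example that is not part of the deck, here is a Python detector for those traces run over a constructed log sample; the log format, the hacker.org subdomains and the thresholds are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed recursive-resolver query log (not real data), one query per line:
# "<client> <qname> <qtype> <rcode>". The hacker.org lines follow the slides'
# infiltration (TXT) and exfiltration (NXDOMAIN) patterns.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com A NOERROR
10.0.0.7 www.example.com A NOERROR
10.0.0.9 0.k3n9.hacker.org TXT NOERROR
10.0.0.9 0.mfrggzdfmztwq2lknfwggzlo.k3n9.hacker.org A NXDOMAIN
10.0.0.9 1.onswy3dpebxw4zlomnxw2lqk.k3n9.hacker.org A NXDOMAIN
10.0.0.9 2.pbzwy3dpebxw4zlomnxw2lyq.k3n9.hacker.org A NXDOMAIN
10.0.0.9 3.gezdgnbvgy3tqojqmfrggzdf.k3n9.hacker.org A NXDOMAIN
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far above real hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # Assumption: last two labels are the registrable domain (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def tunnel_stats(log_text):
    """Per registered domain: how long, how random and how often fruitless its queries are."""
    acc = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0, "nx": 0})
    for line in log_text.splitlines():
        _client, qname, qtype, rcode = line.split()
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if qname != dom else ""   # everything left of the domain
        a = acc[dom]
        a["n"] += 1
        a["subs"].add(sub)
        a["len"] += len(sub)
        a["ent"] += shannon_entropy(sub.replace(".", ""))
        a["txt"] += qtype == "TXT"          # bulk TXT answers: infiltration pattern
        a["nx"] += rcode == "NXDOMAIN"      # queries that exist only to carry data
    return {d: {"avg_sub_len": a["len"] / a["n"], "avg_entropy": a["ent"] / a["n"],
                "unique_sub_ratio": len(a["subs"]) / a["n"],
                "txt_ratio": a["txt"] / a["n"], "nxdomain_ratio": a["nx"] / a["n"]}
            for d, a in acc.items()}

def suspected_tunnels(log_text, min_sub_len=15.0, min_entropy=3.0):
    """Domains whose subdomain labels are, on average, both long and high-entropy."""
    return sorted(d for d, s in tunnel_stats(log_text).items()
                  if s["avg_sub_len"] >= min_sub_len and s["avg_entropy"] >= min_entropy)
```

The NXDOMAIN and TXT ratios are reported as supporting evidence rather than used as triggers, since on their own they also fit legitimate traffic such as mail-server SPF lookups.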
  • 11. Enough!
    • Through all of the abuse, DNS servers have been blindly complicit
    • DNS security has traditionally concentrated on
      ̶ Securing DNS transactions (queries, updates, zone transfers)
      ̶ Protecting the authenticity and integrity of zone data (e.g., DNSSEC)
    • Finally, after nearly three decades of this, we’d had enough
  • 12. Enter Response Policy Zones
    • In 2010, Paul Vixie writes “Taking Back the DNS,” introducing Response Policy Zones, or RPZs
    • RPZs reuse
      ̶ DNS zones as containers for resolution policy
      ̶ DNS records as a mechanism for expressing policy
    • Policies can
      ̶ Trigger based on domain name in a query or an answer
      ̶ Trigger based on an IP address in an answer
      ̶ Return errors or static data in place of answers
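Slide 12 says RPZ expresses policy as ordinary DNS records; as an added example that is not from the deck or from any resolver's RPZ implementation, this Python model shows how such records are read: QNAME triggers on the owner name, IP triggers on the answer, and special CNAME targets that select an error or static data. The zone content, the owner names (shown relative to the policy zone apex) and the simplified trigger precedence are assumptions.

```python
import ipaddress

# Constructed RPZ zone content (not a real feed); owner names are relative to the
# policy zone's apex, as they would be in a real zone file.
RPZ_ZONE = """\
bad.example.net          CNAME .              ; answer NXDOMAIN
*.bad.example.net        CNAME .              ; ...and for every name below it
allowed.bad.example.net  CNAME rpz-passthru.  ; exception: resolve normally
tracker.example.org      CNAME *.             ; answer NODATA (empty answer)
sinkhole.example.com     A     10.10.10.10    ; static data: walled-garden address
32.4.3.2.10.rpz-ip       CNAME .              ; any answer containing 10.2.3.4/32
24.0.2.0.192.rpz-ip      CNAME *.             ; any answer inside 192.0.2.0/24
"""
CNAME_ACTIONS = {".": ("NXDOMAIN",), "*.": ("NODATA",), "rpz-passthru.": ("PASSTHRU",)}

def parse_rpz(text):  # zone lines -> (owner, rtype, rdata); ';' starts a comment
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, rtype, rdata = line.split(None, 2)
            records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records

def action_for(rtype, rdata):
    """Special CNAME targets encode actions; any other record is served as the answer."""
    if rtype == "CNAME" and rdata in CNAME_ACTIONS:
        return CNAME_ACTIONS[rdata]
    return ("LOCAL", rtype, rdata)

def ip_trigger(owner):
    """'32.4.3.2.10.rpz-ip' -> 10.2.3.4/32: prefix length first, then reversed octets."""
    parts = owner[: -len(".rpz-ip")].split(".")
    return ipaddress.ip_network(".".join(reversed(parts[1:])) + "/" + parts[0])

def evaluate(records, qname, answer_ips=()):
    """Simplified precedence: exact QNAME, then wildcard QNAME, then IP triggers."""
    q = qname.lower().rstrip(".")
    by_name = {o: (t, r) for o, t, r in records if not o.endswith(".rpz-ip")}
    if q in by_name:
        return action_for(*by_name[q])
    labels = q.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in by_name:
            return action_for(*by_name[wild])
    for o, t, r in records:                   # IP triggers look at the answer, not the question
        if o.endswith(".rpz-ip") and any(ipaddress.ip_address(ip) in ip_trigger(o)
                                          for ip in answer_ips):
            return action_for(t, r)
    return ("PASSTHRU",)                      # nothing matched: resolve normally
```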
  • 13. Actual Photograph of Paul Publishing His Blog
  • 14. RPZ “Feeds”
    • Since RPZs are zones, you can distribute RPZ policies quickly and efficiently
      ̶ “Subscribers” configure their DNS servers as secondaries for RPZ zones
        - Transferring those zones from “publishers”
      ̶ Publishers can send NOTIFY messages when policies change
      ̶ Subscribers can request IXFRs to get just the changes
    • Organizations traditionally in the DNS blocklist business now make their reputational data available via RPZ because it’s efficient and easy to consume
  • 15. How Response Policy Zones Work
    (diagram: Master name server (run by RPZ feed provider) → RPZ data via zone transfer → Local recursive name server; Infected client → Query for malicious domain name → Local recursive name server → Error or redirect; log)
  • 16. Enter Passive DNS
    • Invented by Florian Weimer in 2004
    • Essentially “DNS telemetry”
      ̶ A record of responses seen by recursive DNS servers and a timestamp
        - Referrals
        - Answers
        - Errors
  • 17. Passive DNS
    (diagram: Recursive name server → Root name servers, com name servers, example.com name servers; pDNS replication → Passive DNS database)
  • 18. Passive DNS Databases
    • Databases of collected passive DNS data are invaluable for detecting malicious or suspicious activity
      ̶ Fast fluxing
      ̶ Domain Generation Algorithms
      ̶ DNS tunneling
      ̶ Cache poisoning
      ̶ Unauthorized access to cloud services
      ̶ …and much more
  • 19. Closing the Loop
    (diagram: Customer 1, Customer 2 … Customer 9000 → Analytics Cloud → RPZ)
  • 20. Case Study: Farsight’s NOD Feed
    • Farsight Security uses their passive DNS database to create an RPZ of domain names “newly observed” on the Internet
      ̶ Say less than 30 minutes old
    • Turns out an enormous percentage of brand-new domain names are malicious
      ̶ Registered, used for malicious activity (e.g., a phishing campaign) and then discarded
    • Blocking access to them will thwart much badness
    • And the opportunity cost is minimal
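Slides 16 to 20 close the loop from passive DNS telemetry to an RPZ feed. As an added example that is not from the deck, from Farsight or from any real feed, this Python derives a first-seen index from constructed passive-DNS observations and emits the 30-minute "newly observed" set as RPZ records; the observation format, the timestamps and the names (under the reserved .example TLD) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed passive-DNS observations (not real data): what a sensor beside a
# recursive name server records for each response it sees.
# "<timestamp> <rrname> <rrtype> <rdata>"; new names use the reserved .example TLD.
PDNS_OBSERVATIONS = """\
2018-03-27T09:00:00 www.example.com A 93.184.216.34
2018-03-27T09:05:00 ns1.example.com A 93.184.216.1
2018-03-27T11:40:00 login-verify.example A 198.51.100.23
2018-03-27T11:42:00 www.login-verify.example A 198.51.100.23
2018-03-27T11:50:00 cdn.fresh-cdn.example A 203.0.113.9
"""

def registered_domain(name):
    # Assumption: last two labels are the registrable domain (no public-suffix list).
    return ".".join(name.rstrip(".").split(".")[-2:])

def first_seen_index(observations):
    """Earliest timestamp at which each registered domain appeared in any response."""
    first_seen = {}
    for line in observations.splitlines():
        ts, rrname, _rrtype, _rdata = line.split()
        dom, t = registered_domain(rrname), datetime.fromisoformat(ts)
        if dom not in first_seen or t < first_seen[dom]:
            first_seen[dom] = t
    return first_seen

def newly_observed(first_seen, now_iso, window_minutes=30):
    """Domains first seen within the window before `now_iso`: the NOD set at that moment."""
    now, window = datetime.fromisoformat(now_iso), timedelta(minutes=window_minutes)
    return sorted(d for d, t in first_seen.items() if timedelta(0) <= now - t <= window)

def nod_rpz_records(domains):
    """RPZ QNAME triggers returning NXDOMAIN for each NOD and everything under it."""
    return [rec for d in domains for rec in (f"{d} CNAME .", f"*.{d} CNAME .")]
```

Because the set is recomputed against the current time, a domain drops out of the feed once it is older than the window, which is why the slide can describe the opportunity cost as minimal.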
  • 21. How to Apply What You’ve Learned Today
    • Check whether your DNS servers already support Response Policy Zones
      ̶ If not, consider making RPZ support a requirement when you upgrade your DNS servers
    • Determine whether one or more RPZs might be useful to you
    • Plumb these RPZs into your DNS servers and send RPZ logs to your SIEM
    • Think about collecting your passive DNS data and mining it

Editor's Notes

  1. Source: Cisco Security Research. In this case, “uses” doesn’t necessarily mean “as a vector,” but rather that DNS resolution is integral to the attack, e.g., for resolving the name of a C&C server.
  2. Can also use NULL RRs and binary RDATA (lower overhead)
  3. If you’re not worried about (or can detect) Microsoft DNS Servers, you can use binary labels (more efficient)
  4. Convergence in sub-minutes, so nearly real-time