SlideShare a Scribd company logo
1 of 48
All Rights Reserved © 2019
Suman Kumar Saha
AmberIT Limited
suman@amberit.com.bd
Allan Watanabe
PIPELINE Security
www.pipelinesecurity.net
Safe Internet for ‘ALL’
Started brainstorming to find a suitable way to provide
a secure internet to all of our users:
Considerations: Easy implementation without deploying
any hardware or without any change in CPE devices.
Possible ways:
• Router ACLs
• Web proxy filter
• Content-aware firewall
• DNS Response Policy Zone (RPZ)
DNS Response Policy Zone
● Over 91% percent malware uses DNS(As Cisco 2016
Annual Cyber security report)
● Nearly all the cryptominer stuffs uses DNS based C&C(As
Cisco 2016 Annual Cyber security report)
● RPZ allows a recursive server to control the behavior of
responses to queries.
● Administrator to overlay custom information on
top of the global DNS to provide alternate responses to
queries.
● RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.
● It works like firewall on cloud.
● DNS RPZ will block DNS resolution, machines connecting to the
C&C via IP address will not be blocked.
DNS Response Policy Zone(RPZ)
● “DNS Firewall gives you the most bang for your buck” -Paul Vixie
● Reputation data is packaged into Response Policy Zones (RPZs)
● RPZ include both the filter criteria, and a response policy action
● BIND evaluates whether its response matches a filter in
the RPZ and applies the policy specified
● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
Core DNS Principles
Master/
Primary
DNS
Slave/
Secondary
DNS
Caching
Resolver
DNS
.org
bdnog.org
www.bdnog.org
AXFR
TSIG
IXFR
TSIG
AXFR - Full Zone Transfers
IXFR - Incremental Zone Transfers
TSIG - Transaction SIGnature
used to secure the AXFR/IXFR
What is the IP for
www.bdnog.org?
Who is in charge of
www.bdnog.org?
www.bdnog.org is 202.4.96.213
.root
.org
bdnog.o rg
.root
DNS RPZ
Master DNS
RPZ Feed
AXF
R
IXFR
What is the IP for
www.bdnog.org?
Who is in charge of bdnog.org?
www.bdnog.org
www.bdnog.org is 202.4.96.213
RPZ
Caching
Resolver
DNS
* RPZ capability on the
DNS Cashing Resolver
allows zone transfers to
be pushed out in seconds.
Security Company
DNS RPZ in Action
Master DNS
RPZ Feed
RPZ
Caching
Resolver
DNS
AXFR
IXFR
What is the IP for
badguys.com?
badguys.com
To find the
bad guysSecurity Company
What is the IP for
badguys.com?
SPAM
Computer
looks up
Xyzbadness
. com
How is DNS RPZ Different?
Master DNS
RPZ Feed
RPZ
Caching
Resolver
DNS
AXFR
IXFR
Security Company
DNS
RBL
Some RBL User
Update zone
files
Query Every
time
How is DNS RPZ Different?
• DNS RPZ allows for multiple feeds.
• Allows for industry incident feeds.
• Allows for local incident management
feeds.
Resolver DNS
RPZ Zone Files
RPZ Feed
Malware
RPZ Feed
C&C Hosts
OPSEC
InfoSec
Components of the Criminal Cloud
● Spam Botnet
● Command & Control
● Drive-by Domains
● Malware
● Secondary Malware
● Proxy
● Payment Processors
● Mule Operations
● Packer
● TLD Domain
● Name Servers
Mirai
Avalanche
Blackhole
Zeus
Cryptojackers
Passwords
Ransomware
Malware
Rootkit
Call home
Malicious Redirects
E-commerce / Payments
Security Updates
Legitimate Abused
antvirus.updates.com
Scanning, Worming, & Spreading
Bot Herder
Email
SMS
SNS
Vulnerable
Malicious
Infected
Devices
DNS
C&C Botnet
Step 1
Step 2
Step 3
We can see the bot
herders traffic.
Domains are known to be malicious!
& 	
/
DNS
DNS RPZ would have stopped this attack!
With RPZ you can detect, alert,
block, and protect users.
& 	
/
DNS
rpz NSDNAME NXDOMAIN rewrite ns1.apple.com
rpz QNAME NXDOMAIN rewrite botnet.com
rpz QNAME NXDOMAIN rewrite malciousdomain.com
Real Sample today
Possible Uses Examples
• Enterprise : Detect and stop malicious activities.
• ISP : Investigate infected customer hosts.
• SOC : Alert SOC team about malicious access
• OEM : Protect IoT devices
• ALL : Detect and sanitize your networks
RPZ supported DNS Applications
RPZ is native in several of the industry’s leading DNS platforms,
including:
● BIND V9.8 (or greater)
● Power DNS recursor
Numerous appliance vendors have enabled RPZ as well, including:
● Infoblox
● Efficient IP
● Bluecoat
and many more
RPZ Rule
Let’s we want to rewrite any DNS queries for a
specific hostname, but allow lookups to the domain
and other hosts in that domain:
host.filter.com IN CNAME .
This result in an NXDOMAIN (Non existence) response
for a query for “host.filter.com”
Response Policy Triggers
The rules in a Response Policy Zone consist of triggers or
filters that identify what responses to modify, and policy
actions to apply to these responses. Each rule can use one of
five policy triggers and specify one of eight policy actions.
QNAME RPZ-IP RPZ-NSDNAME
RPZ-CLIENT-IPRPZ-NSIP
Response Policy Actions
GIVEN
CNAME
TCP-ONLY
DROP
PASSTHROUGH
NXDOMAIN
DISABLED
NODATA
Is the default action and define no overrides
Name exists but there are no records of the requested
type
To redirect the user with a CNAME to a walled garden.
Forces the resolver to use TCP for the query.
Drop the query without any response to the client.
Exempt the response from further policy processing.
Domain does not exist.Most common policy used.
All Policy Actions for this zone are disabled but all items are logged
RPZ Logging
Since we’re running RPZ, we definitely want to log
any RPZ rewrites. To do that, we need to set up two
things under the “logging” header.
channel rpzlog {
file "rpz.log" versions unlimited size 1000m; print-time yes;
print-category yes;
print-severity yes;
severity info; };
category rpz { rpzlog;
};
Before Implementation
● At first implement on logging mode for at least for a
week
● Restricted RPZ recursive server to use within the
ACL
● Restricted users from using other recursive resolver
servers
● Redirected DNS traffic to DNA RPZ recursive
resolver (That’s important to bring users in safety
net)
RPZ Feed Providers
● Spamhaus
● Deteque
● PIPELINE Security
● Farsight security
● SURBL
● Threat Stop
DNS Firewall: Implementation Case Study in an ISP
● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh.
● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan.
● Used with BIND 9.11.3 Extended Support Version(ESV).
● Also tested with Powerdns recursor.
● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled
recursive name server to avoid adding new DNS server on every CPE.
● Added forwarder in current recursive DNS and forwarded all the recursive
request to RPZ enabled name server.
● Used as RPZ passthrough
Resources used for the implementation
And one System Admin to cook those things
One server for Bind LXD Container with Ubuntu 18.04
vCPU:8 cores,Memory : 8GB,Storage:100GB
Second server ELK stack for
data visualization.
LXD Container with Ubuntu 18.04
vCPU:4 cores,Memory : 4GB,Storage:100GB
RPZ zones Data feed from
RPZ feed provider
Any feed provider you can test free for one
month .We have used from
Spamhaus/deteque.
Simple Installation:Bind
Required time : Not more than 60 minutes
From Bind 9.8 Bind is compatible and comes with RPZ support.
For this case we have used ubuntu 18.04LTS.
Installed bind with apt and no special patches needed for RPZ.
Simple Installation:Adding RPZ zones
Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response-
policy.Bind currently has a 32 zone limit
response-policy {
zone "rpz.local";
### 11 Standard Feeds
zone "adware.host.dtq" policy passthru;
zone "badrep.host.dtq" policy passthru;
zone "bad-nameservers.ip.dtq" policy passthru ;
zone "bad-nameservers.host.dtq" policy passthru;
zone "bogons.ip.dtq";
zone "botnetcc.host.dtq";
zone "botnet.host.dtq" policy passthru;
zone "botnetcc.ip.dtq" policy passthru;
zone "dga.host.dtq" policy passthru;
zone "malware.host.dtq";
zone "phish.host.dtq" policy passthru;
### Edited Feeds
zone "adware.edit.host.dtq";
zone "badrep.edit.host.dtq";
zone "botnetcc.edit.host.dtq";
zone "botnet.edit.host.dtq";
zone "malware.edit.host.dtq";
zone "phish.edit.host.dtq";
### Premium Feeds
zone "zrd.host.dtq";
### Free Feeds
zone "drop.ips.dtq" policy passthru;
### Service Feeds
zone "coinblock.srv";
zone "torblock.srv" policy passthru;
};
Simple Installation:Get RPZ data from provider
RPZ zones will be downloaded from feed provided as a slave
zone.
zone "malware.edit.host.dtq" {
type slave;
file "dbx.malware.edit.host.dtq";
masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; };
allow-transfer { none; };
};
Simple Installation:RPZ Incident Log
Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do
that, we need to set up two things under the “logging” header.
Add the RPZ log in /etc/bind/named.conf
logging {
channel null {
null; };
channel bindlog {
file "bind.log";
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
Bind Installation:Generating Log
channel rpzlog {
file "rpz.log" versions unlimited size 1000m; print-time yes;
print-category yes; print-severity yes;
severity info;};
category config { bindlog; };category xfer-in { bindlog; };category xfer-
out { bindlog; }; category network { bindlog; };category update {
bindlog; };category update-security { bindlog; }; category
delegation-only { bindlog; };
category rpz { rpzlog; };
};
RPZ Logs
RPZ log take logs the queries to RPZ zones.
● The threat source IP
● destination of the for threat
● Categorization of the threat
27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60
118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite
qpxrg.com via qpxrg.com.malware.host.dtq
Whitelisting
● rpz.local placed in top among the RPZ zones for custom
configuration in bind.
● On any false positive or on any issue we can whitelist a
domain or IP or client IP if require.
Some source/domains/IP whitelisted on user requirement :
32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru.
32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru.
32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru.
binance.com CNAME rpz-passthru.
*.binance.com CNAME rpz-passthru.
cryptonator.com CNAME rpz-passthru.
*.cryptonator.com CNAME rpz-passthru.
Monitoring Incidents with The ELK stack
The ELK stack is a collection of three open source tools -
Elasticsearch + Logstash + Kibana
Monitoring Incidents with ELK stack
● Logs: Server logs that need to be analyzed are identified
● Logstash: Collect logs and events data. It even parses and
transforms data
● ElasticSearch: The transformed data from Logstash is Store,
Search, and indexed.
● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and
Share
● Beats: Use to transport logs to the ELK stack
Day 1 - Over 1.3M Queries to RPZ Zones
Day 1 - Top 5 Results
RPZ logs from Various Nodes
Top Categories of threats
Top Catagories of threats
Top threats by Hostname
hosted by DNS of a malicious domain (coppersurfer.tk)
0--0.ml
0-00.ml
0-21.tk
000-daviotek.tk
000-default.tk
000000.ga
0002.tk
000web.tk
0010.ga
00gg.tk
00up.cf
0101.tk
0111.gq
022gay.com
028video.gq
02reg.tk
03essay.cf
0443622812.ga
05291123.tk
0599.tk
0815netz.tk
0900alternatieven.co
m
091617.cf
0ang3el.ml
0jav.cf
0jav.ga
0network.tk
0nlyyou.tk
Vulnerable Nodes with potential treats
Deep Dive in a incident:pubyun.com
pubyun.com was one of the top destination from monitoring and DNS
RPZ filtered the traffic.
A news from 2012 .But still it is active in the live network.
https://www.techinasia.com/microsoft-lawsuit-chinese-malware
It is also in the Sophos malaware analysis
https://www.sophos.com/en-us/threat-
center/threat-analyses/viruses-and-
spyware/Troj~MSIL-DXC/detailed-analysis.aspx
Deep dive in a incident:pubyun.com
https://www.joesandbox.com/analysis/37219/0/executive
Pubyun.com actually a hosting provider before that they operated as 3322.org
that hosted many malwares ,cryptomiers and used for malicious activities.Here is
a sample of malware that used pubyun.com.
Top malware destinations from infected nodes
RPZ Incident monitoring dashboard with Kibana
Resources
https://www.slideshare.net/BarryRGreene/binds-new-
security-feature-dnsrpz-the-quotdns-firewallquot
https://www.deteque.com/app/uploads/2018/04/Spamhau
s-DNS-RPZ-DROP-Setup-v.2.pdf
https://www.netcon-consulting.com
All Rights Reserved © 2019
Suman Kumar Saha
AmberIT Limited
suman@amberit.com.bd
Allan Watanabe
PIPELINE Security
www.pipelinesecurity.jp
THANK YOU!

More Related Content

What's hot

BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedMustafa Golam
 
Domain naming system
Domain naming systemDomain naming system
Domain naming systemChinmoy Jena
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practicesMen and Mice
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamMyNOG
 
Security and Data Governance using Apache Ranger and Apache Atlas
Security and Data Governance using Apache Ranger and Apache AtlasSecurity and Data Governance using Apache Ranger and Apache Atlas
Security and Data Governance using Apache Ranger and Apache AtlasDataWorks Summit/Hadoop Summit
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingHossein Yavari
 
Caching solutions with Redis
Caching solutions   with RedisCaching solutions   with Redis
Caching solutions with RedisGeorge Platon
 
Configuration & Routing of Clos Networks
Configuration & Routing of Clos NetworksConfiguration & Routing of Clos Networks
Configuration & Routing of Clos NetworksCumulus Networks
 
Lesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol ALesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol AMahmmoud Mahdi
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Netgate
 
Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...
Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...
Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...Felipe Blini
 
Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with KamailioFred Posner
 
Alexei Vladishev - Zabbix - Monitoring Solution for Everyone
Alexei Vladishev - Zabbix - Monitoring Solution for EveryoneAlexei Vladishev - Zabbix - Monitoring Solution for Everyone
Alexei Vladishev - Zabbix - Monitoring Solution for EveryoneZabbix
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsGabriella Davis
 
Redis persistence in practice
Redis persistence in practiceRedis persistence in practice
Redis persistence in practiceEugene Fidelin
 
[자바카페] Elasticsearch Aggregation (2018)
[자바카페] Elasticsearch Aggregation (2018)[자바카페] Elasticsearch Aggregation (2018)
[자바카페] Elasticsearch Aggregation (2018)용호 최
 

What's hot (20)

BIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To AdvancedBIND DNS IPWorks Introduction To Advanced
BIND DNS IPWorks Introduction To Advanced
 
Domain naming system
Domain naming systemDomain naming system
Domain naming system
 
Cisco CCNA- DHCP Server
Cisco CCNA-  DHCP ServerCisco CCNA-  DHCP Server
Cisco CCNA- DHCP Server
 
BIND 9 logging best practices
BIND 9 logging best practicesBIND 9 logging best practices
BIND 9 logging best practices
 
Deploying IPv6 on OpenStack
Deploying IPv6 on OpenStackDeploying IPv6 on OpenStack
Deploying IPv6 on OpenStack
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
Security and Data Governance using Apache Ranger and Apache Atlas
Security and Data Governance using Apache Ranger and Apache AtlasSecurity and Data Governance using Apache Ranger and Apache Atlas
Security and Data Governance using Apache Ranger and Apache Atlas
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
SIPREC RTPEngine Media Forking
SIPREC RTPEngine Media ForkingSIPREC RTPEngine Media Forking
SIPREC RTPEngine Media Forking
 
Caching solutions with Redis
Caching solutions   with RedisCaching solutions   with Redis
Caching solutions with Redis
 
Configuration & Routing of Clos Networks
Configuration & Routing of Clos NetworksConfiguration & Routing of Clos Networks
Configuration & Routing of Clos Networks
 
Lesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol ALesson 6: Dynamic Host Configuration Protocol A
Lesson 6: Dynamic Host Configuration Protocol A
 
Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
 
Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...
Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...
Monitoramento de serviços com Zabbix + Grafana + Python - Marcelo Santoto - D...
 
Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with Kamailio
 
Alexei Vladishev - Zabbix - Monitoring Solution for Everyone
Alexei Vladishev - Zabbix - Monitoring Solution for EveryoneAlexei Vladishev - Zabbix - Monitoring Solution for Everyone
Alexei Vladishev - Zabbix - Monitoring Solution for Everyone
 
Engage2022 - Domino Admin Tips
Engage2022 - Domino Admin TipsEngage2022 - Domino Admin Tips
Engage2022 - Domino Admin Tips
 
Redis persistence in practice
Redis persistence in practiceRedis persistence in practice
Redis persistence in practice
 
Zabbix
ZabbixZabbix
Zabbix
 
[자바카페] Elasticsearch Aggregation (2018)
[자바카페] Elasticsearch Aggregation (2018)[자바카페] Elasticsearch Aggregation (2018)
[자바카페] Elasticsearch Aggregation (2018)
 

Similar to Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP

PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PROIDEA
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS FirewallAPNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
COSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxCOSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxShihta Kuan
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewMarketingArrowECS_CZ
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
Dns security threats and solutions
Dns security   threats and solutionsDns security   threats and solutions
Dns security threats and solutionsFrank Victory
 
Building a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First reviewBuilding a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First reviewHari
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneAPNIC
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionRedge Technologies
 
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...DataWorks Summit/Hadoop Summit
 
Windows most important server questions for l1 level
Windows  most important server questions for l1 levelWindows  most important server questions for l1 level
Windows most important server questions for l1 levelIICT Chromepet
 
Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyA. S. M. Shamim Reza
 

Similar to Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP (20)

Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
 
Getting Started with a DNS Firewall
Getting Started with a DNS FirewallGetting Started with a DNS Firewall
Getting Started with a DNS Firewall
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
COSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge BoxCOSCUP 2019 - CDN in an Edge Box
COSCUP 2019 - CDN in an Edge Box
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
Dns security threats and solutions
Dns security   threats and solutionsDns security   threats and solutions
Dns security threats and solutions
 
Building a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First reviewBuilding a Linux IPv6 DNS Server Project review PPT v3.0 First review
Building a Linux IPv6 DNS Server Project review PPT v3.0 First review
 
Running a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root ZoneRunning a Local Copy of the DNS Root Zone
Running a Local Copy of the DNS Root Zone
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
Near Real-Time Network Anomaly Detection and Traffic Analysis using Spark bas...
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
Windows most important server questions for l1 level
Windows  most important server questions for l1 levelWindows  most important server questions for l1 level
Windows most important server questions for l1 level
 
Implementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case studyImplementation of DNS Anycast - a case study
Implementation of DNS Anycast - a case study
 

More from APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

More from APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Recently uploaded

Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfrajats19920
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirtsrahman018755
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
Basic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielBasic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielpratamakiki860
 

Recently uploaded (6)

Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...Summary  ID-IGF 2016 National Dialogue  - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
Power of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdfPower of Social Media for E-commerce.pdf
Power of Social Media for E-commerce.pdf
 
Tari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T ShirtsTari Eason Warriors Come Out To Play T Shirts
Tari Eason Warriors Come Out To Play T Shirts
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)Summary  IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
Basic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobielBasic Security.pptx is a awsome PPT on your mobiel
Basic Security.pptx is a awsome PPT on your mobiel
 

Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP

  • 1. All Rights Reserved © 2019 Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.net
  • 2. Safe Internet for ‘ALL’ Started brainstorming to find a suitable way to provide a secure internet to all of our users: Considerations: Easy implementation without deploying any hardware or without any change in CPE devices. Possible ways: • Router ACLs • Web proxy filter • Content-aware firewall • DNS Response Policy Zone (RPZ)
  • 3. DNS Response Policy Zone ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) ● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.
  • 4. DNS Response Policy Zone(RPZ) ● “DNS Firewall gives you the most bang for your buck” -Paul Vixie ● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
  • 5. Core DNS Principles Master/ Primary DNS Slave/ Secondary DNS Caching Resolver DNS .org bdnog.org www.bdnog.org AXFR TSIG IXFR TSIG AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR What is the IP for www.bdnog.org? Who is in charge of www.bdnog.org? www.bdnog.org is 202.4.96.213 .root
  • 6. .org bdnog.o rg .root DNS RPZ Master DNS RPZ Feed AXF R IXFR What is the IP for www.bdnog.org? Who is in charge of bdnog.org? www.bdnog.org www.bdnog.org is 202.4.96.213 RPZ Caching Resolver DNS * RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. Security Company
  • 7. DNS RPZ in Action Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR What is the IP for badguys.com? badguys.com To find the bad guysSecurity Company What is the IP for badguys.com? SPAM Computer looks up Xyzbadness . com
  • 8. How is DNS RPZ Different? Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR Security Company DNS RBL Some RBL User Update zone files Query Every time
  • 9. How is DNS RPZ Different? • DNS RPZ allows for multiple feeds. • Allows for industry incident feeds. • Allows for local incident management feeds. Resolver DNS RPZ Zone Files RPZ Feed Malware RPZ Feed C&C Hosts OPSEC InfoSec
  • 10. Components of the Criminal Cloud ● Spam Botnet ● Command & Control ● Drive-by Domains ● Malware ● Secondary Malware ● Proxy ● Payment Processors ● Mule Operations ● Packer ● TLD Domain ● Name Servers Mirai Avalanche Blackhole Zeus Cryptojackers Passwords Ransomware Malware Rootkit Call home
  • 11. Malicious Redirects E-commerce / Payments Security Updates Legitimate Abused antvirus.updates.com
  • 12. Scanning, Worming, & Spreading Bot Herder Email SMS SNS Vulnerable Malicious Infected Devices DNS C&C Botnet Step 1 Step 2 Step 3
  • 13. We can see the bot herders traffic. Domains are known to be malicious! & / DNS
  • 14. DNS RPZ would have stopped this attack! With RPZ you can detect, alert, block, and protect users. & / DNS rpz NSDNAME NXDOMAIN rewrite ns1.apple.com rpz QNAME NXDOMAIN rewrite botnet.com rpz QNAME NXDOMAIN rewrite malciousdomain.com
  • 16. Possible Uses Examples • Enterprise : Detect and stop malicious activities. • ISP : Investigate infected customer hosts. • SOC : Alert SOC team about malicious access • OEM : Protect IoT devices • ALL : Detect and sanitize your networks
  • 17. RPZ supported DNS Applications RPZ is native in several of the industry’s leading DNS platforms, including: ● BIND V9.8 (or greater) ● Power DNS recursor Numerous appliance vendors have enabled RPZ as well, including: ● Infoblox ● Efficient IP ● Bluecoat and many more
  • 18. RPZ Rule Let’s we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME . This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com”
  • 19. Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. QNAME RPZ-IP RPZ-NSDNAME RPZ-CLIENT-IPRPZ-NSIP
  • 20. Response Policy Actions GIVEN CNAME TCP-ONLY DROP PASSTHROUGH NXDOMAIN DISABLED NODATA Is the default action and define no overrides Name exists but there are no records of the requested type To redirect the user with a CNAME to a walled garden. Forces the resolver to use TCP for the query. Drop the query without any response to the client. Exempt the response from further policy processing. Domain does not exist.Most common policy used. All Policy Actions for this zone are disabled but all items are logged
  • 21. RPZ Logging Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };
  • 22. Before Implementation ● At first implement on logging mode for at least for a week ● Restricted RPZ recursive server to use within the ACL ● Restricted users from using other recursive resolver servers ● Redirected DNS traffic to DNA RPZ recursive resolver (That’s important to bring users in safety net)
  • 23. RPZ Feed Providers ● Spamhaus ● Deteque ● PIPELINE Security ● Farsight security ● SURBL ● Threat Stop
  • 24. DNS Firewall: Implementation Case Study in an ISP ● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh. ● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan. ● Used with BIND 9.11.3 Extended Support Version(ESV). ● Also tested with Powerdns recursor. ● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled recursive name server to avoid adding new DNS server on every CPE. ● Added forwarder in current recursive DNS and forwarded all the recursive request to RPZ enabled name server. ● Used as RPZ passthrough
  • 25. Resources used for the implementation And one System Admin to cook those things One server for Bind LXD Container with Ubuntu 18.04 vCPU:8 cores,Memory : 8GB,Storage:100GB Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider you can test free for one month .We have used from Spamhaus/deteque.
  • 26. Simple Installation:Bind Required time : Not more than 60 minutes From Bind 9.8 Bind is compatible and comes with RPZ support. For this case we have used ubuntu 18.04LTS. Installed bind with apt and no special patches needed for RPZ.
  • 27. Simple Installation:Adding RPZ zones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response- policy.Bind currently has a 32 zone limit response-policy { zone "rpz.local"; ### 11 Standard Feeds zone "adware.host.dtq" policy passthru; zone "badrep.host.dtq" policy passthru; zone "bad-nameservers.ip.dtq" policy passthru ; zone "bad-nameservers.host.dtq" policy passthru; zone "bogons.ip.dtq"; zone "botnetcc.host.dtq"; zone "botnet.host.dtq" policy passthru; zone "botnetcc.ip.dtq" policy passthru; zone "dga.host.dtq" policy passthru; zone "malware.host.dtq"; zone "phish.host.dtq" policy passthru; ### Edited Feeds zone "adware.edit.host.dtq"; zone "badrep.edit.host.dtq"; zone "botnetcc.edit.host.dtq"; zone "botnet.edit.host.dtq"; zone "malware.edit.host.dtq"; zone "phish.edit.host.dtq"; ### Premium Feeds zone "zrd.host.dtq"; ### Free Feeds zone "drop.ips.dtq" policy passthru; ### Service Feeds zone "coinblock.srv"; zone "torblock.srv" policy passthru; };
  • 28. Simple Installation:Get RPZ data from provider RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; };
  • 29. Simple Installation:RPZ Incident Log Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. Add the RPZ log in /etc/bind/named.conf logging { channel null { null; }; channel bindlog { file "bind.log"; print-time yes; print-category yes; print-severity yes; severity info; };
  • 30. Bind Installation:Generating Log channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category config { bindlog; };category xfer-in { bindlog; };category xfer- out { bindlog; }; category network { bindlog; };category update { bindlog; };category update-security { bindlog; }; category delegation-only { bindlog; }; category rpz { rpzlog; }; };
  • 31. RPZ Logs RPZ log take logs the queries to RPZ zones. ● The threat source IP ● destination of the for threat ● Categorization of the threat 27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60 118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite qpxrg.com via qpxrg.com.malware.host.dtq
  • 32. Whitelisting ● rpz.local placed in top among the RPZ zones for custom configuration in bind. ● On any false positive or on any issue we can whitelist a domain or IP or client IP if require. Some source/domains/IP whitelisted on user requirement : 32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru. binance.com CNAME rpz-passthru. *.binance.com CNAME rpz-passthru. cryptonator.com CNAME rpz-passthru. *.cryptonator.com CNAME rpz-passthru.
  • 33. Monitoring Incidents with The ELK stack The ELK stack is a collection of three open source tools - Elasticsearch + Logstash + Kibana
  • 34. Monitoring Incidents with ELK stack ● Logs: Server logs that need to be analyzed are identified ● Logstash: Collect logs and events data. It even parses and transforms data ● ElasticSearch: The transformed data from Logstash is Store, Search, and indexed. ● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and Share ● Beats: Use to transport logs to the ELK stack
  • 35. Day 1 - Over 1.3M Queries to RPZ Zones
  • 36. Day 1 - Top 5 Results
  • 37. RPZ logs from Various Nodes
  • 38. Top Categories of threats
  • 39. Top Catagories of threats
  • 40. Top threats by Hostname
  • 41. hosted by DNS of a malicious domain (coppersurfer.tk) 0--0.ml 0-00.ml 0-21.tk 000-daviotek.tk 000-default.tk 000000.ga 0002.tk 000web.tk 0010.ga 00gg.tk 00up.cf 0101.tk 0111.gq 022gay.com 028video.gq 02reg.tk 03essay.cf 0443622812.ga 05291123.tk 0599.tk 0815netz.tk 0900alternatieven.co m 091617.cf 0ang3el.ml 0jav.cf 0jav.ga 0network.tk 0nlyyou.tk
  • 42. Vulnerable Nodes with potential treats
  • 43. Deep Dive in a incident:pubyun.com pubyun.com was one of the top destination from monitoring and DNS RPZ filtered the traffic. A news from 2012 .But still it is active in the live network. https://www.techinasia.com/microsoft-lawsuit-chinese-malware It is also in the Sophos malaware analysis https://www.sophos.com/en-us/threat- center/threat-analyses/viruses-and- spyware/Troj~MSIL-DXC/detailed-analysis.aspx
  • 44. Deep dive in a incident:pubyun.com https://www.joesandbox.com/analysis/37219/0/executive Pubyun.com actually a hosting provider before that they operated as 3322.org that hosted many malwares ,cryptomiers and used for malicious activities.Here is a sample of malware that used pubyun.com.
  • 45. Top malware destinations from infected nodes
  • 46. RPZ Incident monitoring dashboard with Kibana
  • 48. All Rights Reserved © 2019 Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.jp THANK YOU!