APNIC, profile picture
Uploaded byAPNIC
1,974 views

Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP

This document discusses implementing DNS Response Policy Zones (RPZ) to provide secure internet access for all users without requiring new hardware or client-side changes. It describes considerations for RPZ, how RPZ works to block malicious DNS resolutions, the components of a real-world implementation case study at a major Bangladeshi ISP, and monitoring results showing over 1.3 million queries to RPZ zones on the first day.

Embed presentation

All Rights Reserved © 2019 Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.net
Safe Internet for ‘ALL’ Started brainstorming to find a suitable way to provide a secure internet to all of our users: Considerations: Easy implementation without deploying any hardware or without any change in CPE devices. Possible ways: • Router ACLs • Web proxy filter • Content-aware firewall • DNS Response Policy Zone (RPZ)
DNS Response Policy Zone ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) ● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.
DNS Response Policy Zone(RPZ) ● “DNS Firewall gives you the most bang for your buck” -Paul Vixie ● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
Core DNS Principles Master/ Primary DNS Slave/ Secondary DNS Caching Resolver DNS .org bdnog.org www.bdnog.org AXFR TSIG IXFR TSIG AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR What is the IP for www.bdnog.org? Who is in charge of www.bdnog.org? www.bdnog.org is 202.4.96.213 .root
.org bdnog.o rg .root DNS RPZ Master DNS RPZ Feed AXF R IXFR What is the IP for www.bdnog.org? Who is in charge of bdnog.org? www.bdnog.org www.bdnog.org is 202.4.96.213 RPZ Caching Resolver DNS * RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. Security Company
DNS RPZ in Action Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR What is the IP for badguys.com? badguys.com To find the bad guysSecurity Company What is the IP for badguys.com? SPAM Computer looks up Xyzbadness . com
How is DNS RPZ Different? Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR Security Company DNS RBL Some RBL User Update zone files Query Every time
How is DNS RPZ Different? • DNS RPZ allows for multiple feeds. • Allows for industry incident feeds. • Allows for local incident management feeds. Resolver DNS RPZ Zone Files RPZ Feed Malware RPZ Feed C&C Hosts OPSEC InfoSec
Components of the Criminal Cloud ● Spam Botnet ● Command & Control ● Drive-by Domains ● Malware ● Secondary Malware ● Proxy ● Payment Processors ● Mule Operations ● Packer ● TLD Domain ● Name Servers Mirai Avalanche Blackhole Zeus Cryptojackers Passwords Ransomware Malware Rootkit Call home
Malicious Redirects E-commerce / Payments Security Updates Legitimate Abused antvirus.updates.com
Scanning, Worming, & Spreading Bot Herder Email SMS SNS Vulnerable Malicious Infected Devices DNS C&C Botnet Step 1 Step 2 Step 3
We can see the bot herders traffic. Domains are known to be malicious! & / DNS
DNS RPZ would have stopped this attack! With RPZ you can detect, alert, block, and protect users. & / DNS rpz NSDNAME NXDOMAIN rewrite ns1.apple.com rpz QNAME NXDOMAIN rewrite botnet.com rpz QNAME NXDOMAIN rewrite malciousdomain.com
Real Sample today
Possible Uses Examples • Enterprise : Detect and stop malicious activities. • ISP : Investigate infected customer hosts. • SOC : Alert SOC team about malicious access • OEM : Protect IoT devices • ALL : Detect and sanitize your networks
RPZ supported DNS Applications RPZ is native in several of the industry’s leading DNS platforms, including: ● BIND V9.8 (or greater) ● Power DNS recursor Numerous appliance vendors have enabled RPZ as well, including: ● Infoblox ● Efficient IP ● Bluecoat and many more
RPZ Rule Let’s we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME . This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com”
Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. QNAME RPZ-IP RPZ-NSDNAME RPZ-CLIENT-IPRPZ-NSIP
Response Policy Actions GIVEN CNAME TCP-ONLY DROP PASSTHROUGH NXDOMAIN DISABLED NODATA Is the default action and define no overrides Name exists but there are no records of the requested type To redirect the user with a CNAME to a walled garden. Forces the resolver to use TCP for the query. Drop the query without any response to the client. Exempt the response from further policy processing. Domain does not exist.Most common policy used. All Policy Actions for this zone are disabled but all items are logged
RPZ Logging Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };
Before Implementation ● At first implement on logging mode for at least for a week ● Restricted RPZ recursive server to use within the ACL ● Restricted users from using other recursive resolver servers ● Redirected DNS traffic to DNA RPZ recursive resolver (That’s important to bring users in safety net)
RPZ Feed Providers ● Spamhaus ● Deteque ● PIPELINE Security ● Farsight security ● SURBL ● Threat Stop
DNS Firewall: Implementation Case Study in an ISP ● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh. ● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan. ● Used with BIND 9.11.3 Extended Support Version(ESV). ● Also tested with Powerdns recursor. ● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled recursive name server to avoid adding new DNS server on every CPE. ● Added forwarder in current recursive DNS and forwarded all the recursive request to RPZ enabled name server. ● Used as RPZ passthrough
Resources used for the implementation And one System Admin to cook those things One server for Bind LXD Container with Ubuntu 18.04 vCPU:8 cores,Memory : 8GB,Storage:100GB Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider you can test free for one month .We have used from Spamhaus/deteque.
Simple Installation:Bind Required time : Not more than 60 minutes From Bind 9.8 Bind is compatible and comes with RPZ support. For this case we have used ubuntu 18.04LTS. Installed bind with apt and no special patches needed for RPZ.
Simple Installation:Adding RPZ zones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response- policy.Bind currently has a 32 zone limit response-policy { zone "rpz.local"; ### 11 Standard Feeds zone "adware.host.dtq" policy passthru; zone "badrep.host.dtq" policy passthru; zone "bad-nameservers.ip.dtq" policy passthru ; zone "bad-nameservers.host.dtq" policy passthru; zone "bogons.ip.dtq"; zone "botnetcc.host.dtq"; zone "botnet.host.dtq" policy passthru; zone "botnetcc.ip.dtq" policy passthru; zone "dga.host.dtq" policy passthru; zone "malware.host.dtq"; zone "phish.host.dtq" policy passthru; ### Edited Feeds zone "adware.edit.host.dtq"; zone "badrep.edit.host.dtq"; zone "botnetcc.edit.host.dtq"; zone "botnet.edit.host.dtq"; zone "malware.edit.host.dtq"; zone "phish.edit.host.dtq"; ### Premium Feeds zone "zrd.host.dtq"; ### Free Feeds zone "drop.ips.dtq" policy passthru; ### Service Feeds zone "coinblock.srv"; zone "torblock.srv" policy passthru; };
Simple Installation:Get RPZ data from provider RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; };
Simple Installation:RPZ Incident Log Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. Add the RPZ log in /etc/bind/named.conf logging { channel null { null; }; channel bindlog { file "bind.log"; print-time yes; print-category yes; print-severity yes; severity info; };
Bind Installation:Generating Log channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category config { bindlog; };category xfer-in { bindlog; };category xfer- out { bindlog; }; category network { bindlog; };category update { bindlog; };category update-security { bindlog; }; category delegation-only { bindlog; }; category rpz { rpzlog; }; };
RPZ Logs RPZ log take logs the queries to RPZ zones. ● The threat source IP ● destination of the for threat ● Categorization of the threat 27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60 118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite qpxrg.com via qpxrg.com.malware.host.dtq
Whitelisting ● rpz.local placed in top among the RPZ zones for custom configuration in bind. ● On any false positive or on any issue we can whitelist a domain or IP or client IP if require. Some source/domains/IP whitelisted on user requirement : 32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru. binance.com CNAME rpz-passthru. *.binance.com CNAME rpz-passthru. cryptonator.com CNAME rpz-passthru. *.cryptonator.com CNAME rpz-passthru.
Monitoring Incidents with The ELK stack The ELK stack is a collection of three open source tools - Elasticsearch + Logstash + Kibana
Monitoring Incidents with ELK stack ● Logs: Server logs that need to be analyzed are identified ● Logstash: Collect logs and events data. It even parses and transforms data ● ElasticSearch: The transformed data from Logstash is Store, Search, and indexed. ● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and Share ● Beats: Use to transport logs to the ELK stack
Day 1 - Over 1.3M Queries to RPZ Zones
Day 1 - Top 5 Results
RPZ logs from Various Nodes
Top Categories of threats
Top Catagories of threats
Top threats by Hostname
hosted by DNS of a malicious domain (coppersurfer.tk) 0--0.ml 0-00.ml 0-21.tk 000-daviotek.tk 000-default.tk 000000.ga 0002.tk 000web.tk 0010.ga 00gg.tk 00up.cf 0101.tk 0111.gq 022gay.com 028video.gq 02reg.tk 03essay.cf 0443622812.ga 05291123.tk 0599.tk 0815netz.tk 0900alternatieven.co m 091617.cf 0ang3el.ml 0jav.cf 0jav.ga 0network.tk 0nlyyou.tk
Vulnerable Nodes with potential treats
Deep Dive in a incident:pubyun.com pubyun.com was one of the top destination from monitoring and DNS RPZ filtered the traffic. A news from 2012 .But still it is active in the live network. https://www.techinasia.com/microsoft-lawsuit-chinese-malware It is also in the Sophos malaware analysis https://www.sophos.com/en-us/threat- center/threat-analyses/viruses-and- spyware/Troj~MSIL-DXC/detailed-analysis.aspx
Deep dive in a incident:pubyun.com https://www.joesandbox.com/analysis/37219/0/executive Pubyun.com actually a hosting provider before that they operated as 3322.org that hosted many malwares ,cryptomiers and used for malicious activities.Here is a sample of malware that used pubyun.com.
Top malware destinations from infected nodes
RPZ Incident monitoring dashboard with Kibana
Resources https://www.slideshare.net/BarryRGreene/binds-new- security-feature-dnsrpz-the-quotdns-firewallquot https://www.deteque.com/app/uploads/2018/04/Spamhau s-DNS-RPZ-DROP-Setup-v.2.pdf https://www.netcon-consulting.com
All Rights Reserved © 2019 Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.jp THANK YOU!

More Related Content

PPTX
NSX-T Architecture and Components.pptx
byAtif Raees
 
PDF
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
byBarry Greene
 
PDF
What is SDN and how to approach it with Python
byJustin Park
 
PPT
OSPF- Multi area
byAhmed Ali
 
PDF
Shared Memory Communications-Direct Memory Access (SMC-D) Overview
byzOSCommserver
 
PDF
VSAN – Architettura e Design
byVMUG IT
 
PPT
Red Hat Ansible 적용 사례
byOpennaru, inc.
 
PDF
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
byBGA Cyber Security
 
NSX-T Architecture and Components.pptx
byAtif Raees
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
byBarry Greene
 
What is SDN and how to approach it with Python
byJustin Park
 
OSPF- Multi area
byAhmed Ali
 
Shared Memory Communications-Direct Memory Access (SMC-D) Overview
byzOSCommserver
 
VSAN – Architettura e Design
byVMUG IT
 
Red Hat Ansible 적용 사례
byOpennaru, inc.
 
DoS ve DDoS Saldırıları ve Korunma Yöntemleri
byBGA Cyber Security
 

What's hot

PDF
Etude pour la mise en place d'un Streaming TV
byRicardo SEBANY
 
PDF
Fosdem 18: Securing embedded Systems using Virtualization
byThe Linux Foundation
 
PPTX
Ccna rse chp2
bynewbie2019
 
PPTX
Spy hard, challenges of 100G deep packet inspection on x86 platform
byRedge Technologies
 
PDF
VLANs in the Linux Kernel
byKernel TLV
 
PDF
Zabbix Performance Tuning
byAlessandro Silva
 
PPTX
LTM essentials
bybharadwajv
 
PDF
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime Ripard
byAnne Nicolas
 
PPTX
Introduction to ibm cloud paks concept license and minimum config public
byPetchpaitoon Krungwong
 
PDF
Hands-on DNSSEC Deployment
byBangladesh Network Operators Group
 
PPTX
vSAN architecture components
byDavid Pasek
 
PDF
VMware - Virtual SAN - IT Changes Everything
byVMUG IT
 
PPTX
BGP Advanced topics
byOlivier Bonaventure
 
PDF
IPMI is dead, Long live Redfish
byBruno Cornec
 
PDF
Pod density comparison: VMware vSphere with Tanzu vs. a bare-metal approach ...
byPrincipled Technologies
 
PPTX
Business Case Of Desktop Virtualization
byMd Yousup Faruqu
 
PPTX
A day in the life of a VSAN I/O - STO7875
byDuncan Epping
 
PDF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
byBrendan Gregg
 
PDF
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
byAnne Nicolas
 
PPTX
ENSA_Module_8.pptx
byJoseLopez1854
 
Etude pour la mise en place d'un Streaming TV
byRicardo SEBANY
 
Fosdem 18: Securing embedded Systems using Virtualization
byThe Linux Foundation
 
Ccna rse chp2
bynewbie2019
 
Spy hard, challenges of 100G deep packet inspection on x86 platform
byRedge Technologies
 
VLANs in the Linux Kernel
byKernel TLV
 
Zabbix Performance Tuning
byAlessandro Silva
 
LTM essentials
bybharadwajv
 
Kernel Recipes 2017 - An introduction to the Linux DRM subsystem - Maxime Ripard
byAnne Nicolas
 
Introduction to ibm cloud paks concept license and minimum config public
byPetchpaitoon Krungwong
 
Hands-on DNSSEC Deployment
byBangladesh Network Operators Group
 
vSAN architecture components
byDavid Pasek
 
VMware - Virtual SAN - IT Changes Everything
byVMUG IT
 
BGP Advanced topics
byOlivier Bonaventure
 
IPMI is dead, Long live Redfish
byBruno Cornec
 
Pod density comparison: VMware vSphere with Tanzu vs. a bare-metal approach ...
byPrincipled Technologies
 
Business Case Of Desktop Virtualization
byMd Yousup Faruqu
 
A day in the life of a VSAN I/O - STO7875
byDuncan Epping
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
byBrendan Gregg
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
byAnne Nicolas
 
ENSA_Module_8.pptx
byJoseLopez1854
 

Similar to Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP

PDF
Make the internet safe with DNS Firewall
byBangladesh Network Operators Group
 
PDF
Getting Started with a DNS Firewall
byAPNIC
 
PPTX
DNS RPZ in action HoW IS DNS DIFFERET.pptx
byssuser195cee
 
PDF
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
byPROIDEA
 
PPT
DNS Response Policy Zone dss(DNSRPZ).ppt
byssuser195cee
 
PPTX
The DNS Tunneling Blindspot
byBrian A. McHenry
 
PPTX
Infoblox - turning DNS from security target to security tool
byJisc
 
PPTX
THOTCON - The War over your DNS Queries
byJohn Bambenek
 
PDF
DNS как линия защиты/DNS as a Defense Vector
byPositive Hack Days
 
PDF
DNS in IR: Collection, Analysis and Response
bypm123008
 
PDF
Dns firewalls null-may2020
byn|u - The Open Security Community
 
PPTX
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
byJohn Bambenek
 
PDF
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
byallanjude
 
PPTX
Building RPZ into the Janet Network resolver service
byJisc
 
PPTX
2_Chapter 2_DNS.pptx
byhoangdinhhanh88
 
PDF
Denial of Service - Service Provider Overview
byMarketingArrowECS_CZ
 
PPTX
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
byOpenDNS
 
PPTX
DNS - MCSE 2019
byMilad Es'Haghi
 
PDF
Minieri CS6262 Project Poster
byJoe Minieri
 
PPTX
DNS Security
byinbroker
 
Make the internet safe with DNS Firewall
byBangladesh Network Operators Group
 
Getting Started with a DNS Firewall
byAPNIC
 
DNS RPZ in action HoW IS DNS DIFFERET.pptx
byssuser195cee
 
PLNOG 5: Paul Vixie - Response Policy Zones for the Domain Name System (DNS RPZ)
byPROIDEA
 
DNS Response Policy Zone dss(DNSRPZ).ppt
byssuser195cee
 
The DNS Tunneling Blindspot
byBrian A. McHenry
 
Infoblox - turning DNS from security target to security tool
byJisc
 
THOTCON - The War over your DNS Queries
byJohn Bambenek
 
DNS как линия защиты/DNS as a Defense Vector
byPositive Hack Days
 
DNS in IR: Collection, Analysis and Response
bypm123008
 
Dns firewalls null-may2020
byn|u - The Open Security Community
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
byJohn Bambenek
 
EuroBSDCon 2013 - Mitigating DDoS Attacks at Layer 7
byallanjude
 
Building RPZ into the Janet Network resolver service
byJisc
 
2_Chapter 2_DNS.pptx
byhoangdinhhanh88
 
Denial of Service - Service Provider Overview
byMarketingArrowECS_CZ
 
Infrastructure Tracking with Passive Monitoring and Active Probing: ShmooCon ...
byOpenDNS
 
DNS - MCSE 2019
byMilad Es'Haghi
 
Minieri CS6262 Project Poster
byJoe Minieri
 
DNS Security
byinbroker
 

More from APNIC

PPTX
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
PDF
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
PDF
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
PDF
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
PDF
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
PDF
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
PDF
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
PDF
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
PDF
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
PDF
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
PDF
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
PDF
Make DDoS expensive for the threat actors
byAPNIC
 
PDF
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
PDF
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
PDF
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
PDF
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
PDF
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 
APNIC Report, presented at APAN 60 by Thy Boskovic
byAPNIC
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
byAPNIC
 
RPKI Status Update, presented by Makito Lay at IDNOG 10
byAPNIC
 
The Internet -By the Numbers, Sri Lanka Edition
byAPNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
byAPNIC
 
DNSSEC Made Easy, presented at PHNOG 2025
byAPNIC
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
byAPNIC
 
APNIC's Role in the Pacific Islands, presented at Pacific IGF 2205
byAPNIC
 
IPv6 Deployment and Best Practices, presented by Makito Lay
byAPNIC
 
Cleaning up your RPKI invalids, presented at PacNOG 35
byAPNIC
 
The Internet - By the numbers, presented at npNOG 11
byAPNIC
 
Transmission Control Protocol (TCP) and Starlink
byAPNIC
 
DDoS in India, presented at INNOG 8 by Dave Phelan
byAPNIC
 
Global Networking Trends, presented at the India ISP Conclave 2025
byAPNIC
 
Make DDoS expensive for the threat actors
byAPNIC
 
Fast Reroute in SR-MPLS, presented at bdNOG 19
byAPNIC
 
DDos Mitigation Strategie, presented at bdNOG 19
byAPNIC
 
ICP -2 Review – What It Is, and How to Participate and Provide Your Feedback
byAPNIC
 
APNIC Update - Global Synergy among the RIRs: Connecting the Regions
byAPNIC
 
Measuring Starlink Protocol Performance, presented at LACNIC 43
byAPNIC
 

Recently uploaded

PDF
Xnspy vs FlexiSPY: 2025 Monitoring Comparison
byMichael Carter
 
PPTX
BIG DATA it is talking about the big data.pptx
byAbhishekGarg269
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPT
html-forms in web development-courseICT.
bymadz33
 
PDF
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
PPTX
Ideathon template.pptx it is a ideathon template
bykonav71133
 
PDF
classification of elements and periodicity.pdf
byaryanshreya2010
 
PPTX
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
PPT
Memory Organization In Assembly Language
byumairmuhammad0409
 
PPTX
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
PPTX
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
PDF
Micro project .pdf drone technology Report
byRenitaMamgain
 
PPTX
Role of VMware and Cloud Computing in CyberSecurity.pptx
byalehanoor1325
 
PPTX
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
PPT
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
PPTX
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
PPTX
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
PDF
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PPTX
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
PPTX
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 
Xnspy vs FlexiSPY: 2025 Monitoring Comparison
byMichael Carter
 
BIG DATA it is talking about the big data.pptx
byAbhishekGarg269
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
html-forms in web development-courseICT.
bymadz33
 
tokiohotellistening.pdf for tokiohotelfans
byrafaelgombos1234
 
Ideathon template.pptx it is a ideathon template
bykonav71133
 
classification of elements and periodicity.pdf
byaryanshreya2010
 
CaseStudy-CloudMigration -For USE CASE -Customer Success Info -6-Aug-25.pptx
bywinlentech
 
Memory Organization In Assembly Language
byumairmuhammad0409
 
Types of Cryptograph Symmetric Ceaser cipher and also about Assymetric
byhamzaabdulqadeer11
 
Introduction Digital Signal Processing.pptx
byumairmuhammad0409
 
Micro project .pdf drone technology Report
byRenitaMamgain
 
Role of VMware and Cloud Computing in CyberSecurity.pptx
byalehanoor1325
 
SriLank SLT LTE Network Sharing V2.pptx
bynthuang
 
Lecture_3 Network Securityyyeyeyyeeyyeywy.ppt
bysawsan202
 
COĞRAFYA ödevi 70 sayfa güzeldir hayırlı olsun
bydtilter
 
Abhishek Jaiswal.ppt.pptx for you it is very useful for me and I am sharing w...
byabhishekjaiswal5th33
 
WShell Gameplay and Games of Games of Games
byzramirezmtz9
 
PRITHVI theater, A true artist. Newzfeaturez.pptx
bysc05digital
 
Computer Networks 01[1 using all terms].pptx
bywaqasahmedbhatti633
 

Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP

  • 1.
    All Rights Reserved© 2019 Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.net
  • 2.
    Safe Internet for‘ALL’ Started brainstorming to find a suitable way to provide a secure internet to all of our users: Considerations: Easy implementation without deploying any hardware or without any change in CPE devices. Possible ways: • Router ACLs • Web proxy filter • Content-aware firewall • DNS Response Policy Zone (RPZ)
  • 3.
    DNS Response PolicyZone ● Over 91% percent malware uses DNS(As Cisco 2016 Annual Cyber security report) ● Nearly all the cryptominer stuffs uses DNS based C&C(As Cisco 2016 Annual Cyber security report) ● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.
  • 4.
    DNS Response PolicyZone(RPZ) ● “DNS Firewall gives you the most bang for your buck” -Paul Vixie ● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00
  • 5.
    Core DNS Principles Master/ Primary DNS Slave/ Secondary DNS Caching Resolver DNS .org bdnog.org www.bdnog.org AXFR TSIG IXFR TSIG AXFR- Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR What is the IP for www.bdnog.org? Who is in charge of www.bdnog.org? www.bdnog.org is 202.4.96.213 .root
  • 6.
    .org bdnog.o rg .root DNS RPZ MasterDNS RPZ Feed AXF R IXFR What is the IP for www.bdnog.org? Who is in charge of bdnog.org? www.bdnog.org www.bdnog.org is 202.4.96.213 RPZ Caching Resolver DNS * RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. Security Company
  • 7.
    DNS RPZ inAction Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR What is the IP for badguys.com? badguys.com To find the bad guysSecurity Company What is the IP for badguys.com? SPAM Computer looks up Xyzbadness . com
  • 8.
    How is DNSRPZ Different? Master DNS RPZ Feed RPZ Caching Resolver DNS AXFR IXFR Security Company DNS RBL Some RBL User Update zone files Query Every time
  • 9.
    How is DNSRPZ Different? • DNS RPZ allows for multiple feeds. • Allows for industry incident feeds. • Allows for local incident management feeds. Resolver DNS RPZ Zone Files RPZ Feed Malware RPZ Feed C&C Hosts OPSEC InfoSec
  • 10.
    Components of theCriminal Cloud ● Spam Botnet ● Command & Control ● Drive-by Domains ● Malware ● Secondary Malware ● Proxy ● Payment Processors ● Mule Operations ● Packer ● TLD Domain ● Name Servers Mirai Avalanche Blackhole Zeus Cryptojackers Passwords Ransomware Malware Rootkit Call home
  • 11.
    Malicious Redirects E-commerce /Payments Security Updates Legitimate Abused antvirus.updates.com
  • 12.
    Scanning, Worming, &Spreading Bot Herder Email SMS SNS Vulnerable Malicious Infected Devices DNS C&C Botnet Step 1 Step 2 Step 3
  • 13.
    We can seethe bot herders traffic. Domains are known to be malicious! & / DNS
  • 14.
    DNS RPZ wouldhave stopped this attack! With RPZ you can detect, alert, block, and protect users. & / DNS rpz NSDNAME NXDOMAIN rewrite ns1.apple.com rpz QNAME NXDOMAIN rewrite botnet.com rpz QNAME NXDOMAIN rewrite malciousdomain.com
  • 15.
  • 16.
    Possible Uses Examples •Enterprise : Detect and stop malicious activities. • ISP : Investigate infected customer hosts. • SOC : Alert SOC team about malicious access • OEM : Protect IoT devices • ALL : Detect and sanitize your networks
  • 17.
    RPZ supported DNSApplications RPZ is native in several of the industry’s leading DNS platforms, including: ● BIND V9.8 (or greater) ● Power DNS recursor Numerous appliance vendors have enabled RPZ as well, including: ● Infoblox ● Efficient IP ● Bluecoat and many more
  • 18.
    RPZ Rule Let’s wewant to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME . This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com”
  • 19.
    Response Policy Triggers Therules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. QNAME RPZ-IP RPZ-NSDNAME RPZ-CLIENT-IPRPZ-NSIP
  • 20.
    Response Policy Actions GIVEN CNAME TCP-ONLY DROP PASSTHROUGH NXDOMAIN DISABLED NODATA Isthe default action and define no overrides Name exists but there are no records of the requested type To redirect the user with a CNAME to a walled garden. Forces the resolver to use TCP for the query. Drop the query without any response to the client. Exempt the response from further policy processing. Domain does not exist.Most common policy used. All Policy Actions for this zone are disabled but all items are logged
  • 21.
    RPZ Logging Since we’rerunning RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };
  • 22.
    Before Implementation ● Atfirst implement on logging mode for at least for a week ● Restricted RPZ recursive server to use within the ACL ● Restricted users from using other recursive resolver servers ● Redirected DNS traffic to DNA RPZ recursive resolver (That’s important to bring users in safety net)
  • 23.
    RPZ Feed Providers ●Spamhaus ● Deteque ● PIPELINE Security ● Farsight security ● SURBL ● Threat Stop
  • 24.
    DNS Firewall: ImplementationCase Study in an ISP ● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh. ● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan. ● Used with BIND 9.11.3 Extended Support Version(ESV). ● Also tested with Powerdns recursor. ● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled recursive name server to avoid adding new DNS server on every CPE. ● Added forwarder in current recursive DNS and forwarded all the recursive request to RPZ enabled name server. ● Used as RPZ passthrough
  • 25.
    Resources used forthe implementation And one System Admin to cook those things One server for Bind LXD Container with Ubuntu 18.04 vCPU:8 cores,Memory : 8GB,Storage:100GB Second server ELK stack for data visualization. LXD Container with Ubuntu 18.04 vCPU:4 cores,Memory : 4GB,Storage:100GB RPZ zones Data feed from RPZ feed provider Any feed provider you can test free for one month .We have used from Spamhaus/deteque.
  • 26.
    Simple Installation:Bind Required time: Not more than 60 minutes From Bind 9.8 Bind is compatible and comes with RPZ support. For this case we have used ubuntu 18.04LTS. Installed bind with apt and no special patches needed for RPZ.
  • 27.
    Simple Installation:Adding RPZzones Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response- policy.Bind currently has a 32 zone limit response-policy { zone "rpz.local"; ### 11 Standard Feeds zone "adware.host.dtq" policy passthru; zone "badrep.host.dtq" policy passthru; zone "bad-nameservers.ip.dtq" policy passthru ; zone "bad-nameservers.host.dtq" policy passthru; zone "bogons.ip.dtq"; zone "botnetcc.host.dtq"; zone "botnet.host.dtq" policy passthru; zone "botnetcc.ip.dtq" policy passthru; zone "dga.host.dtq" policy passthru; zone "malware.host.dtq"; zone "phish.host.dtq" policy passthru; ### Edited Feeds zone "adware.edit.host.dtq"; zone "badrep.edit.host.dtq"; zone "botnetcc.edit.host.dtq"; zone "botnet.edit.host.dtq"; zone "malware.edit.host.dtq"; zone "phish.edit.host.dtq"; ### Premium Feeds zone "zrd.host.dtq"; ### Free Feeds zone "drop.ips.dtq" policy passthru; ### Service Feeds zone "coinblock.srv"; zone "torblock.srv" policy passthru; };
  • 28.
    Simple Installation:Get RPZdata from provider RPZ zones will be downloaded from feed provided as a slave zone. zone "malware.edit.host.dtq" { type slave; file "dbx.malware.edit.host.dtq"; masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; }; allow-transfer { none; }; };
  • 29.
    Simple Installation:RPZ IncidentLog Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header. Add the RPZ log in /etc/bind/named.conf logging { channel null { null; }; channel bindlog { file "bind.log"; print-time yes; print-category yes; print-severity yes; severity info; };
  • 30.
    Bind Installation:Generating Log channelrpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info;}; category config { bindlog; };category xfer-in { bindlog; };category xfer- out { bindlog; }; category network { bindlog; };category update { bindlog; };category update-security { bindlog; }; category delegation-only { bindlog; }; category rpz { rpzlog; }; };
  • 31.
    RPZ Logs RPZ logtake logs the queries to RPZ zones. ● The threat source IP ● destination of the for threat ● Categorization of the threat 27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60 118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite qpxrg.com via qpxrg.com.malware.host.dtq
  • 32.
    Whitelisting ● rpz.local placedin top among the RPZ zones for custom configuration in bind. ● On any false positive or on any issue we can whitelist a domain or IP or client IP if require. Some source/domains/IP whitelisted on user requirement : 32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru. 32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru. binance.com CNAME rpz-passthru. *.binance.com CNAME rpz-passthru. cryptonator.com CNAME rpz-passthru. *.cryptonator.com CNAME rpz-passthru.
  • 33.
    Monitoring Incidents withThe ELK stack The ELK stack is a collection of three open source tools - Elasticsearch + Logstash + Kibana
  • 34.
    Monitoring Incidents withELK stack ● Logs: Server logs that need to be analyzed are identified ● Logstash: Collect logs and events data. It even parses and transforms data ● ElasticSearch: The transformed data from Logstash is Store, Search, and indexed. ● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and Share ● Beats: Use to transport logs to the ELK stack
  • 35.
    Day 1 -Over 1.3M Queries to RPZ Zones
  • 36.
    Day 1 -Top 5 Results
  • 37.
    RPZ logs fromVarious Nodes
  • 38.
  • 39.
  • 40.
  • 41.
    hosted by DNSof a malicious domain (coppersurfer.tk) 0--0.ml 0-00.ml 0-21.tk 000-daviotek.tk 000-default.tk 000000.ga 0002.tk 000web.tk 0010.ga 00gg.tk 00up.cf 0101.tk 0111.gq 022gay.com 028video.gq 02reg.tk 03essay.cf 0443622812.ga 05291123.tk 0599.tk 0815netz.tk 0900alternatieven.co m 091617.cf 0ang3el.ml 0jav.cf 0jav.ga 0network.tk 0nlyyou.tk
  • 42.
    Vulnerable Nodes withpotential treats
  • 43.
    Deep Dive ina incident:pubyun.com pubyun.com was one of the top destination from monitoring and DNS RPZ filtered the traffic. A news from 2012 .But still it is active in the live network. https://www.techinasia.com/microsoft-lawsuit-chinese-malware It is also in the Sophos malaware analysis https://www.sophos.com/en-us/threat- center/threat-analyses/viruses-and- spyware/Troj~MSIL-DXC/detailed-analysis.aspx
  • 44.
    Deep dive ina incident:pubyun.com https://www.joesandbox.com/analysis/37219/0/executive Pubyun.com actually a hosting provider before that they operated as 3322.org that hosted many malwares ,cryptomiers and used for malicious activities.Here is a sample of malware that used pubyun.com.
  • 45.
    Top malware destinationsfrom infected nodes
  • 46.
    RPZ Incident monitoringdashboard with Kibana
  • 47.
  • 48.
    All Rights Reserved© 2019 Suman Kumar Saha AmberIT Limited suman@amberit.com.bd Allan Watanabe PIPELINE Security www.pipelinesecurity.jp THANK YOU!