
Source: Own Illustration
In the first part of this blog series on the Domain Name System (DNS), we explained various technical details. Because DNS servers are consulted whenever a computer name has to be converted into an IP address, the system plays a central role in the functioning of the Internet.
DNS in the Focus of Attackers
Due to the central and vital role of the DNS, attackers soon turned their attention to this system. In addition to attacks on the implementation of the service itself (classic denial of service, exploitation of vulnerabilities) or on its functionality (e.g. cache poisoning or hijacking), the stored content, i.e. the DNS entries themselves, is increasingly being misused for attacks.
This takes advantage of the fact that the DNS is organized in a highly decentralized way. Not only are the servers holding the data distributed around the world, there is also no central authority that checks which domain names may or may not be entered in the DNS. If an attacker wants to imitate a legitimate website, for example, there will be registrars or DNS providers somewhere in the world who take little care and allow confusingly similar domain names to be registered.
DNS as a Communication Channel for Malware
Another abuse of the DNS is as a communication channel: certain malware looks up DNS records to establish communication with the outside world and, for example, to receive commands from command and control servers. Even the malware itself could be placed in DNS records. Another aspect is that the DNS can be used not only to retrieve information, but also to transmit information to the outside world by means of queries: the queried name itself carries the data, and whoever runs the authoritative server for that domain receives it. Attackers therefore also use the DNS to exfiltrate internal information or, more generally, to transport malicious content. The DNS lends itself to such unwanted purposes because it is a fundamental service that cannot simply be switched off and is therefore almost always allowed to pass.
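To make the exfiltration mechanism concrete, here is an added example in Python (not code from the original article or from RWTH). It shows both sides of a DNS data channel, the victim packing a file into the labels of query names and the attacker's authoritative server reassembling it, followed by a simple detector of the kind a resolver operator or SOC could run over a query log. The zone name c2.example, the sample queries and the "secret" payload are all constructed for the example.

```python
import base64
import math
from collections import Counter, defaultdict

# Constructed example: the zone name and all query names below are made up.
EXFIL_DOMAIN = "c2.example"   # hypothetical attacker-controlled zone
MAX_LABEL = 63                # RFC 1035: a label holds at most 63 octets
MAX_NAME = 253                # practical limit for a full name in text form


def encode_exfil(payload: bytes, domain: str = EXFIL_DOMAIN,
                 labels_per_query: int = 2) -> list[str]:
    """Victim side: pack payload into query names <seq>.<base32 labels>.<domain>.
    Base32 is used because names are case-insensitive and restricted to a small
    alphabet; the sequence label lets the receiver reassemble in order."""
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    names = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([f"s{seq}", *labels[i:i + labels_per_query], domain])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; reduce labels_per_query")
        names.append(name)
    return names


def decode_exfil(names: list[str], domain: str = EXFIL_DOMAIN) -> bytes:
    """Attacker side: the authoritative server for `domain` sees every query
    name the victim's resolver forwards and strips the payload out of it."""
    chunks = {}
    for name in names:
        if name.endswith("." + domain):
            labels = name[: -len(domain) - 1].split(".")
            chunks[int(labels[0][1:])] = "".join(labels[1:])
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    """Bits per character; random base32 approaches 5.0, real words stay well below."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(name: str) -> str:
    # Simplification for the example: last two labels. Real tooling should use
    # the public suffix list so that e.g. "co.uk" is not treated as a domain.
    return ".".join(name.split(".")[-2:])


def detect_tunnels(names: list[str], min_queries: int = 5,
                   min_sub_len: int = 40, max_entropy: float = 4.5) -> dict:
    """Resolver/SOC side: group queries by registered domain and flag domains
    whose subdomain part looks like a data channel (many distinct, long,
    high-entropy names) rather than ordinary host names.
    Returns {domain: features} for the flagged domains only."""
    by_domain = defaultdict(set)
    for name in names:
        by_domain[registered_domain(name.lower())].add(name.lower())
    flagged = {}
    for dom, qnames in by_domain.items():
        subs = [q[: -len(dom) - 1] for q in qnames]
        sub_len = sum(len(s) for s in subs) / len(subs)
        entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if (len(qnames) >= min_queries and sub_len >= min_sub_len) or entropy >= max_entropy:
            flagged[dom] = {"queries": len(qnames), "mean_sub_len": round(sub_len, 1),
                            "mean_entropy": round(entropy, 2)}
    return flagged


# Constructed sample traffic: ordinary lookups plus one exfiltration of a fake file.
NORMAL_QUERIES = ["www.rwth-aachen.de", "mail.rwth-aachen.de", "www.itc.rwth-aachen.de",
                  "login.sso.rwth-aachen.de", "www.dfn.de", "switch.ch", "threatfox.abuse.ch"]
SAMPLE_SECRET = b"constructed sample: employee list\n" * 20

if __name__ == "__main__":
    exfil = encode_exfil(SAMPLE_SECRET)
    print(f"{len(exfil)} queries carry {len(SAMPLE_SECRET)} bytes, e.g. {exfil[0][:60]}...")
    assert decode_exfil(exfil) == SAMPLE_SECRET
    for dom, features in detect_tunnels(NORMAL_QUERIES + exfil).items():
        print(f"suspicious: {dom} {features}")
```

The detector is deliberately crude: counting distinct long subdomains per registered domain catches bulk exfiltration but not a slow, low-volume channel, and legitimate services (CDNs, anti-virus lookups, some mail security products) also generate long machine-generated names, so in practice such scores are used to prioritize review and to feed a local block list rather than to block automatically.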
The DNS Firewall at RWTH
In order to ward off malware that frequently uses such mechanisms, the Security Operations Center (SOC) at RWTH has introduced a DNS firewall as a new protective measure. It is based on the concept of Response Policy Zones (RPZ), a technology that is already integrated into the software product RWTH uses on its DNS servers. This makes it possible to specifically block or redirect responses to dubious DNS queries, even before any contact is made with a potentially dangerous target system. Given lists of such dubious domain names, the resolver can either withhold the answer to the query or return a modified answer based on those lists.
In Part 1, we already mentioned that requesting clients communicate with locally configured caching DNS servers (resolvers) in order to obtain information from the DNS. Our DNS firewall is therefore implemented on exactly these resolvers. If a client infected with malware attempts to look up a malicious server in the DNS in order to contact it, the DNS firewall intervenes at this point and first checks whether the requested name is on one of the lists mentioned. If it is, the resolver answers as if the domain did not exist (an NXDOMAIN response). Note that this protection only covers queries that actually pass through these resolvers; a device configured to use an external resolver directly, or to send its queries via DNS over HTTPS to a public provider, bypasses it unless such traffic is blocked at the network edge.
Control through Response Policy Zones (RPZ)
In the DNS server product we use, lists of DNS entries that require special handling are implemented via a mechanism called Response Policy Zones (RPZ), in which these entries are stored in ordinary zone files. The entries in these files are keyed by DNS names, and wildcard entries (for example, all names below a given domain) are possible. Keying on names instead of IP addresses offers the advantage of significantly better granularity and flexibility. For example, on web hosts where a large number of domain names point to the same IP address, the malicious website can be blocked specifically without making all other websites at this address inaccessible. This mechanism is therefore also very effective against the command and control servers mentioned above.
In order to counter the rapidly changing threats, the DNS firewall database is updated automatically. We obtain suitably maintained lists of domain names that have attracted negative attention from, among others, the German research network association DFN, the Swiss research and education network SWITCH and the provider abuse.ch ("ThreatFox"). In addition, RWTH Aachen University maintains its own list, which takes precedence over the data obtained from third parties. On the one hand, this keeps the time between our own detection of a threat and the neutralization of the corresponding queries as short as possible. On the other hand, it lets us adapt the behavior of the DNS firewall to local requirements, for example to exempt a name that a third-party list has flagged by mistake.
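To show how the zone-based lists, wildcards and the precedence of the local list fit together, here is an added example in Python (not the configuration RWTH actually runs, and not code from the original article). It assumes the RPZ zone file syntax of BIND 9, since the article does not name the product; the two zone files, the names evil-c2.example, sharedhost.example, malware.example and sinkhole.example, and the addresses are all constructed. The lookup logic mirrors the usual RPZ semantics: an exact trigger beats a wildcard, and policy zones are consulted in the configured order so that the first zone with a match decides.

```python
import ipaddress

# Constructed example; names and addresses use reserved documentation ranges.
# The zone files follow the RPZ format used by BIND 9 (an assumption of this
# example; the article does not name RWTH's product). Owner names are written
# relative to the policy zone's origin, exactly as in a real RPZ zone file.
RWTH_LOCAL_RPZ = """
$TTL 300
@                        SOA  localhost. hostmaster.localhost. 1 3600 600 86400 300
@                        NS   localhost.
evil-c2.example          CNAME .                ; NXDOMAIN: block the C2 name itself
*.evil-c2.example        CNAME .                ; ... and everything below it
safe.sharedhost.example  CNAME rpz-passthru.    ; local exception, see feed below
"""

THIRD_PARTY_FEED_RPZ = """
badsite.sharedhost.example  CNAME .            ; malicious site on a shared web host
safe.sharedhost.example     CNAME .            ; false positive on the same host
*.malware.example           CNAME *.           ; NODATA: name exists, no records
sinkhole.example            A     192.0.2.1    ; redirect to a walled-garden host
"""


class PolicyZone:
    """One RPZ zone: QNAME triggers mapped to policy actions."""
    ACTIONS = {".": ("NXDOMAIN", None), "*.": ("NODATA", None),
               "rpz-passthru.": ("PASSTHRU", None), "rpz-drop.": ("DROP", None)}

    def __init__(self, name: str, zone_text: str):
        self.name = name
        self.exact, self.wild = {}, {}
        for raw in zone_text.splitlines():
            fields = raw.split(";")[0].split()        # drop comments
            if not fields or fields[0].startswith("$"):
                continue                              # blank line or $TTL/$ORIGIN
            owner, rest = fields[0].lower(), fields[1:]
            if rest and rest[0].isdigit():            # optional per-record TTL
                rest = rest[1:]
            rtype = rest[0].upper()
            if rtype in ("SOA", "NS"):                # zone housekeeping, not a trigger
                continue
            rdata = rest[1]
            if rtype == "CNAME":
                action = self.ACTIONS[rdata]
            elif rtype in ("A", "AAAA"):
                action = ("LOCAL", str(ipaddress.ip_address(rdata)))
            else:
                raise ValueError(f"unsupported record in {name}: {raw.strip()}")
            if owner.startswith("*."):
                self.wild[owner[2:]] = action
            else:
                self.exact[owner] = action

    def match(self, qname: str):
        """Exact trigger first; otherwise the closest enclosing wildcard.
        '*.example' covers names below example but not example itself."""
        q = qname.lower().rstrip(".")
        if q in self.exact:
            return self.exact[q]
        labels = q.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.wild:
                return self.wild[parent]
        return None


class DnsFirewall:
    """Policy zones are consulted in order; the first zone with a matching
    trigger decides, so the locally maintained zone overrides the feeds."""

    def __init__(self, zones: list[PolicyZone]):
        self.zones = zones

    def check(self, qname: str):
        """Returns (action, data, zone): data is the local address for LOCAL,
        zone is the name of the policy zone that matched, or None."""
        for zone in self.zones:
            hit = zone.match(qname)
            if hit is not None:
                return (*hit, zone.name)
        return ("FORWARD", None, None)   # not listed: resolve normally


FIREWALL = DnsFirewall([PolicyZone("rwth-local", RWTH_LOCAL_RPZ),
                        PolicyZone("third-party-feed", THIRD_PARTY_FEED_RPZ)])

if __name__ == "__main__":
    for q in ["evil-c2.example", "update.evil-c2.example", "safe.sharedhost.example",
              "badsite.sharedhost.example", "www.malware.example", "malware.example",
              "sinkhole.example", "www.rwth-aachen.de"]:
        print(f"{q:30} -> {FIREWALL.check(q)}")
```

The sharedhost.example entries illustrate the granularity point: badsite is blocked while safe, which sits on the same host and was listed by mistake in the feed, is explicitly passed through by the local zone because that zone is consulted first. In a production setup each policy zone still needs its own SOA and NS records, and the resolver is told which zones to apply, and in which order, in its configuration (the response-policy statement in BIND 9).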
Support for Problems with Blocked Domains
Queries from the university to the RWTH DNS servers are therefore checked before they are resolved, and if the domain is harmless from the point of view of the DNS firewall, the response is sent to the requesting device as usual. Normal network usage should therefore not be negatively affected, while at the same time security threats that exploit the DNS are countered.
If, contrary to expectations, individual DNS queries do not work as usual, you can contact us via the IT-ServiceDesk. Your request will then be passed on to the responsible specialist department.
This concludes the second part of our blog series on the DNS. Look forward to more technical articles from the field of data networks.
Responsible for the content of this article are Bernd Kohler and Christoph Viethen.