DNS Firewall with Response Policy Zone
Suman Kumar Saha bdCERT [email protected] Amber IT Limited [email protected] DNS Response Policy Zone(RPZ) as Firewall
● RPZ allows a recursive server to control the behavior of responses to queries. ● Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. ● RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. ● It works like firewall on cloud. ● DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked. DNS Response Policy Zone(RPZ)
● Reputation data is packaged into Response Policy Zones (RPZs) ● RPZ’s update frequently via IXFR/AXFR ● RPZ include both the filter criteria, and a response policy action ● BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified ● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00 Why We Need DNS RPZ? Ways of Content Filtering
• Router ACLs • Web proxy filter • Content-aware firewall • DNS RPZ Core DNS Principles .root
Who is in charge of .org Master/ www.bdnog.org? Primary DNS bdnog.org
www.bdnog.org TSIG IXFR TSIG AXFR
Caching www.bdnog.org is 202.4.96.213 Slave/ Resolver Secondary DNS DNS What is the IP for www.bdnog.org?
AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR DNS RPZ .root Security Company .org Master DNS Who is in charge of bdnog.org? RPZ bdnog.org
AX FR www.bdnog.org IXFR RPZ www.bdnog.org is 202.4.96.213 Caching Resolver DNS RPZ capability on the DNS Cashing Resolver What is the IP for allows zone transfers to www.bdnog.org? be pushed out in seconds. DNS RPZ in Action
To find the Security Company bad guys badguys.com Master DNS RPZ
AX FR
IX FR RPZ Caching Resolver DNS
What is the IP for badguys.com? What is the IP for badguys.com? SPAM Computer looks up Xyzbadness. com How is DNSRPZ Different? Security Company
Master DNS DNS RPZ RBL Update zone files AXFR IXFR
Some RBL User RPZ Query Every time Caching Resolver DNS How is DNSRPZ Different?
RPZ feed 1 • DNSRPZ allows for multiple providers – building a richer list of RPZ feed 2 “bad domains” • Allows for industry incident feeds. RPZ AXFR • Allows for local incident OPSEC Caching management feeds. Incident IXFR Resolver DNS INFOSEC or Security Team What DNS Firewall Can block Using RPZ • Phishing : When a user clicks on a link in an email, for example from a fake banking site, you can intercept the lookup of that site.
• Malware: When a user attempts to navigate to a domain name known to host malware, you can redirect them to a site of your own with instructions on scanning their computer.
• Ransomware: Ransomware, is a type of malware in which someone takes over assets on your network and blocks access to them until you pay a ransom. This is a rapidly growing threat.
• Botnet Command and Control sites :When devices inside your network attempt to contact suspected botnet command central, drop the queries, and log them for analysis and followup.
• Identify Infected Machines: By analyzing the query logs, you can track down the machines in your network that are attempting to contact these abuse sites, and clean up any infections or botnet code. Components of the Criminal Cloud
Payment SPAM Processors BOTNET Secondary Drive-By Controller Proxy Malware
Mule Operations Avalanche: SPAM Cloud that you
Name can lease time Servers Zeus: Build your Own Criminal Cloud. BOT BlackHole: Metasploit Cloud you Herder can lease Malware
Victim of Crime TLD Domain Packer Stage Domain Name
SPAM BOTNET Secondary Drive-By Controller Proxy Malware
Get Name Domain Servers Stag e Do BOT main Stage on NS Herder
Malware
Victim of Crime TLD Domain Packer Prepare Drive-By
Send Malware SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Load Name Malware Servers
Hacker
Malware
Victim of Crime TLD Domain
Packer Social Engineered SPAM to Get People to Click
(Spear Phishing)
Send SPAM SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Click on Servers me now Hacker
Malware
Victim of Crime TLD Domain
Packer Drive-By Violation
Click on me now
SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Servers
Hacker
Malware
Victim of Crime TLD Domain
Packer Drive-By Violation
SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Servers
Hacker Owned!
Malware
Victim of Crime TLD Domain
Packer Poison Anti-Virus Updates
SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Servers Poison the anti-virus updates Hacker All updates to 127.0.0.1 Anti-Virus Malware Vendor
Victim of Crime TLD Domain
Packer Prepare Violated Computer
SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Servers Call to secondary Malware site Hacker Load secondary package Anti-Virus Malware Vendor
Victim of Crime TLD Domain
Packer Call Home
SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Servers Call to Controller Report: § Operating System Hacker § Anti-Virus § Location on the Net Malware § Software § Patch Level Victim of Crime § Bandwidth TLD § Capacity of the computer Domain
Packer Load Custom Malware
Secondary SPAM Drive-By Controller Proxy BOTNET Malware
Name Go get New Servers Module
Hacker
Malware
TLD Victim of Crime Domain
Packer Start Worming, Scanning, & Spreading
Drive-By Secondary Controller Proxy SPAM Malware BOTNET
Name Servers BOTNET Herder Malware IPv6 IPv6 Victims of Crime
TLD Packer Domain The Domain names were Black Listed! We know the SPAM addresses We can see this guy’s SPAM Secondary DNS Drive-By Controller Proxy BOTNET Malware Activity!
We knew the infrastructure We knew the addresses! controller Name addresses! Servers BOT
We knew the NS Herder used for the We knew Malware criminal activity! the back end systems! TLD Victim of Crime Domain We needed to stop this computer from doing all the Packer DNS lookups to bad domains! DNS RPZ would have stopped this attack!
Send SPAM SPAM Drive-By Secondary Controller Proxy BOTNET Malware
Name Servers Blacklisted with DNSRPZ Hacker
Malware
Victim of Crime NOC TLD Alert! Domain
Packer Possible Uses Examples • Enterprise networks can us it to stop infections – and let NOC know something is wrong. • Hosting Provider can use it to block infected customer host – and let NOC know something is wrong. • Service Providers – can use it to protect customers AND notify customer AND let the help desk know customers might be infected. RPZ supported DNS Applications
RPZ is native in several of the industry’s leading DNS platforms, including:
● BIND V9.9 (or greater) ● Power DNS Numerous appliance vendors have enabled RPZ as well, including:
● Infoblox ● Efficient IP ● BlueCat RPZ Rule
Let’s say we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME .
This result in an NXDOMAIN (Non existence) response for a query for “host.filter.com” Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions.
● by the query name. [QNAME] ● by an address which would be present in a truthful response. [RPZ-IP] ● by the name or address of an authoritative name server responsible for publishing the original response. [RPZ- NSDNAME and RPZ-NSIP] ● by the IP address of the DNS client [RPZ-CLIENT-IP] Response Policy Actions
● to synthesize a “domain does not exist” response. [NXDOMAIN] ● to synthesize a “name exists but there are no records of the requested type” response. [NODATA] ● to redirect the user via a CNAME to a walled garden [CNAME example.org ● to replace the response with specified data. [Local Data] ● to require the client to re-submit the query via TCP [CNAME rpz-tcp- only] ● to exempt the response from further policy processing. [DISABLED, CNAME rpz-passthru] ● to drop the query, without any response to the client [CNAME rpz- drop] RPZ Logging
Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the “logging” header.
channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; }; CONFIGURE A SLAVE RPZ ZONE
zone "drop.rpz.spamhaus.org" { type slave; file "dbx.drop.rpz.spamhaus.org"; masters { X.X.X.X; X.X.X.X; }; allow-transfer { none; }; allow-query { localhost; }; }; Configuring Response Policy Zones
Bind currently has a 32 zone limit. RPZ zones are specified in the response-policy section: response-policy { zone "rpz-local"; zone "tor-exit-nodes.local"; zone "bogon.rpz.spamhaus.org"; zone "botnetcc.rpz.spamhaus.org"; zone "malware.rpz.spamhaus.org"; zone "malware-adware.rpz.spamhaus.org"; zone "malware-aggressive.rpz.spamhaus.org"; zone "bad-nameservers.rpz.spamhaus.org"; zone "drop.rpz.spamhaus.org"; }; Before Implementation
● At first implement on logging mode for at least for a week ● Use TSIG to transfer the RPZ zone ● Restricted RPZ recursive server to use from all ● Restricted users from using other name servers RPZ Feed Providers
● Spamhaus/Deteque/SecurityZone ● Farsight security ● SURBL ● SWITCH ● Threat Stop Implementation Case Study in an ISP in BD
● Using RPZ feed from SecurityZone with Bind (http://www.securityzones.net/images/downloads/BIND_ RPZ_Installation_Guide.pdf ) ● Redirected all DNS recursive request to RPZ name server ● Provided service for 390 devices using recursive DNS ● Name server hits 23000000 in a month. ● Domain blocked 55435 ● Number of infected device detected 32 ● Simple and easy approach to implement