For this year’s National Cybersecurity Awareness month, let’s take a closer look at the defensive opportunities provided by the Domain Name System (DNS), as well as the critical role DNS plays in protecting organizations against phishing and other cyberattacks. DNS is considered part of the “Internet Dial-tone.” While your users may never have even heard of DNS, without it the Internet is effectively broken. The architectural positioning of DNS means it is in the ideal vantage point to see attacks coming and the perfect control-point to defend your environment. By leveraging DNS-based tools, you, too, can enjoy the added security and privacy.
Defense-in-Depth With RPZ: A DNS Firewall
With rare exception, everything we do on the Internet starts with a DNS lookup, also known as a “query.” The open nature of the protocol means that all Internet-connected devices share the same experience. A well-designed environment uses a nearby recursive resolver to answer all local device DNS queries. This proximity is critical for both performance and privacy. Answering queries from a cache located in your network reduces the external visibility of traffic. Getting the client answers quickly from that local cache is key to a high-performance user experience.
If a DNS resolution fails for a popular website, your users may complain of degraded service. But if that site turns out to be a phishing site or a drive-by download page, this “failure” is actually a win for the good guys. The DNS is the perfect place to establish an additional perimeter around your environment. No matter the OS or platform, every device on your network uses the DNS. Proper DNS configuration is required for normal operation, so no additional agent or configuration is required. Interrupting lookups to dangerous or suspect sites is an effective way to stop many threats.
A favorite tool to implement this “DNS Firewall” capability is called Response Policy Zones (RPZ). RPZ is an add-on available for some common recursive nameservers, and enables IT administrators to configure the resolver to consult externally sourced, policy zones prior to answering every DNS lookup. These zones follow a published format that anyone can use to create and publish their own policy zones. This format enables a community of RPZ zones both free and paid from a diverse set of vendors and contributors. An administrator can mix-and-match zones based on their system’s unique requirements to effectively provide tailor-made protection.
RPZ: How It Works
The RPZ format is quite expressive, allowing the author and publisher of a policy zone to indicate any number of potential match conditions. An RPZ-enabled resolver can trigger on customizable, specified conditions such as:
- The IP retuned from a query matches a record in the RPZ;
- The name queried (or returned) matches a record in the RPZ;
- A nameserver consulted while satisfying this query had a name that matched a record in the RPZ; and/or
- The IP of a name-server consulted while satisfying this query matched a record in the zone.
Further enhancing the range of possible complexity, names in rules can also include wildcards (e.g., all hostnames under a given domain name) and IP address can be in single address or CIDR format.
When a match is detected in the DNS query or response, the RPZ engine on the resolver takes the appropriate action based on administrator-configured policies. One common action is to interrupt the query by either simulating the response of a domain that doesn’t exist (NXDOMAIN) or by ignoring the query entirely (DROP). Another action would be to replace the intended result from the authoritative server with your own result. This is useful for creating walled-gardens or triggering support activities. The query can also be configured to complete normally, which is particularly useful for white-lists or logging.
Privacy is always a key factor when considering security solution architecture. Moving your recursive resolution services from an ISP or a remote service to an internal service improves privacy. The caching provided by recursive resolvers acts as an abstraction layer. Frequent identical queries to a local resolver become one “cache miss” query to an authority server. This process also replaces the source IP address of every device on your network with one set of resolver addresses. This makes it much harder for an interloper to identify the activity stream of any one user. Moving your recursive resolvers internal also enables you to leverage the security capabilities offered by RPZ.
RPZ provides extensive capabilities for network defense by leveraging the DNS infrastructure that many networks already provide. The combination of the rich matching capabilities and the powerful actions offered by RPZ makes it an effective addition to any defense-in-depth strategy. Add to that the optimal positioning of the DNS in every Internet transaction and you have a powerful tool for detecting and preventing any attacks that start with a DNS lookup. Moving your DNS resolution inside your network gives you increased performance and added control over the lookups that your devices make. The flexibility of RPZ responses and diversity of the available zones allow you maximum control of your network.