It’s an unfortunate fact of life that name servers are exploited by malware. Malware queries name servers to map the domain names that identify its command and control channel to IP addresses. Malware uses DNS as a covert channel over which to transmit new code. And some malware targets name servers with distributed denial of service attacks.
The latest versions of BIND, however, enable DNS administrators to turn the tables on malware.
BIND 9.8 introduced a new facility called a Response Policy Zone, or RPZ. An RPZ looks like a regular zone and contains the kinds of resource records a normal zone would contain, but the name server interprets it very differently. Most zones, of course, contain records that determine how a name server answers queries in that zone. RPZs, on the other hand, contain records that determine how the name server answers queries for domain names in any zone: the owner name of a record in the RPZ is the trigger, and the record’s data encodes the action. For example, a record in an RPZ–which is really more a rule than a record–may tell the name server to answer queries for c-and-c.malware.org with an NXDOMAIN response, claiming that the domain name doesn’t exist. If resolution of c-and-c.malware.org is necessary for the malware to determine how to proceed, this might cripple the malware. Moreover, if the name server with the RPZ loaded also logs the fact that a given client sent a query for c-and-c.malware.org, that will help pinpoint the infection.
The rules in RPZs are expressive enough to:
- Prevent the resolution of specified domain names (e.g., the aforementioned c-and-c.malware.org)
- Rewrite or suppress specified RRsets rather than the whole name (e.g., just c-and-c.malware.org‘s A records)
- Prevent specified addresses from being returned in any answer (e.g., any A record pointing to an address in 192.168.0.0/24)
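Here is what such a zone looks like in practice, as an added example (my code, not from the original post or from ISC). It encodes the three kinds of rule above, plus an allowlist exception, and generates a zone file BIND can load; the trickiest part is the rpz-ip owner name for address blocks, which writes the prefix length first and the address reversed. The zone name rpz.local, the domain names and the address blocks are constructed for illustration.

```python
"""Generate a BIND Response Policy Zone (RPZ) from a small, declarative rule set.

Added example, not code from the original post or from ISC.  The record
syntax follows the RPZ format documented in the BIND ARM; the zone name
rpz.local, the domain names and the address blocks are constructed.
"""
import ipaddress

RPZ_ZONE = "rpz.local"  # assumed name of the locally maintained policy zone

# RPZ expresses the policy action in the RDATA of the trigger record.
NXDOMAIN = ("CNAME", ".")               # "that name does not exist"
NODATA = ("CNAME", "*.")                # "the name exists, but has no such records"
PASSTHRU = ("CNAME", "rpz-passthru.")   # exempt from rewriting (allowlist)


def ip_trigger(cidr):
    """Encode an address block as an RPZ IP trigger owner name.

    RPZ puts the prefix length first, then the address with its octets or
    16-bit groups reversed, e.g. 192.168.0.0/24 -> 24.0.0.168.192.rpz-ip and
    2001:2::/48 -> 48.zz.2.2001.rpz-ip, where "zz" stands for "::".
    """
    net = ipaddress.ip_network(cidr, strict=False)  # host bits are masked off
    if net.version == 4:
        labels = str(net.network_address).split(".")[::-1]
    else:
        text = net.network_address.compressed       # shortest form, at most one "::"
        left, sep, right = text.partition("::")
        labels = [g for g in right.split(":") if g][::-1]
        if sep:
            labels.append("zz")
        labels += [g for g in left.split(":") if g][::-1]
    return f"{net.prefixlen}." + ".".join(labels) + ".rpz-ip"


def qname_rule(name, action):
    """QNAME trigger.  The owner is written relative to the RPZ apex (no
    trailing dot); a leading '*.' label also covers every subdomain."""
    return [(name, action[0], action[1])]


def local_data_rule(name, records):
    """QNAME trigger carrying local data: BIND answers matching queries from
    these records instead of the real zone (e.g. a walled-garden address)."""
    return [(name, rtype, rdata) for rtype, rdata in records]


def ip_rule(cidr, action):
    """IP trigger: fires when an A or AAAA record in the answer falls in cidr.
    The most specific (longest) prefix wins, so a /32 PASSTHRU can exempt one
    host from a wider NXDOMAIN block, as in the ISC ARM example for 127/8."""
    return [(ip_trigger(cidr), action[0], action[1])]


# Constructed rule set mirroring the post's examples.
RULES = (
    qname_rule("c-and-c.malware.org", NXDOMAIN)           # the C&C name ...
    + qname_rule("*.c-and-c.malware.org", NXDOMAIN)       # ... and anything below it
    + local_data_rule("dropper.malware.org",              # rewrite just this name's
                      [("A", "192.0.2.1")])               # A RRset to a sinkhole
    + ip_rule("192.168.0.0/24", NXDOMAIN)                 # no answer may point here ...
    + ip_rule("192.168.0.53/32", PASSTHRU)                # ... except this one host
    + ip_rule("2001:db8:bad::/48", NODATA)                # IPv6 block, NODATA variant
    + qname_rule("updates.example.com", PASSTHRU)         # never rewrite this name
)


def build_zone(serial, rules=RULES):
    """Render a complete, loadable zone file for the rules."""
    lines = [
        "$TTL 1H",
        f"$ORIGIN {RPZ_ZONE}.",
        f"@ IN SOA localhost. hostmaster.{RPZ_ZONE}. ( {serial} 1h 15m 30d 2h )",
        "@ IN NS localhost.",
        "",
    ]
    lines += [f"{owner} IN {rtype} {rdata}" for owner, rtype, rdata in rules]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_zone(2024010101), end="")
```

Write the output to a file, check it with `named-checkzone rpz.local rpz.local.db`, and load it with a `zone "rpz.local" { type master; file "rpz.local.db"; };` stanza plus `response-policy { zone "rpz.local"; };` in `options`. Note that the owner names are relative to the zone apex: c-and-c.malware.org in the file is really c-and-c.malware.org.rpz.local, which is how BIND tells a trigger apart from ordinary data. Rewrites are logged under the `rpz` logging category, so add a `category rpz { ...; };` entry to your `logging` block to capture which client asked for what.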
What’s more, a cottage industry has sprung up in providing RPZ feeds. Several organizations offer RPZs that you can configure your name servers as secondaries for, so the rules arrive by ordinary zone transfer. These provide near real-time information about domain names and IP addresses currently being used for malicious activity on the Internet. A name server outfitted with one of these RPZ feeds can detect and prevent many types of malicious activity on your network. Since a feed is just a zone, treat it like one: restrict and authenticate the transfer (TSIG), and don’t serve the RPZ itself to ordinary clients.
Obviously, RPZs are no substitute for a firewall, but on the other hand name servers with RPZs loaded can combat certain threats (i.e., those that are domain name-based) more easily–and earlier–than a firewall can. The two work best together: an RPZ only sees queries from clients that actually use your resolver, so a firewall rule that blocks outbound DNS to anything else keeps malware from simply asking another name server. I hope that they’ll become an important tool in our security toolbox.