Strengthen your network security with Passive DNS

27.10.2015
Over the past few years, we’ve witnessed increasing attacks against DNS infrastructure: DDoS attacks against authoritative name servers, name servers used as amplifiers in DDoS attacks, compromised registrar accounts used to modify delegation information, cache poisoning attacks, and abuse of name servers by malware. Thankfully, we’ve also seen the concurrent development of powerful new mechanisms for combating those threats, including the DNS Security Extensions, response policy zones, and response rate limiting.

Perhaps the most promising means of enhancing DNS security, and the security of the Internet generally, has yet to be fully exploited. That’s Passive DNS data.

Passive DNS was invented by Florian Weimer in 2004 to combat malware. Basically, recursive name servers would log the responses they received from other name servers and replicate that logged data to a central database.

What would that logged data look like? Well, recall how recursive name servers operate. When queried, they examine their cache and authoritative data for an answer, and if the answer isn’t present, they start by querying one of the root name servers and following referrals until they identify the authoritative name servers that know the answer, then query one of those authoritative name servers to retrieve the answer. It looks something like this:

Most Passive DNS data is captured immediately “above” the recursive name server, as indicated here:

That means Passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet (along with errors, of course). This data is time-stamped, deduped, and compressed, then replicated to a central database for archiving and analysis.

Note that what’s captured is server-to-server communication, not queries from your stub resolvers to the recursive name server. (Stub resolvers sit “below” the recursive name server in the diagram.) That’s important for two reasons. First, there’s significantly less server-to-server traffic than traffic between stub resolvers and the recursive name server, because only cache misses generate it. Second, the server-to-server communication can’t easily be associated with a particular stub resolver, and therefore represents much less of a privacy concern.

How the Passive DNS data is collected varies. Some recursive name servers, including Knot and Unbound, include software hooks that make it easy to capture Passive DNS data. Administrators can use a free program called dnstap to read the Passive DNS data from the name server.

Folks running other name servers may use different tools on the host running the recursive name server to monitor traffic to the name server, or they may mirror the name server’s port to another host that records the data.

Various organizations run the databases to which Passive DNS “sensors” upload data. One of the most popular and best known is Farsight Security’s Passive DNS database, DNSDB. DNSDB contains data collected over several years by sensors all over the world. Other organizations running Passive DNS databases include the website VirusTotal, now owned by Google; the German consulting company BFK; the Computer Incident Response Center Luxembourg, CIRCL; and Estonia’s Computer Emergency Response Team, CERT-EE.

Queries of Passive DNS databases can yield a wealth of useful information. For example, you could query Passive DNS databases to determine what a DNS query for A records attached to www.infoblox.com returned in April 2012, or what name servers infoblox.com has used since then, or what other zones use that same set of name servers. Perhaps more significant, you could take an IP address you know is malicious and find all the domain names that Passive DNS sensors have recently mapped to that IP address.
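To make the two preceding ideas concrete (the time-stamped, deduped records a sensor produces, and the forward, reverse and shared-name-server questions you can ask a Passive DNS database), here is an added example that is not part of the original article and not code from Farsight, CIRCL or any other provider. It builds a tiny in-memory Passive DNS store from a constructed set of answers captured above a recursive name server and answers the same kinds of questions the text lists. All names, addresses and timestamps are constructed; the record shape (rrname, rrtype, rdata, time_first, time_last, count) follows the common Passive DNS convention.

```python
"""Added example (not from the original article): a minimal Passive DNS
aggregator and query layer. It takes the kind of server-to-server answers a
sensor captures above a recursive name server, dedupes them into pDNS records
(rrname, rrtype, rdata, time_first, time_last, count), and supports the
forward, reverse and "what else uses these name servers" questions described
in the article. All input data below is constructed."""

from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of answers seen above the recursive name server.
# Each tuple: (unix timestamp, owner name, RR type, RDATA).
SENSOR_OBSERVATIONS = [
    (1333238400, "www.example.com.", "A", "192.0.2.10"),      # 2012-04-01
    (1333324800, "www.example.com.", "A", "192.0.2.10"),      # same answer again
    (1333411200, "example.com.", "NS", "ns1.example.net."),
    (1333411200, "example.com.", "NS", "ns2.example.net."),
    (1420070400, "www.example.com.", "A", "203.0.113.5"),     # 2015-01-01
    (1420156800, "other.example.", "NS", "ns1.example.net."),
    (1420156800, "bad.example.", "A", "203.0.113.5"),
    (1420243200, "bad.example.", "A", "203.0.113.5"),
]


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive; store them lowercased and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def aggregate(observations):
    """Dedupe raw observations into pDNS records keyed by (rrname, rrtype, rdata).

    Returns a dict mapping that triple to
    {"time_first": ts, "time_last": ts, "count": n}. This is the dedup step the
    article mentions: repeated identical answers collapse into one record.
    """
    records = {}
    for ts_, rrname, rrtype, rdata in observations:
        key = (normalize_name(rrname), rrtype.upper(), rdata.lower())
        rec = records.get(key)
        if rec is None:
            records[key] = {"time_first": ts_, "time_last": ts_, "count": 1}
        else:
            rec["time_first"] = min(rec["time_first"], ts_)
            rec["time_last"] = max(rec["time_last"], ts_)
            rec["count"] += 1
    return records


class PassiveDNS:
    """In-memory stand-in for a pDNS database such as the ones the article lists."""

    def __init__(self, observations):
        self.records = aggregate(observations)
        # Reverse index: rdata -> set of (rrname, rrtype), for "what names map here?"
        self.by_rdata = defaultdict(set)
        for (rrname, rrtype, rdata) in self.records:
            self.by_rdata[rdata].add((rrname, rrtype))

    def lookup(self, rrname, rrtype, since=None, until=None):
        """Forward query: rdata seen for rrname/rrtype, optionally within a time window."""
        rrname = normalize_name(rrname)
        out = []
        for (n, t, rdata), rec in self.records.items():
            if n != rrname or t != rrtype.upper():
                continue
            if since is not None and rec["time_last"] < since:
                continue
            if until is not None and rec["time_first"] > until:
                continue
            out.append(rdata)
        return sorted(out)

    def names_for_rdata(self, rdata):
        """Reverse query: every owner name whose answer contained this rdata."""
        return sorted(n for n, _ in self.by_rdata[rdata.lower()])

    def zones_sharing_nameservers(self, zone):
        """Zones whose NS set overlaps the NS set of `zone` (excluding `zone` itself)."""
        zone = normalize_name(zone)
        ns_set = set(self.lookup(zone, "NS"))
        return sorted(
            {n for ns in ns_set for n, t in self.by_rdata[ns] if t == "NS" and n != zone}
        )


def ts(iso_date: str) -> int:
    """Helper: ISO date (UTC) -> unix timestamp, for readable time windows."""
    return int(datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc).timestamp())


if __name__ == "__main__":
    pdns = PassiveDNS(SENSOR_OBSERVATIONS)
    # What did A records for www.example.com return in April 2012?
    print(pdns.lookup("www.example.com", "A", since=ts("2012-04-01"), until=ts("2012-04-30")))
    # Which names have mapped to an address you consider suspicious?
    print(pdns.names_for_rdata("203.0.113.5"))
    # Which other zones use the same name servers as example.com?
    print(pdns.zones_sharing_nameservers("example.com"))
```

The reverse index is the part that turns a single known-bad address into a list of names worth blocking; a real database like DNSDB does the same thing at far larger scale and with a richer query API, but the record shape and the three query types are the same.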

Here are some of the many uses of Passive DNS:

Response policy zones (RPZs) provide an invaluable mechanism for closing the loop when malicious domain names are identified in Passive DNS data. RPZs are DNS zones whose contents are interpreted as rules. Those rules typically say things such as, “If anyone tries to look up A records for this domain name, return an error saying that domain name doesn’t exist.” Because RPZs are simply zones, they can be transferred around the Internet quickly and efficiently, and the policies they contain promptly enforced. Organizations that analyze Passive DNS data to identify malicious domain names can construct rules blocking resolution of those names and distribute them to subscribers around the Internet.
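The following added example, which is not from the original article and not a real RPZ feed from any provider, shows the "closing the loop" step in code: it turns a list of names flagged by Passive DNS analysis into an RPZ zone in master-file format and then evaluates queries against those rules the way an RPZ-aware resolver would. The zone name rpz.example, the SOA values, the serial and the flagged names are all constructed. The action encodings (CNAME to the root for NXDOMAIN, CNAME to *. for NODATA, CNAME to rpz-passthru. to exempt a name) are the standard RPZ conventions.

```python
"""Added example (not from the original article): build an RPZ zone from names
flagged in Passive DNS analysis, and show how a resolver interprets its rules.
The zone name, SOA contents, serial and flagged names are constructed."""

# Constructed list of names an analyst decided to block.
FLAGGED_NAMES = ["bad.example", "Evil.Example.NET"]

# RPZ encodes the policy action in the RDATA of the trigger record.
#   CNAME .             -> answer NXDOMAIN (the "this name doesn't exist" rule)
#   CNAME *.            -> answer NODATA
#   CNAME rpz-passthru. -> exempt the name from the policy
ACTIONS = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru."}


def normalize(name):
    """Lowercase and strip the trailing dot so names compare consistently."""
    return name.lower().rstrip(".")


def build_rpz_zone(zone_name, names, serial, action="nxdomain", block_subdomains=True):
    """Return the text of a master-file-format RPZ zone.

    Each flagged name becomes a QNAME trigger relative to the zone origin; with
    block_subdomains a wildcard trigger is added so that hosts under the
    flagged name are covered too. Bumping the serial is what lets subscribers
    pick up the new rules via ordinary zone transfer.
    """
    rdata = ACTIONS[action]
    lines = [
        f"$ORIGIN {zone_name}.",
        "$TTL 300",
        f"@ IN SOA ns.{zone_name}. hostmaster.{zone_name}. {serial} 3600 600 86400 300",
        f"@ IN NS ns.{zone_name}.",
    ]
    for name in sorted({normalize(n) for n in names}):
        lines.append(f"{name} IN CNAME {rdata}")
        if block_subdomains:
            lines.append(f"*.{name} IN CNAME {rdata}")
    return "\n".join(lines) + "\n"


def parse_rpz_triggers(zone_text):
    """Extract QNAME triggers -> action RDATA from zone text produced above."""
    triggers = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] == "CNAME":
            triggers[parts[0]] = parts[3]
    return triggers


def apply_policy(triggers, qname):
    """Decide what a resolver applying these rules returns for qname.

    An exact trigger wins; otherwise the closest enclosing wildcard trigger
    wins. Returns 'nxdomain', 'nodata', 'passthru' or None (no policy hit).
    """
    qname = normalize(qname)
    reverse_actions = {v: k for k, v in ACTIONS.items()}
    if qname in triggers:
        return reverse_actions[triggers[qname]]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in triggers:
            return reverse_actions[triggers[candidate]]
    return None


if __name__ == "__main__":
    zone = build_rpz_zone("rpz.example", FLAGGED_NAMES, 2015102701)
    print(zone)
    rules = parse_rpz_triggers(zone)
    for q in ["bad.example", "www.bad.example", "good.example", "bad.example.org"]:
        print(q, "->", apply_policy(rules, q))
```

The wildcard trigger matters in practice: without it, a flagged name is blocked but any host beneath it still resolves, and the last query in the demo shows that a wildcard on bad.example does not accidentally catch an unrelated name such as bad.example.org.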

If you’re interested in contributing Passive DNS data from your recursive name servers, Farsight provides information on how to participate, including a step-by-step guide to setting up a Passive DNS sensor. You can also add RPZ feeds based on the analysis of Passive DNS data to help block the resolution of malicious domain names within your organization.

Cricket Liu is Infoblox's Chief DNS Architect and a Senior Fellow. He works with Infoblox customers to ensure their DNS implementations are robust and secure. He is a co-author of "DNS and BIND," one of the best-known books on the DNS.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

(www.networkworld.com)

By Cricket Liu
