DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Transcription

1 DNS Firewall with Response Policy Zone Suman Kumar Saha bdcert Amber IT Limited

2 DNS Response Policy Zone(RPZ) as Firewall RPZ allows a recursive server to control the behavior of responses to queries. Administrator to overlay custom information on top of the global DNS to provide alternate responses to queries. RPZ data is supplied as a DNS zone, and can be loaded from a file or retrieved over the network by AXFR/IXFR. It works like firewall on cloud. DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.

3 DNS Response Policy Zone(RPZ) Reputation data is packaged into Response Policy Zones (RPZs) RPZ s update frequently via IXFR/AXFR RPZ include both the filter criteria, and a response policy action BIND evaluates whether its response matches a filter in the RPZ and applies the policy specified RFC:

4 Why We Need DNS RPZ?

5 Ways of Content Filtering Router ACLs Web proxy filter Content-aware firewall DNS RPZ

6 Core DNS Principles.root Master/ Primary DNS Who is in charge of bdnog.org AXFR TSIG IXFR TSIG Slave/ Secondary DNS Caching Resolver DNS What is the IP for is AXFR - Full Zone Transfers IXFR - Incremental Zone Transfers TSIG - Transaction SIGnature used to secure the AXFR/IXFR

7 Security Company Master DNS RPZ DNS RPZ Who is in charge of bdnog.org?.root.org bdnog.org AXFR IXFR RPZ capability on the DNS Cashing Resolver allows zone transfers to be pushed out in seconds. RPZ Caching Resolver DNS What is the IP for is

8 DNS RPZ in Action Security Company Master DNS RPZ To find the bad guys badguys.com AXFR IXFR RPZ Caching Resolver DNS What is the IP for badguys.com? What is the IP for badguys.com? SPAM Computer looks up Xyzbadness. com

9 How is DNSRPZ Different? Security Company Master DNS RPZ Update zone files DNS RBL AXFR IXFR RPZ Caching Resolver DNS Some RBL User Query Every time

10 How is DNSRPZ Different? RPZ feed 1 RPZ feed 2 OPSEC Incident AXFR IXFR RPZ Caching Resolver DNS DNSRPZ allows for multiple providers building a richer list of bad domains Allows for industry incident feeds. Allows for local incident management feeds. INFOSEC or Security Team

11 Identify Infected Machines: By analyzing the query logs, you can track down the machines in your network that are attempting to contact these abuse sites, and clean up any infections or botnet code. What DNS Firewall Can block Using RPZ Phishing : When a user clicks on a link in an , for example from a fake banking site, you can intercept the lookup of that site. : When a user attempts to navigate to a domain name known to host malware, you can redirect them to a site of your own with instructions on scanning their computer. Ransomware: Ransomware, is a type of malware in which someone takes over assets on your network and blocks access to them until you pay a ransom. This is a rapidly growing threat. Botnet Command and Control sites :When devices inside your network attempt to contact suspected botnet command central, drop the queries, and log them for analysis and followup.

12 Components of the Criminal Cloud SPAM BOTNET Drive-By Secondary Controller Proxy Payment Processors Name Servers Avalanche: SPAM Cloud that you can lease time Zeus: Build your Own Criminal Cloud. BlackHole: Metasploit Cloud you can lease Mule Operations BOT Herder Victim of Crime Packer TLD Domain

13 Stage Domain Name SPAM BOTNET Drive-By Secondary Controller Proxy Name Servers Stage on NS Stage Domain Get Domain BOT Herder Victim of Crime Packer TLD Domain

14 Prepare Drive-By SPAM Drive-By Secondary BOTNET Controller Proxy Send Name Servers Load Hacker Victim of Crime TLD Domain Packer

15 Social Engineered SPAM to Get People to Click (Spear Phishing) SPAM BOTNET Drive-By Secondary Controller Proxy Send SPAM Name Servers Click on me now Hacker Victim of Crime TLD Domain Packer

16 Drive-By Violation Click on me now SPAM BOTNET Drive-By Secondary Controller Proxy Name Servers Hacker Victim of Crime TLD Domain Packer

17 Drive-By Violation SPAM BOTNET Drive-By Secondary Controller Proxy Name Servers Owned! Hacker Victim of Crime TLD Domain Packer

18 Poison Anti-Virus Updates SPAM Drive-By Secondary BOTNET Controller Proxy Name Servers Anti-Virus Vendor Poison the anti-virus updates All updates to Hacker Victim of Crime TLD Domain Packer

19 Prepare Violated Computer SPAM Drive-By Secondary BOTNET Controller Proxy Name Servers Anti-Virus Vendor Call to secondary site Load secondary package Hacker Victim of Crime TLD Domain Packer

20 Call Home SPAM Drive-By Secondary BOTNET Controller Proxy Name Servers Victim of Crime Call to Controller Report: Operating System Anti-Virus Location on the Net Software Patch Level Bandwidth Capacity of the computer Hacker TLD Domain Packer

21 Load Custom SPAM BOTNET Drive-By Secondary Controller Proxy Name Servers Go get New Module Hacker Victim of Crime TLD Domain Packer

22 Start Worming, Scanning, & Spreading SPAM BOTNET Drive-By Secondary Controller Proxy Name Servers IPv6 BOTNET Herder Victims of Crime IPv6 Packer TLD Domain

23 The Domain names were Black Listed! We know the SPAM addresses SPAM BOTNET Drive-By Secondary Controller Proxy We can see this guy s DNS Activity! Name Servers We knew the NS used for the criminal activity! We knew the infrastructure addresses! Victim of Crime We knew the controller addresses! We knew the back end systems! We needed to stop this computer from doing all the DNS lookups to bad domains! Packer BOT Herder TLD Domain

24 DNS RPZ would have stopped this attack! SPAM Drive-By Secondary BOTNET Controller Proxy Send SPAM Name Servers Blacklisted with DNSRPZ Hacker Victim of Crime NOC Alert! TLD Domain Packer

25 Possible Uses Examples Enterprise networks can us it to stop infections and let NOC know something is wrong. Hosting Provider can use it to block infected customer host and let NOC know something is wrong. Service Providers can use it to protect customers AND notify customer AND let the help desk know customers might be infected.

26 RPZ supported DNS Applications RPZ is native in several of the industry s leading DNS platforms, including: BIND V9.9 (or greater) Power DNS Numerous appliance vendors have enabled RPZ as well, including: Infoblox Efficient IP BlueCat

27 RPZ Rule Let s say we want to rewrite any DNS queries for a specific hostname, but allow lookups to the domain and other hosts in that domain: host.filter.com IN CNAME. This result in an NXDOMAIN (Non existence) response for a query for host.filter.com

28 Response Policy Triggers The rules in a Response Policy Zone consist of triggers or filters that identify what responses to modify, and policy actions to apply to these responses. Each rule can use one of five policy triggers and specify one of eight policy actions. by the query name. [QNAME] by an address which would be present in a truthful response. [RPZ-IP] by the name or address of an authoritative name server responsible for publishing the original response. [RPZ- NSDNAME and RPZ-NSIP] by the IP address of the DNS client [RPZ-CLIENT-IP]

29 Response Policy Actions to synthesize a domain does not exist response. [NXDOMAIN] to synthesize a name exists but there are no records of the requested type response. [NODATA] to redirect the user via a CNAME to a walled garden [CNAME example.org to replace the response with specified data. [Local Data] to require the client to re-submit the query via TCP [CNAME rpz-tcponly] to exempt the response from further policy processing. [DISABLED, CNAME rpz-passthru] to drop the query, without any response to the client [CNAME rpzdrop]

30 RPZ Logging Since we re running RPZ, we definitely want to log any RPZ rewrites. To do that, we need to set up two things under the logging header. channel rpzlog { file "rpz.log" versions unlimited size 1000m; print-time yes; print-category yes; print-severity yes; severity info; }; category rpz { rpzlog; };

31 CONFIGURE A SLAVE RPZ ZONE zone "drop.rpz.spamhaus.org" { type slave; file "dbx.drop.rpz.spamhaus.org"; masters { X.X.X.X; X.X.X.X; }; allow-transfer { none; }; allow-query { localhost; }; };

32 Configuring Response Policy Zones Bind currently has a 32 zone limit. RPZ zones are specified in the response-policy section: response-policy { zone "rpz-local"; zone "tor-exit-nodes.local"; zone "bogon.rpz.spamhaus.org"; zone "botnetcc.rpz.spamhaus.org"; zone "malware.rpz.spamhaus.org"; zone "malware-adware.rpz.spamhaus.org"; zone "malware-aggressive.rpz.spamhaus.org"; zone "bad-nameservers.rpz.spamhaus.org"; zone "drop.rpz.spamhaus.org"; };

33 Before Implementation At first implement on logging mode for at least for a week Use TSIG to transfer the RPZ zone Restricted RPZ recursive server to use from all Restricted users from using other name servers

34 RPZ Feed Providers Spamhaus/Deteque/SecurityZone Farsight security SURBL SWITCH Threat Stop

35 Implementation Case Study in an ISP in BD Using RPZ feed from SecurityZone with Bind ( RPZ_Installation_Guide.pdf ) Redirected all DNS recursive request to RPZ name server Provided service for 390 devices using recursive DNS Name server hits in a month. Domain blocked Number of infected device detected 32 Simple and easy approach to implement

36