Strengthen your network security with Passive DNS

Over the past few years, we’ve witnessed increasing attacks against DNS infrastructure: DDoS attacks against authoritative name servers, name servers used as amplifiers in DDoS attacks, compromised registrar accounts used to modify delegation information, cache poisoning attacks, and abuse of name servers by malware. Thankfully, we’ve also seen the concurrent development of powerful new mechanisms for combating those threats, including the DNS Security Extensions, response policy zones, and response rate limiting.

Perhaps the most promising means of enhancing DNS security, and the security of the Internet generally, has yet to be fully exploited. That’s Passive DNS data.

A primer on Passive DNS

Passive DNS was invented by Florian Weimer in 2004 to combat malware. Basically, recursive name servers would log the responses they received from other name servers and replicate that logged data to a central database.

What would that logged data look like? Well, recall how recursive name servers operate. When queried, they examine their cache and authoritative data for an answer, and if the answer isn’t present, they start by querying one of the root name servers and following referrals until they identify the authoritative name servers that know the answer, then query one of those authoritative name servers to retrieve the answer. It looks something like this:

Most Passive DNS data is captured immediately “above” the recursive name server, as indicated here:

That means Passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet (along with errors, of course). This data is time-stamped, deduped, and compressed, then replicated to a central database for archiving and analysis.

Note that what’s captured is server-to-server communication, not queries from your stub resolvers to the recursive name server. (Stub resolvers sit “below” the recursive name server in the diagram.) That’s important for two reasons. First, there’s significantly less server-to-server talk than between a stub resolver and a recursive name server, only cache misses. Second, the server-to-server communication can’t easily be associated with a particular stub resolver, and therefore represents much less of a privacy concern.

How the Passive DNS data is collected varies. Some recursive name servers, including Knot and Unbound, include software hooks that make it easy to capture Passive DNS data. Administrators can use a free program called dnstap to read the Passive DNS data from the name server.

Folks running other name servers may use different tools on the host running the recursive name server to monitor traffic to the name server, or they may mirror the name server’s port to another host that records the data.

The value of passive DNS

Various organizations run the databases to which Passive DNS “sensors” upload data. One of the most popular and best known is Farsight Security’s Passive DNS database, DNSDB. DNSDB contains data collected over several years by sensors all over the world. Other organizations running Passive DNS databases include the website VirusTotal, now owned by Google; the German consulting company BFK; the Computer Incident Response Center Luxembourg, CIRCL; and Estonia’s Computer Emergency Response Team, CERT-EE.

Queries of Passive DNS databases can yield a wealth of useful information. For example, you could query Passive DNS databases to determine what a DNS query for A records attached to www.infoblox.com returned in April 2012, or what name servers infoblox.com has used since then, or what other zones use that same set of name servers. Perhaps more significant, you could take an IP address you know is malicious and find all the domain names that Passive DNS sensors have recently mapped to that IP address.

Here are some of the many uses of Passive DNS:

• Passive DNS databases allow the near-real-time detection of cache poisoning and fraudulent changes to delegation. An organization could periodically query a Passive DNS database to find what addresses its critical domain names currently map to, according to Passive DNS sensors. Any variation from the mappings in authoritative zone data could be an indication of compromise.
• Farsight Security periodically scrapes the newest domain names from DNSDB. These are domain names that were first seen by sensors in the last 15 minutes, hour, or other interval. It turns out there’s a high correlation between brand-new domain names and malicious activity. New domains are often briefly used in phishing campaigns or the like, then simply discarded. And the cost of temporarily blocking the few legitimate domain names that happen to have appeared in the last 15 minutes is small. Farsight can provide organizations with a feed of these newest domain names, enabling administrators to block their resolution.
• If the Passive DNS database supports fuzzy or Soundex matching, an organization could periodically query that database for domain names that use or sound like its trade names and identify potential infringement.
• Once an IP address or name server is marked as malicious, it’s easy to use a Passive DNS database to identify other domain names that map to that IP address, or other zones hosted by that name server, and may also be malicious.
• By monitoring changes to A and AAAA records and zone NS records over time, it’s easy to identify domain names using techniques such as fast flux to help phishing and malware sites evade detection. Legitimate domain names (except for those used for load balancing and distribution) won’t change their addresses very frequently, and most legitimate zones rarely change their name servers.

Closing the loop with Response Policy Zones

Response policy zones (RPZs) provide an invaluable mechanism for closing the loop when malicious domain names are identified in Passive DNS data. RPZs are DNS zones whose contents are interpreted as rules. Those rules typically say things such as, “If anyone tries to look up A records for this domain name, return an error saying that domain name doesn’t exist.” Because RPZs are simply zones, they can be transferred around the Internet quickly and efficiently, and the policies they contain promptly enforced. Organizations that analyze Passive DNS data to identify malicious domain names can construct rules blocking resolution of those names and distribute them to subscribers around the Internet.

If you’re interested in contributing Passive DNS data from your recursive name servers, Farsight provides information on how to participate, including a step-by-step guide to setting up a Passive DNS sensor. You can also add RPZ feeds based on the analysis of Passive DNS data to help block the resolution of malicious domain names within your organization.

Cricket Liu is Infoblox's Chief DNS Architect and a Senior Fellow. He works with Infoblox customers to ensure their DNS implementations are robust and secure. He is a co-author of "DNS and BIND," one of the best-known books on the DNS.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.