[dns-operations] A DNS and network security forced marriage

John Kristoff jtk at cymru.com
Mon Mar 15 23:38:14 UTC 2010


On Fri, 12 Mar 2010 11:04:32 -0600
Stephen L Johnson <stephen.johnson at arkansas.gov> wrote:

> My gut is also telling me that this is a bad idea from an operations
> point of view. But I'm not able to articulate why it would be a bad
> idea. This is getting way outside my area of expertise with DNS. So
> I'm putting the question to the DNS experts. Is this a good idea, or
> not?

I've done this a bit and have given some sample code and configs to
other operators in presentations on how to do this in the past.  I've
noticed in the past few months this has actually becoming more
widespread.  So others are doing it with varying degrees of success.

Some things to consider...

Be sure the source of data is very clean and trustworthy.  There are a
variety of free/public "bad" name lists out there with varying degrees
of quality and reliability.  False positives may cause some real grief
for your users and ultimately.  Make sure for example you're not taking
down entire domains that are legit, just because there is a URL file
path causing problems.  In other words, make sure the entire domain is
entirely "bad".

Consider carefully how you will answer the query.  Do you answer with
an actual IP address?  If command goes out to source spoofed TCP attack
to a name that you've sunk to 127.0.0.1, what happens?  Each of your
infected bot hosts sends the attack packets to itself, with the spoofed
address.  If there is no listener on that port, it may send back blasts
of RSTs to the spoofed address.  Probably not helpful.  You could sink
to a real address you can do something with or blackhole or you may
simply give back an NXDOMAIN.  You might choose instead to see what the
name was intended to resolve to and maintain an IP based mitigation
system rather than a DNS-based one.  Do you allow users outside of you
network to see if you're sinking these names?

You might also want to set the TTL relatively low.  This might help to
recover from a false positive or simply help you keep track of bots on
your network.

Log the queries for these hijacked zones.  You want to know who is
querying for them and do something about them.  If your security team
is serious, they don't want to just filter and forget.  They'll want to
follow up and help fix the hosts/users.

If you must proceed.  Test it for awhile with a select subset of
hosts through the use of views or equivalent mechanism.

John



More information about the dns-operations mailing list