[dns-operations] A DNS and network security forced marriage

Robin Stevens robin.stevens at oucs.ox.ac.uk
Tue Mar 16 19:56:19 UTC 2010

On Fri, Mar 12, 2010 at 11:04:32AM -0600, Stephen L Johnson wrote:

> After many years things are happening which will finally allow me to
> split our servers into authoritative-only servers and name caching
> servers (i.e. resolvers only). An utterly brilliant (or hare-brained)
> idea has emerged from our network security group to fight botnets on our
> network. The idea is to use the caching name servers to lobotomize the
> botnet. At least those bots on our network.

This is something of which I've had experience from both the hostmaster
and security side.  Again it was something that happened soon after we
divorced authoritative server and resolver functions.

The approach we've taken is that there's a database of domains to be
redirected by our nameservers, from which the relevant configuration
file can be generated.  The security team can add or remove domains from
the database via a web interface, allowing one of the following to be
done for each domain:

 * redirect to localhost
 * redirect to a webserver that returns a 403 error page to any http
   request, with a contact address in case of problems
 * redirect to a specific "darknet" IP address - a purely passive
   network which receives packets but never sends anything, originally
   used for detecting network scans.  Different malware can be directed
   to different addresses.

To allow us to catch subdomains of affected domains, each fake zone
contains a wildcard DNS entry, something that we'd never put in our
"real" DNS zones.

Conficker presented an interesting challenge.  The A and B variants used
250 different randomly-generated domains per day (with some false
positives), a big increase over what had previously been handled.  When
Conficker C appeared on the scene with 50,000 domains used each day,
it was clear an alternate approach was required.  Fortunately we were
able to find one that gave us near-real-time monitoring for infections.
As a backup we also do periodic checking of DNS resolver logs against
lists of current Conficker domains (hint: use 'grep -Ff'), although
sometimes this picks up forwarding resolvers as opposed to individual
infected hosts.

So - such DNS tricks are not the answer to all problems by any means,
but it's another mechanism for detecting and mitigating infections in
our environment.  We're aware we won't see everything - for instance
people who choose not to use the central DNS resolvers (or malware that
overrides client DNS settings).  Some day, the tactic will become less
effective as clients start using DNSSEC validation, but I suspect we've
got a way to go yet before that's a problem for many of the infected
systems we're after.

Robin Stevens <robin.stevens at oucs.ox.ac.uk>            Work +44 1865 273212
Networks & Telecommunications Group                     Fax +44 1865 273275
Oxford University Computing Services               http://www.cynic.org.uk/
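
As an added example (my own illustration, not the poster's generator or scripts), here is a small POSIX shell script that stands in for the "database of domains to be redirected" step and for the `grep -Ff` resolver-log check described above. It turns a list of domain/action pairs into BIND-style zone declarations, writes each fake zone with the wildcard record the post mentions, and then matches query-log lines against the same domain list. The domain list, the action-to-address mapping, the 192.0.2.0/24 addresses, the `ns.sinkhole.invalid.` name and the query-log lines are all constructed for the example; the `-w` on grep is my addition, not something the post recommends.

```shell
#!/bin/sh
# Added example (not the poster's generator or scripts): turn a small
# "database" of sinkholed domains into BIND-style zone declarations with a
# wildcard per zone, then check resolver query logs against the same list.
# Every domain, address and log line below is constructed for the example.

# Stand-in for the web-managed database: "domain action" per line.
SINKHOLE_DB='
malware-c2.example  localhost
phish.example       http403
worm.example        darknet
'

# Assumed sinkhole targets (documentation addresses, not real hosts).
LOCALHOST_IP=127.0.0.1
HTTP403_IP=192.0.2.10     # webserver answering every request with 403 + contact
DARKNET_IP=192.0.2.200    # passive darknet: receives packets, never replies

# Map an action name to the address the fake zone should point at.
action_ip() {
    case "$1" in
        localhost) echo "$LOCALHOST_IP" ;;
        http403)   echo "$HTTP403_IP" ;;
        darknet)   echo "$DARKNET_IP" ;;
        *)         echo "unknown action: $1" >&2; return 1 ;;
    esac
}

# named.conf fragment: one master zone per sinkholed domain, so the resolver
# answers for it locally instead of recursing to the real authority.
gen_named_conf() {
    printf '%s\n' "$SINKHOLE_DB" | while read -r domain action; do
        [ -n "$domain" ] || continue
        printf 'zone "%s" { type master; file "sinkhole/%s.zone"; };\n' \
            "$domain" "$domain"
    done
}

# Zone file for one domain: apex A record plus a wildcard so that any
# subdomain (www., cdn., random labels) also lands on the sinkhole.  The
# wildcard does not cover the apex itself, hence the explicit "@" record.
# NS/SOA names are placeholders; the short TTL makes removals bite quickly.
gen_zone() {
    domain=$1
    ip=$(action_ip "$2") || return 1
cat <<EOF
\$TTL 300
@   IN SOA  ns.sinkhole.invalid. hostmaster.sinkhole.invalid. ( 1 3600 900 604800 300 )
@   IN NS   ns.sinkhole.invalid.
@   IN A    $ip
*   IN A    $ip
EOF
}

# Constructed BIND query-log lines.  10.9.9.9 queries from port 53 the way a
# forwarding resolver would, which the post notes shows up alongside genuinely
# infected hosts; notworm.example is there to make sure it is NOT flagged.
QUERY_LOG='
16-Mar-2010 19:50:01.123 client 10.1.2.3#51234: query: www.malware-c2.example IN A + (10.0.0.1)
16-Mar-2010 19:50:02.456 client 10.1.2.3#51235: query: www.example.org IN A + (10.0.0.1)
16-Mar-2010 19:50:03.789 client 10.9.9.9#53: query: abc.worm.example IN A + (10.0.0.1)
16-Mar-2010 19:50:04.000 client 10.9.9.9#53: query: xyz.worm.example IN A + (10.0.0.1)
16-Mar-2010 19:50:05.000 client 10.4.4.4#40000: query: notworm.example IN A + (10.0.0.1)
'

# The post's "grep -Ff" check: fixed-string patterns read from a file.  -w is
# added so a list entry "worm.example" does not also flag "notworm.example"
# (without it a fixed string matches anywhere inside a longer name).
# Output: "<hits> <client-ip>" per client, most hits first.
find_infected() {
    patterns=$(mktemp)
    printf '%s\n' "$SINKHOLE_DB" | awk 'NF { print $1 }' > "$patterns"
    printf '%s\n' "$QUERY_LOG" \
        | grep -Fwf "$patterns" \
        | sed -n 's/.*client \([0-9.]*\)#.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
    rm -f "$patterns"
}
```

In use, `gen_named_conf` would be written to a file that named.conf includes, and `gen_zone` run once per domain into `sinkhole/<domain>.zone`, regenerated whenever the database changes. The hit count per client is what separates a single infected workstation from a forwarding resolver: a client on port 53 with many distinct sinkholed names behind it is almost certainly relaying for others and needs its own logs checked rather than being treated as the infected host.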
