Monday, 8 February 2016

The Potential of Passive DNS in Protecting Network Infrastructure

By: Cricket Liu, Chief DNS Architect, Infoblox

The number of attacks against Domain Name System (DNS) infrastructure has grown exponentially in recent years, having increased by 200 percent since 2012. Exploiting this vulnerable infrastructure is a popular, and often very successful, tactic for causing disruption to organisations.

The popularity of DNS as a target is unsurprising considering its high value to business operations: companies are unable to conduct business online without DNS functioning properly. And with traditional protection, like firewalls, leaving port 53 open, networks are constantly being exploited via DNS for a variety of criminal purposes.

Examples of attacks include DDoS (distributed denial of service) attacks against authoritative name servers, the use of name servers as amplifiers in DDoS attacks, cache poisoning attacks, the use of compromised registrar accounts to modify delegation information, and abuse of name servers by malware.

Fortunately, given the plethora of potential attack vectors, new and powerful mechanisms are being developed to help organisations combat these threats. These include the DNS Security Extensions, Response Rate Limiting and Response Policy Zones.

But what looks to be one of the most promising methods for enhancing DNS security - and, as a result, the security of the Internet more generally - remains to be fully exploited. This is Passive DNS data.

Appropriating Passive DNS data

Invented in 2004 by security researcher Florian Weimer, Passive DNS was developed as a method for combatting malware. Logging the responses received from other name servers, the recursive name servers then would replicate said logged data to a central database.

To get an idea of what this logged data would look like, recall how recursive name servers work. When queried, these servers examine both their authoritative data and cache for an answer. If this information is not present, the servers by default will begin by querying one of the root name servers, continuously following referrals until they are able to identify those authoritative name servers that know the answer and then retrieve it from one of these servers.

Passive DNS data consists of all the information collected throughout this process. This largely consists of the referrals and answers from the contacted authoritative name servers on the Internet, and of course any errors. All this data is time stamped, deduped, compressed, and replicated to a central database where it is archived and analysed.

It is worth specifying at this point that the captured data is server-to-server communication and not queries from stub resolvers to the recursive name server. This is an important aspect of Passive DNS, as it means that there is significantly less server-to-server talk than there is between a stub revolver and a recursive name server. It also represents less of a privacy concern, as the server-to-server communication cannot easily be associated with a specific stub revolver.

The Passive DNS data can be collected in various ways. Some recursive servers, such as Knot and Unbound, actually have software hooks that make Passive DNS data capture especially easy. Using a free programme called dnstap (, administrators are able to read the Passive DNS data from the name server.

For those running other name servers, there are different tools they can use on the host running the recursive name server to monitor traffic to that name server, or to mirror the port of the name server to another host which in turn records the data.

Uploading the data

There are a number of organisations that run the databases which Passive DNS data “sensors” can upload data to. One of the most well known and popular of these is Farsight Security’s Passive DNS database, otherwise known as DNSDB. This database contains the data collected from sensors all over the world for more than several years. Passive DNS databases are also run by organisations including VirusTotal, which is now owned by Google; BFK, the German consultancy firm; RiskIQ’s PassiveTotal; Estonia’s Computer Emergency Response Team, CERT-EE; and the Computer Incident Response Center Luxembourg (CIRCL).

Querying these Passive DNS databases allows network administrators to determine which queries returned a specific IP address in any given month, discover which name servers a particular zone used at some point in the past, and even what other zones use that same set of name servers.

Perhaps more significantly, however, is the ability to take an IP address that you know to be malicious and identify all the other domain names that the Passive DNS sensors map to that specific IP address.

Putting the data to use

While this information has numerous benefits for network administrators in gaining a greater understanding of an organisation’s DNS and drilling down into the background of specific IP addresses, Passive DNS data can also be exploited to protect against data exfiltration and compromise by malicious domains.

One example is enabling an organisation to detect cache poisoning and fraudulent changes to delegation in near real time. By periodically querying a Passive DNS database, an organisation would use information garnered by Passive DNS sensors to find what addresses its critical domain names currently map to. An organisation would then be able to distinguish any variation from the mappings in authoritative zone data, which is a common indication of compromise.

Another means by which Passive DNS databases can help prevent malicious domains infiltrating an organisation’s network through DNS queries is by blocking new domain names. A high correlation has been identified between brand new domain names and malicious activity. This is because these domains are frequently used only briefly in phishing campaigns or other similar attacks, before being discarded. As such, Farsight Security periodically scrapes the newest domain names from DNSDB, for instance those which were first identified by DNS sensors in the preceding 15 minutes, hour, or other interval. This can provide organisations with a feed of these new, potentially malicious domain names, enabling network administrators to block their resolution. The cost of temporarily blocking the few newly-created legitimate domain names that happen to have appeared in the last 15 minutes is a small price to pay for safer networks.

Monitoring domain names which change their addresses is another technique which helps detect malware and phishing sites. Legitimate domain names change their address very infrequently, aside from those used for load balancing and distribution. By keeping track of any changes to address (A and AAAA) records and name server (NS) records, it is possible to identify which domains are using techniques like fast flux to help malicious servers evade detection.

And once a name server or IP address is marked as malicious, it is very simple for a Passive DNS database to identify other potentially malicious domain names that have mapped to that IP address.

Finally, if an organisation deploys a Passive DNS database which supports Soundex or fuzzy matching, it would be able to query that database periodically for domain names that use or sound like its trade names. This will help them identify potential infringement.

Using Response Policy Zones to close the loop

Response Policy Zones, or RPZs, are DNS zones whose contents are interpreted as policy rules. These rules typically say things along the lines of “For anyone trying to look up A records for this domain name, return an error saying that this domain name doesn’t exist.” RPZs are an invaluable mechanism in closing the loop when malicious domain names are identified in Passive DNS data.

As RPZs are just zones, they can be quickly and efficiently transferred around the Internet, and the policies that they contain can be rapidly enforced. Organisations can analyse Passive DNS data to identify malicious domain names, and then construct rules blocking the resolution of these names and distribute those rules to subscribers around the Internet.

First steps

If you are interested in contributing Passive DNS data from your recursive name servers, Farsight provides information on how to participate and includes a step-by-step guide for setting up a Passive DNS sensor. It is also possible to add RPZ feeds - based on the analysis of Passive DNS data - to aid in blocking the resolution of malicious domain names in your organisation.

We’re still working to understand the full potential of Passive DNS data, but the insight that it provides and the value that this intelligence offers to network administrators demonstrates that it will play a key role in securing this important, yet vulnerable, part of network infrastructure in years to come.

# # #