The DNS Firewall Architecture

Slides:

Advertisements

Similar presentations

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

Advertisements

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

Introduction to MySQL Administration.  Server startup and shutdown ◦ How to manually start and stop it from the command line ◦ How to arrange an automated.

Chapter 7 HARDENING SERVERS.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Circuit & Application Level Gateways CS-431 Dick Steflik.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Domain Name Services Oakton Community College CIS 238.

Norman SecureSurf Protect your users when surfing the Internet.

1 SMTP Transport Configuration SMTP Configurations and Virtual Servers Customizing the SMTP Service.

DHCP Server © N. Ganesan, Ph.D.. Reference DHCP Server Issues or leases dynamic IP addresses to clients in a network The lease can be subject to various.

ENOG-7 27 May 2014 Moscow Marriott Grand Hotel, Moscow, Russia IPv6 Golden Networks Jeroen Massar, Farsight Security, Inc. A watchful eye.

Advanced Module 3 Stealth Configurations.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Windows Server 2008 R2 Domain Name System Chapter 5.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Cybersecurity Coordination and Cooperation Colloquium (f41lf3st 2015) 17 June 2015 Tallinna Tehnickaülikool, Tallinn, Estonia IPv6 Golden Networks Jeroen.

Introduction to Barracuda IM Firewall. Two Security Products in One Public IM Management –Manages traffic from public IM clients, including AIM, Yahoo!

Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.

2.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 2: Examining.

CIS 192B – Lesson 2 Domain Name System. CIS 192B – Lesson 2 Types of Services Infrastructure –DHCP, DNS, NIS, AD, TIME Intranet –SSH, NFS, SAMBA Internet.

Sample DNS configurations. Example 1: Master 'master' DNS and is authoritative for this zone for example.com provides 'caching' services for all other.

Open DNS resolvers have to be closed ● Open resolvers respond to recursive queries from any host on the Internet ● Amplification DNS attack 2.

Swiss NREN protection with DNS RPZ

Configuring and Managing the DHCP Server Role. DHCP overview RARP – one of the first ways to assign addresses BOOTP – Another legacy way to assign addresses.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Security Benefits of Firewall Protection

Cosc 5/4765 NAC Network Access Control. What is NAC? The core concept: –Who you are should govern what you’re allowed to do on the network. Authentication.

Introduction to Barracuda IM Firewall

UDP Socket Programming

Security Issues with Domain Name Systems

CompTIA Security+ Study Guide (SY0-401)

Configuring DHCP Relay Configuration Example

Module 3: Enabling Access to Internet Resources

RPZ, 20 Critical Controls, Linux Server Audit, Printer Security Audit

Enabling Secure Internet Access with TMG

Module 8: Networking Services

Network Security Analysis Name : Waleed Al-Rumaih ID :

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 6: Planning, Configuring, And Troubleshooting WINS.

Benefits of Using Domain Name System (DNS)

Securing the Network Perimeter with ISA 2004

Exam Name: CCIE Security Written

Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009

Introduction to Networking

3300 ICP Network Topology/ DHCP Configuration Jill Krzyzanowski Technical Trainer Release 8.0.

Introduction to DNSWatch

Subject Name: Computer Communication Networks Subject Code: 10EC71

Lesson #10 MCTS Cert Guide Microsoft Windows 7, Configuring Chapter 10 Configuring Network and Firewall Settings.

CompTIA Security+ Study Guide (SY0-401)

What’s New in Fireware v12.1.1

Net 431 D: ADVANCED COMPUTER NETWORKS

Firewalls at UNM 11/8/2018 Chad VanPelt Sean Taylor.

DHCP, DNS, Client Connection, Assignment 1 1.3

Information Security Session October 24, 2005

Proactive Network Protection Through DNS

Server-to-Client Remote Access and DirectAccess

AKAMAI INTELLIGENT PLATFORM™

What’s changed in the Shibboleth 1.2 Origin

Shifting from “Incident” to “Continuous” Response

Data Security in Local Networks using Distributed Firewalls

Allocating IP Addressing by Using Dynamic Host Configuration Protocol

AbbottLink™ - IP Address Overview

Introduction to Network Security

Firewall Installation

(DNS – Domain Name System)

Securing Your DNS Infrastructure in 5 Minutes

Presentation transcript:

The DNS Firewall Architecture At Virginia Tech

No Really… What is a DNS Firewall? Also known as Response Policy Zone (RPZ). A mechanism in the DNS which allows recursive resolvers to customize responses (tell lies) for certain zones. First released in 2010 in BIND by Paul Vixie/ISC. It is an open and vendor-neutral standard. Goal is to protect clients from malicious domains. VT has been experimenting with RPZ since 2012.

Timetable No off-campus 2/25/19 – ISB, RB14 DHCP hosts (COMPLETE) 3/4/19 – Resnet (static, wireless) DHCP hosts 3/7/19 – ITSO/NI&S deployment assessment 3/11-31/19 – final rollout for rest of campus DHCP Optional – users can configure their static hosts manually anytime

The Client View - Configuration VT Clients use the VT RPZ blocking enabled recursive resolvers. nyet.iso.vt.edu – 198.82.247.39 nein.iso.vt.edu - 198.82.247.111 nope.iso.vt.edu – 198.82.247.69 Currently only available from vt.edu address space. All VT DNS Recursive Resolvers transfer and log the RPZ. milo.cns.vt.edu - 198.82.247.98 jeru.cns.vt.edu - 198.82.247.66 yardbird.cns.vt.edu – 198.82.247.34 Only nyet, nein and nope tell lies.

Are Malware Callbacks a Problem?

Client View Redirect

Working with campus partners NI&S maintains the DNS servers and process. ITSO maintains security feeds and master RPZ DNS server. Other campus depts (with own DNS) may: Forward queries to nyet, nein and nope. Transfer the BL zone from the ITSO.

The RPZ Database Goals If Seven Days Have Passed Since Last Report Age out domains Protect Popular domains If Seven Days Have Passed Since Last Report Remove from DB Unless SOC Analyst Added the domain Serverless SQLite DB Engine Simple, Compact and Fast

The Feed Sources Automated Manual/API Malware Domains REN-ISAC SES Ransomware Tracker Zeus Tracker Maybe NOD soon (working on this) Manual/API FireEye Appliances Bro We’d like to learn about other high-quality sources. What do others do?

Lessons Learned It’s worth the effort and cost Has prevented compromises Popular with campus community Spend more time upfront thinking How do we collect/visualize stats? How do we measure effectiveness? How do we mine the redirect data to find other issues? How do we integrate with other netsec assets? Be prepared to deal with detractors The intent is NOT to spy on DNS queries It’s just another layer

Conclusion Open Forum/questions