Presentation is loading. Please wait.

Presentation is loading. Please wait.

The DNS Firewall Architecture

Published byHerbert Harmon Modified over 5 years ago

Similar presentations

Presentation on theme: "The DNS Firewall Architecture"— Presentation transcript:

1 The DNS Firewall Architecture
At Virginia Tech

2 No Really… What is a DNS Firewall?
Also known as Response Policy Zone (RPZ). A mechanism in the DNS which allows recursive resolvers to customize responses (tell lies) for certain zones. First released in 2010 in BIND by Paul Vixie/ISC. It is an open and vendor-neutral standard. Goal is to protect clients from malicious domains. VT has been experimenting with RPZ since 2012.

3 Timetable No off-campus 2/25/19 – ISB, RB14 DHCP hosts (COMPLETE)
3/4/19 – Resnet (static, wireless) DHCP hosts 3/7/19 – ITSO/NI&S deployment assessment 3/11-31/19 – final rollout for rest of campus DHCP Optional – users can configure their static hosts manually anytime

4 The Client View - Configuration
VT Clients use the VT RPZ blocking enabled recursive resolvers. nyet.iso.vt.edu – nein.iso.vt.edu nope.iso.vt.edu – Currently only available from vt.edu address space. All VT DNS Recursive Resolvers transfer and log the RPZ. milo.cns.vt.edu jeru.cns.vt.edu yardbird.cns.vt.edu – Only nyet, nein and nope tell lies.

5 Are Malware Callbacks a Problem?

6 Client View Redirect

7 Working with campus partners
NI&S maintains the DNS servers and process. ITSO maintains security feeds and master RPZ DNS server. Other campus depts (with own DNS) may: Forward queries to nyet, nein and nope. Transfer the BL zone from the ITSO.

8 The RPZ Database Goals If Seven Days Have Passed Since Last Report
Age out domains Protect Popular domains If Seven Days Have Passed Since Last Report Remove from DB Unless SOC Analyst Added the domain Serverless SQLite DB Engine Simple, Compact and Fast

9 The Feed Sources Automated Manual/API
Malware Domains REN-ISAC SES Ransomware Tracker Zeus Tracker Maybe NOD soon (working on this) Manual/API FireEye Appliances Bro We’d like to learn about other high-quality sources. What do others do?

10 Lessons Learned It’s worth the effort and cost
Has prevented compromises Popular with campus community Spend more time upfront thinking How do we collect/visualize stats? How do we measure effectiveness? How do we mine the redirect data to find other issues? How do we integrate with other netsec assets? Be prepared to deal with detractors The intent is NOT to spy on DNS queries It’s just another layer

11 Conclusion Open Forum/questions

Download ppt "The DNS Firewall Architecture"

Similar presentations

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Introduction to MySQL Administration.  Server startup and shutdown ◦ How to manually start and stop it from the command line ◦ How to arrange an automated.

Introduction to MySQL Administration.  Server startup and shutdown ◦ How to manually start and stop it from the command line ◦ How to arrange an automated.
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Circuit & Application Level Gateways CS-431 Dick Steflik.

Circuit & Application Level Gateways CS-431 Dick Steflik.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Kaspersky Open Space Security: Release 2 World-class security solution for your business.

Kaspersky Open Space Security: Release 2 World-class security solution for your business.
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
1 SMTP Transport Configuration SMTP Configurations and Virtual Servers Customizing the SMTP Service.

1 SMTP Transport Configuration SMTP Configurations and Virtual Servers Customizing the SMTP Service.
DHCP Server © N. Ganesan, Ph.D.. Reference DHCP Server Issues or leases dynamic IP addresses to clients in a network The lease can be subject to various.

DHCP Server © N. Ganesan, Ph.D.. Reference DHCP Server Issues or leases dynamic IP addresses to clients in a network The lease can be subject to various.
ENOG-7 27 May 2014 Moscow Marriott Grand Hotel, Moscow, Russia IPv6 Golden Networks Jeroen Massar, Farsight Security, Inc. A watchful eye.

ENOG-7 27 May 2014 Moscow Marriott Grand Hotel, Moscow, Russia IPv6 Golden Networks Jeroen Massar, Farsight Security, Inc. A watchful eye.
Advanced Module 3 Stealth Configurations.

Advanced Module 3 Stealth Configurations.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Windows Server 2008 R2 Domain Name System Chapter 5.

Windows Server 2008 R2 Domain Name System Chapter 5.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Cybersecurity Coordination and Cooperation Colloquium (f41lf3st 2015) 17 June 2015 Tallinna Tehnickaülikool, Tallinn, Estonia IPv6 Golden Networks Jeroen.

Cybersecurity Coordination and Cooperation Colloquium (f41lf3st 2015) 17 June 2015 Tallinna Tehnickaülikool, Tallinn, Estonia IPv6 Golden Networks Jeroen.
Introduction to Barracuda IM Firewall. Two Security Products in One Public IM Management –Manages traffic from public IM clients, including AIM, Yahoo!

Introduction to Barracuda IM Firewall. Two Security Products in One Public IM Management –Manages traffic from public IM clients, including AIM, Yahoo!

Similar presentations

Ads by Google