Using DNS As Malware-, Botnet-Fighting Tool

New feature in OpenDNS service blocks bad IPs, stops bots from 'phoning home'

The bad guys freely abuse the Domain Name System (DNS), and now the good guys are increasingly using it to protect themselves: OpenDNS today began offering a new feature in its enterprise DNS service that blocks resolution of known malware domains and stops infected hosts from reaching their command-and-control (C&C) servers.

The OpenDNS Enterprise malware protection service joins a line of similar tools and cloud-based services that use DNS to identify and block known-bad domain names and IP addresses. Among these is the Internet Systems Consortium's (ISC) DNS Response Policy Zone (RPZ), which ships in BIND 9.8.0. There are also pure cloud-based IP reputation services, such as Unveillance and ipTrust.

Paul Vixie, principal author of the pervasive BIND DNS server software and creator of several DNS standards, says defenders are catching up with attackers, who have long used the DNS infrastructure to spread their malware and grow their botnets.

"It's the low-hanging fruit. We haven't used it as much as the bad guys have. We have to catch up with them," says Vixie, the founder, chairman, and chief scientist at Internet Systems Consortium, the nonprofit that produces the popular BIND software for most of the world's DNS servers.

"As long as malware continues to depend on DNS, we'll be able to curtail it with tools like ISC DNS RPZ and OpenDNS Enterprise Malware Protection," ISC's Vixie says. "While I do worry about the next step in this dance where the malware stops depending so much on DNS, I do think OpenDNS is right to capitalize on malware's immediate DNS needs.

"Enterprises who continue to run their own recursive DNS servers in-house are getting similar results using DNS reputation feeds from places like SURBL and Spamhaus using the Response Policy Zone [RPZ] feature new in BIND9 as of 9.8.0."

OpenDNS added the malware protection as a free upgrade to its OpenDNS Enterprise recursive DNS service. It uses blacklists of malicious domain names and of malicious or compromised IP addresses to refuse resolution of known malware-hosting websites and to keep infected machines inside the enterprise from reaching their C&C servers.
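The in-house equivalent Vixie describes, a BIND 9.8.0 recursive server with an RPZ, is shown below as an added example; it is not configuration from the article, from OpenDNS, or from ISC, and the zone name, file path, and every name and address in it are constructed (the addresses come from reserved documentation ranges). A production deployment would slave the policy zone from a reputation feed such as those the article names rather than maintaining it by hand, but the record syntax is the same:

```bind
// named.conf fragment (added example): turn on response policy on a
// BIND 9.8.0+ recursive resolver. "rpz.example.local" and the file path
// are assumptions for this illustration.
options {
    recursion yes;
    response-policy { zone "rpz.example.local"; };
};

zone "rpz.example.local" {
    type master;
    file "/etc/bind/db.rpz.example.local";
    allow-query { localhost; };   // the policy zone itself is not for clients
};

// ---- /etc/bind/db.rpz.example.local (constructed policy data) ----
// $TTL 300
// @   IN SOA localhost. root.localhost. ( 2011032301 3600 600 86400 300 )
// @   IN NS  localhost.
//
// ; QNAME triggers: a query for this name or anything beneath it is answered
// ; NXDOMAIN (the "CNAME ." action), so a bot cannot resolve its C&C hostname.
// cnc.example.net        CNAME .
// *.cnc.example.net      CNAME .
//
// ; NODATA action ("CNAME *."): the name appears to exist but has no records.
// dropzone.example.net   CNAME *.
//
// ; Response-IP triggers: rewrite any answer whose A record falls in the
// ; constructed "compromised hosting" block 198.51.100.0/24 or hits the single
// ; host 203.0.113.7, regardless of the name queried. The owner is written as
// ; <prefix-length>.<address octets reversed>.rpz-ip
// 24.0.100.51.198.rpz-ip CNAME .
// 32.7.113.0.203.rpz-ip  CNAME .
```

After reloading, `dig @127.0.0.1 www.cnc.example.net A` should come back NXDOMAIN and the server log should record the rewrite; a query for an unlisted name resolves normally. One caveat that bears on the DNSSEC discussion below: a client that sets the DO bit and validates will not accept a rewritten answer for a signed name as authentic, so BIND does not apply RPZ rewrites to such responses unless explicitly told to (later releases expose this as the `break-dnssec` option). Filtering therefore protects non-validating stubs, which is what most infected desktops are, rather than replacing validation.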

"We partnered with a number of well-respected security partners who do a lot of malware analysis and [have] IP reputation data and incorporated their feeds into our platform," says David Ulevitch, CEO of OpenDNS, who would not name the vendors. He says the closest offering to OpenDNS' new one is Comcast's IP reputation service, powered by Damballa, which notifies users of bot-infected machines.

He says the service differs from traditional anti-malware products, which focus on stopping malware from getting in but do little to limit the damage once it has slipped through and infected a machine. The new service can also work side by side with DNSSEC, he says.

Renowned researcher and DNSSEC expert Dan Kaminsky concurs. "Botnets are a pernicious problem, one that's getting worse every day. I see no conflict with DNSSEC, despite the use of filtering, for two reasons: First, it's not like users are clamoring to phone home to botnet command-and-control systems. So there's no actions we can expect that will cause further problems. Second, and more ominously, a botnet-infected host is under such control of an attacker that DNSSEC is too late; any security offered to the user can only be a best effort as there is attacker code always at the ready to interfere," he says. "I'm happy to see OpenDNS make that effort."

Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio
