Using DNS As Malware-, Botnet-Fighting Tool

New feature in OpenDNS service blocks bad IPs, stops bots from 'phoning home'

The bad guys freely abuse the Domain Name System (DNS), and now the good guys are increasingly using it to protect themselves: OpenDNS today began offering a new feature in its enterprise DNS service that refuses to resolve known malware-hosting domains and stops infected hosts from reaching their command-and-control servers.

The OpenDNS Enterprise malware protection service follows a line of similar tools and cloud-based services that use the DNS to block known-bad domain names and IP addresses at resolution time. Among these is the Internet Systems Consortium's (ISC) DNS Response Policy Zone (RPZ), which ships in BIND 9.8.0 and lets a recursive resolver rewrite answers according to a locally held policy zone, typically populated from a reputation feed. There are also pure cloud-based IP reputation services, such as Unveillance and ipTrust.

Paul Vixie, principal author of the pervasive BIND DNS server software and creator of several DNS standards, says defenders are catching up with the bad guys, who have used the DNS infrastructure to spread their malware and grow their botnets.

"It's the low-hanging fruit. We haven't used it as much as the bad guys have. We have to catch up with them," says Vixie, the founder, chairman, and chief scientist at Internet Systems Consortium, the nonprofit that produces the popular BIND software for most of the world's DNS servers.

"As long as malware continues to depend on DNS, we'll be able to curtail it with tools like ISC DNS RPZ and OpenDNS Enterprise Malware Protection," ISC's Vixie says. "While I do worry about the next step in this dance where the malware stops depending so much on DNS, I do think OpenDNS is right to capitalize on malware's immediate DNS needs.

"Enterprises who continue to run their own recursive DNS servers in-house are getting similar results using DNS reputation feeds from places like SURBL and Spamhaus using the Response Policy Zone [RPZ] feature new in BIND9 as of 9.8.0."
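The RPZ mechanism Vixie describes, as an added illustration that is not ISC's or OpenDNS's code: a small Python model of how a recursive resolver evaluates a policy zone. It parses the first two trigger kinds RPZ defined, QNAME (the record's owner name is the query name, wildcards allowed) and rpz-ip (an IPv4 prefix encoded as prefixlen.B4.B3.B2.B1.rpz-ip with the octets reversed), together with the actions CNAME . (answer NXDOMAIN), CNAME *. (answer NODATA) and local A data (redirect to a walled-garden host), and applies them to the A answer the resolver would otherwise return. The sample zone, the names and the addresses are constructed for the example; in a real deployment the zone comes from a reputation feed such as the SURBL or Spamhaus feeds mentioned above and is referenced from named.conf with a response-policy statement.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample RPZ zone (illustration only, not a real reputation feed).
SAMPLE_RPZ = """\
$ORIGIN rpz.example.
$TTL 300
@                      SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 900 604800 300
                       NS    ns.rpz.example.
; QNAME triggers: owner names are relative to the zone apex
cnc.bad.example        CNAME .            ; CNAME .  -> answer NXDOMAIN
*.cnc.bad.example      CNAME .            ; wildcard covers every subdomain
drop.bad.example       CNAME *.           ; CNAME *. -> answer NODATA
gate.bad.example       A     192.0.2.100  ; local data -> walled-garden host
; IP trigger: <prefixlen>.<B4>.<B3>.<B2>.<B1>.rpz-ip (octets reversed)
24.0.113.0.203.rpz-ip  CNAME .            ; any A answer in 203.0.113.0/24
"""


@dataclass
class Policy:
    action: str                   # "NXDOMAIN", "NODATA" or "LOCAL"
    rdata: Optional[str] = None   # A record returned for LOCAL


@dataclass
class RpzZone:
    qname_rules: dict = field(default_factory=dict)  # name -> Policy
    ip_rules: list = field(default_factory=list)     # [(IPv4Network, Policy)]


def _policy_from_record(rtype, rdata):
    if rtype == "CNAME" and rdata == ".":
        return Policy("NXDOMAIN")
    if rtype == "CNAME" and rdata == "*.":
        return Policy("NODATA")
    if rtype == "A":
        return Policy("LOCAL", rdata)
    raise ValueError(f"unsupported RPZ action: {rtype} {rdata}")


def _ip_trigger_to_network(owner):
    # "24.0.113.0.203.rpz-ip" -> 203.0.113.0/24 (IPv4 triggers only here)
    labels = owner.split(".")
    prefixlen = int(labels[0])
    octets = ".".join(reversed(labels[1:5]))
    return ipaddress.ip_network(f"{octets}/{prefixlen}", strict=False)


def load_rpz(text):
    """Parse the CNAME/A policy records out of RPZ zone-file text."""
    zone = RpzZone()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line or line.startswith("$") or line[0].isspace():
            continue  # blank, $-directive, or continuation line (the NS)
        fields = line.split()
        if len(fields) < 3 or fields[1] not in ("CNAME", "A"):
            continue  # SOA and anything else that is not a policy record
        owner, rtype, rdata = fields[0].lower(), fields[1], fields[2]
        policy = _policy_from_record(rtype, rdata)
        if owner.endswith(".rpz-ip"):
            zone.ip_rules.append((_ip_trigger_to_network(owner), policy))
        else:
            zone.qname_rules[owner] = policy
    return zone


def _qname_match(zone, qname):
    name = qname.lower().rstrip(".")
    if name in zone.qname_rules:
        return zone.qname_rules[name]
    labels = name.split(".")
    # RPZ wildcards follow DNS wildcard rules: *.x matches y.x but not x itself
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone.qname_rules:
            return zone.qname_rules[wild]
    return None


def _ip_match(zone, answers):
    for ip in answers:
        addr = ipaddress.ip_address(ip)
        for net, policy in zone.ip_rules:
            if addr.version == net.version and addr in net:
                return policy
    return None


def apply_policy(zone, qname, upstream_answers):
    """Rewrite an upstream A response; returns (rcode, list of A answers)."""
    # QNAME triggers take precedence over IP triggers, as in BIND's RPZ
    policy = _qname_match(zone, qname) or _ip_match(zone, upstream_answers)
    if policy is None:
        return ("NOERROR", list(upstream_answers))
    if policy.action == "NXDOMAIN":
        return ("NXDOMAIN", [])
    if policy.action == "NODATA":
        return ("NOERROR", [])
    return ("NOERROR", [policy.rdata])


if __name__ == "__main__":
    zone = load_rpz(SAMPLE_RPZ)
    for q, a in [("beacon.cnc.bad.example", ["198.51.100.5"]),
                 ("cdn.good.example", ["203.0.113.77"])]:
        print(q, a, "->", apply_policy(zone, q, a))
```

Two points the model makes visible. The rpz-ip trigger fires on the answer, not the name, so a fresh domain pointing at a known-bad /24 is blocked without any name being listed; that is what makes IP reputation feeds useful alongside domain blacklists. And nothing here touches traffic: a bot that carries a hard-coded IP address, or that talks to a resolver other than the one carrying the policy zone, never consults the zone, which is the "next step in this dance" Vixie worries about.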

OpenDNS added the feature as a free upgrade to its OpenDNS Enterprise recursive DNS service. The resolver checks each lookup against blacklists of malicious domain names and malicious or compromised IP addresses and withholds answers that would let machines in the enterprise reach known malware-hosting websites or C&C servers. Because the check happens at resolution time, it covers only malware that looks up its servers by name through the enterprise's configured resolver; a bot that carries a hard-coded IP address, or that queries some other resolver directly, is not affected.

"We partnered with a number of well-respected security partners who do a lot of malware analysis and [have] IP reputation data and incorporated their feeds into our platform," says David Ulevitch, CEO of OpenDNS, who would not name the vendors. He says the closest offering to OpenDNS' new one is Comcast's IP reputation service, powered by Damballa, which notifies users of bot-infected machines.

He says the service is unlike traditional anti-malware products, which focus on keeping malware out but do little to limit the damage once it gets through and infects a machine. The new service can also work side by side with DNSSEC, he says.

Renowned researcher and DNSSEC expert Dan Kaminsky concurs. "Botnets are a pernicious problem, one that's getting worse every day. I see no conflict with DNSSEC, despite the use of filtering, for two reasons: First, it's not like users are clamoring to phone home to botnet command-and-control systems. So there are no actions we can expect that will cause further problems. Second, and more ominously, a botnet-infected host is under such control of an attacker that DNSSEC is too late; any security offered to the user can only be a best effort, as there is attacker code always at the ready to interfere," he says. "I'm happy to see OpenDNS make that effort."


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
