Vulnerabilities / Threats

09:56 AM
DNS Gets Anti-Phishing Hook

The new, free OpenDNS service uses DNS to fight phishing and botnets

If you're fighting phishing and botnets in your enterprise, you've got a new ally: the Domain Name System (DNS).

OpenDNS this week began offering a free service that's basically DNS on steroids, with added security features that keep users from reaching known phishing sites or becoming unwitting drones in a botnet. It also boosts DNS performance through caching and a dedicated network, and provides additional features such as automatic correction of mistyped domain names.

OpenDNS is initially aimed at consumers -- technology-savvy ones who know what DNS stands for -- and is based on a big fat database of phishing and botnet sites OpenDNS gathered from various anti-phishing and anti-botnet organizations, as well as its own data. "We find out who the bad hosts on the Net are now and, using that, we block them at the DNS level," says David Ulevitch, CEO and founder of OpenDNS. Ulevitch and his team built OpenDNS around the EveryDNS public domain code he developed five years ago.

The company hopes to attract small offices and home businesses as it adds more features, and it's also interested in luring ISPs. Ulevitch says the company is putting the final touches on an interface that will open up its database of blacklisted domains and servers to the public via a new site, phishtank.com, which will also host phishing stats gathered by OpenDNS.

The idea is to get security apps to use the database. "We're going to open up the whole backend database so others can use it in their applications," Ulevitch says. "A spam filter, for instance, can hook into our API."

But a pumped-up DNS alone can't kill phishing, says Dan Hubbard, founding research fellow at the Anti-Phishing Working Group and vice president of security research for Websense. "DNS interaction is just one layer in a pretty big problem set," he says. "Ideally, you would have both DNS and URL levels" of anti-phishing security, which Websense offers.

APWG statistics show that most phishing pages are distinguished by their full URL rather than by a dedicated domain name, Hubbard says, and a resolver sees only the domain name. "So there's going to be a large amount of stuff OpenDNS can't track. But you can blackhole names for botnets."

Ulevitch concurs that it's all about layers of security. "We want to be the open malware clearinghouse, and we want others to write it into their own apps."

If OpenDNS prevents phishers from using DNS in their exploits, that's a major victory, Ulevitch says. "When someone uses a DNS name, they are at liberty to change the IP address it points to as often as they wish, and they often do so to move from compromised machine to compromised machine." Blocking the name forces them to send victims to a raw IP address, which can't be re-pointed and is therefore simpler to quash, he explains.

Botnet drones use DNS to locate their command-and-control servers, Ulevitch observes, and malware likewise uses DNS to find the sites it downloads spyware from, so securing that layer is crucial.

But OpenDNS' service could pose a single point of failure, says Richard Stiennon, president of IT-Harvest. "My problem with OpenDNS is that it is not distributed enough. By asking individuals to use its DNS servers as primary, it creates a network hotspot that is liable to cause problems when they go down due to fire, flood, earthquake, or DDoS attack," Stiennon says.

Stiennon argues, too, that blacklisting is an invitation to spoofing. "Say a hacker puts a phishing site on my hosted server," he says. "Does that blacklist my IP address forever?"

OpenDNS currently doesn't block phishing pages hosted under a legitimate domain, on, say, Yahoo or another compromised site, because there is no malicious domain name to blackhole. "We are working on a solution for this, but currently we do not block access to these sites," Ulevitch says. "That leaves the DNS side of phishing and moves over to the provider side, which is why we support increasing security at all layers."
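The two points above, blocking a bad host "at the DNS level" and the limitation that a resolver never sees the URL path, are easy to see in code. The following is an added example written for this page, not OpenDNS's software: a stdlib-only policy layer that parses a wire-format DNS query, suffix-matches the queried name against a blocklist, and answers a blocked name either with NXDOMAIN or with an A record for a sinkhole address. The blocklist entries (`phish-example.test`, `botnet-c2.test`), the sinkhole address `127.0.0.2`, the shared host `www.bigportal.example` and the function names are all constructed for the example.

```python
"""DNS-level blocklisting, illustrated with a minimal resolver policy layer.
Added example (stdlib only); the names and addresses below are constructed."""
import struct
from urllib.parse import urlsplit

# Constructed blocklist of known-bad zones (reserved .test TLD, not real sites).
BLOCKLIST = {"phish-example.test", "botnet-c2.test"}
SINKHOLE_IP = "127.0.0.2"   # assumption: address blocked names are pointed at
QTYPE_A = 1


def labels(name):
    """Split a domain name into lowercase labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_blocked(qname, blocklist=BLOCKLIST):
    """Suffix match: listing example.test also covers login.example.test."""
    parts = labels(qname)
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def hostname_seen_by_resolver(url):
    """A resolver only ever receives the hostname of a URL, never its path."""
    return urlsplit(url).hostname


def build_query(txid, qname, qtype=QTYPE_A):
    """Encode a standard recursive query (RD=1) with one question."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(qname)) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!2H", qtype, 1)


def parse_query(packet):
    """Return (txid, qname, qtype, question_bytes) from a wire-format query."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, parts = 12, []
    while True:
        n = packet[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:                       # compression pointers are not valid here
            raise ValueError("compressed label in question name")
        parts.append(packet[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!2H", packet[off:off + 4])
    off += 4
    return txid, ".".join(parts), qtype, packet[12:off]


def policy_response(packet, mode="sinkhole"):
    """Answer a blocked name locally; return None to forward the query upstream."""
    txid, qname, qtype, question = parse_query(packet)
    if not is_blocked(qname):
        return None
    if mode == "nxdomain":
        # QR=1 RD=1 RA=1, RCODE=3 (NXDOMAIN): the name simply does not exist.
        return struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0) + question
    if qtype != QTYPE_A:
        # NOERROR with no answer for non-A queries (e.g. MX) on a blocked name.
        return struct.pack("!6H", txid, 0x8180, 1, 0, 0, 0) + question
    # Sinkhole: one A record (name pointer to offset 12, TTL 60) for SINKHOLE_IP.
    rdata = bytes(int(o) for o in SINKHOLE_IP.split("."))
    rr = b"\xc0\x0c" + struct.pack("!2HIH", QTYPE_A, 1, 60, 4) + rdata
    return struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0) + question + rr


def rcode(packet):
    return struct.unpack("!H", packet[2:4])[0] & 0xF


def answer_count(packet):
    return struct.unpack("!H", packet[6:8])[0]


if __name__ == "__main__":
    for host in ("login.phish-example.test", "www.bigportal.example"):
        print(host, "blocked" if is_blocked(host) else "allowed")
    # A phishing page under a legitimate shared host is invisible to the resolver.
    url = "http://www.bigportal.example/~user/bank/login.html"
    print(url, "->", hostname_seen_by_resolver(url))
    print("nxdomain rcode:", rcode(policy_response(build_query(7, "botnet-c2.test"), "nxdomain")))
```

The suffix match is what lets one blocklist entry cover every throwaway subdomain a phisher registers under it, and the NXDOMAIN-versus-sinkhole choice is a real operational decision: a sinkhole address lets you log which internal hosts tried to reach a botnet controller, while NXDOMAIN leaks nothing about your policy to the client. Note what the check cannot do: it never sees the path of a URL, so a page planted under a legitimate host passes, and a victim given a raw IP address never issues a query at all.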

Ulevitch says he plans to make his case for a more secure DNS with the IETF as well. "The existing DNS is a total black box," he says. "It's like a hose -- anyone who wants to go on the network is letting it in, and there's no way to control what comes in," Ulevitch says. "OpenDNS lets you control the DNS that comes into your network. It boggles my mind why this hasn't happened in the past."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
