
DNS Gets Anti-Phishing Hook

The new, free OpenDNS service uses DNS to fight phishing and botnets

If you're fighting phishing and botnets in your enterprise, you've got a new ally: the Domain Name System (DNS).

OpenDNS this week began offering a free service that's basically DNS on steroids, with added security features that prevent users from entering phishing sites or becoming unwitting drones in a botnet. It also boosts DNS performance through caching and a dedicated network, and provides additional features such as automatic correction of mistyped URLs.

OpenDNS is initially aimed at consumers -- technology-savvy ones who know what DNS stands for -- and is based on a big fat database of phishing and botnet sites OpenDNS gathered from various anti-phishing and anti-botnet organizations, as well as its own data. "We find out who the bad hosts on the Net are now and, using that, we block them at the DNS level," says David Ulevitch, CEO and founder of OpenDNS. Ulevitch and his team built OpenDNS around the EveryDNS public domain code he developed five years ago.

The company hopes to attract small offices and home businesses as it adds more features, and it's also interested in luring ISPs. Ulevitch says the company is putting the final touches on an interface that will open up its database of blacklisted DNS sites and servers to the public via a new site, phishtank.com, which will also host phishing stats gathered by OpenDNS.

The idea is to get security apps to use the database. "We're going to open up the whole backend database so others can use it in their applications," Ulevitch says. "A spam filter, for instance, can hook into our API."

But a pumped-up DNS alone can't kill phishing, says Dan Hubbard, founding research fellow at the Anti-Phishing Working Group and vice president of security research for Websense. "DNS interaction is just one layer in a pretty big problem set," he says. "Ideally, you would have both DNS and URL levels" of anti-phishing security, which Websense offers.

APWG statistics show that most phishing attacks use URLs, not domain names, Hubbard says. "So there's going to be a large amount of stuff OpenDNS can't track. But you can blackhole names for botnets."

Ulevitch concurs that it's all about layers of security. "We want to be the open malware clearinghouse, and we want others to write it into their own apps."

If OpenDNS prevents phishers from using DNS in their exploits, that's a major victory, Ulevitch says. "When someone uses a DNS name, they are at liberty to change the IP address it points to as often as they wish, and they often do so to move from compromised machine to compromised machine." Blocking DNS will force them to use an IP address that's not changeable -- and therefore is simpler to quash, he explains.

DNS is the layer at which botnets control drones, Ulevitch observes. Malware sites also use DNS to find sites for downloading spyware, he notes, so securing it is crucial.

But OpenDNS' service could pose a single point of failure, says Richard Stiennon, president of IT-Harvest. "My problem with OpenDNS is that it is not distributed enough. By asking individuals to use its DNS servers as primary, it creates a network hotspot that is liable to cause problems when they go down due to fire, flood, earthquake, or DDoS attack," Stiennon says.

Stiennon argues, too, that blacklisting is an invitation to spoofing. "Say a hacker puts a phishing site on my hosted server," he says. "Does that blacklist my IP address forever?"

OpenDNS currently doesn't block phishing pages that have no domain name of their own and instead sit on a legitimate host, such as Yahoo or another compromised site. "We are working on a solution for this, but currently we do not block access to these sites," Ulevitch says. "That leaves the DNS side of phishing and moves over to the provider side, which is why we support increasing security at all layers."
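The DNS-layer versus URL-layer limit that Hubbard describes above, and the cases Ulevitch concedes (a phishing page under a legitimate name, or an attacker falling back to a raw IP address), as an added Python illustration that is not part of the original article or of OpenDNS's code. It simulates a filtering resolver that sinkholes listed names and their subdomains, beside a URL-level check that can see the path a resolver never does. All hostnames, URLs and addresses are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample policy data (placeholder names, not real indicators).
BLOCKED_HOSTS = {"phish-bank-login.example", "botnet-c2.example"}
BLOCKED_URLS = {"shared-host.example/~user/secure-login.html"}
SINKHOLE_IP = "192.0.2.1"  # documentation-range address standing in for a block page


def host_blocked(hostname: str) -> bool:
    """DNS-layer policy: a name is blocked if it, or any parent domain, is listed."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_HOSTS for i in range(len(labels)))


def resolve(hostname: str, real_answer: str) -> str:
    """Simulated filtering resolver: answer with the sinkhole for blocked names,
    otherwise pass the upstream answer through unchanged."""
    return SINKHOLE_IP if host_blocked(hostname) else real_answer


def url_blocked(url: str) -> bool:
    """URL-layer policy: match host plus path, which a resolver never sees."""
    parts = urlsplit(url)
    return f"{(parts.hostname or '').lower()}{parts.path}" in BLOCKED_URLS


def is_ip_literal(host: str) -> bool:
    """True when the link names an address directly, so no DNS query happens."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(url: str) -> str:
    """Report which layer, if any, would stop a click on this link."""
    host = urlsplit(url).hostname or ""
    if is_ip_literal(host):
        # Nothing to resolve: DNS filtering cannot help, only URL/IP filtering can.
        return "blocked-at-url" if url_blocked(url) else "unblocked-no-dns-lookup"
    if host_blocked(host):
        return "blocked-at-dns"
    if url_blocked(url):
        return "blocked-at-url"
    return "allowed"
```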

Ulevitch says he plans to make his case for a more secure DNS with the IETF as well. "The existing DNS is a total black box," he says. "It's like a hose -- anyone who wants to go on the network is letting it in, and there's no way to control what comes in. OpenDNS lets you control the DNS that comes into your network. It boggles my mind why this hasn't happened in the past."

— Kelly Jackson Higgins, Senior Editor, Dark Reading


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
