DNS Gets Anti-Phishing Hook

The new, free OpenDNS service uses DNS to fight phishing and botnets

If you're fighting phishing and botnets in your enterprise, you've got a new ally: the Domain Name Service (DNS).

OpenDNS this week began offering a free service that's basically DNS on steroids, with added security features that prevent users from entering phishing sites or becoming unwitting drones in a botnet. It also boosts DNS performance through caching and a dedicated network, and provides additional features such as automatic correction of mistyped URLs.

OpenDNS is initially aimed at consumers -- technology-savvy ones who know what DNS stands for -- and is based on a big fat database of phishing and botnet sites OpenDNS gathered from various anti-phishing and anti-botnet organizations, as well as its own data. "We find out who the bad hosts on the Net are now and, using that, we block them at the DNS level," says David Ulevitch, CEO and founder of OpenDNS. Ulevitch and his team built OpenDNS around the EveryDNS public domain code he developed five years ago.

The company hopes to attract small offices and home business as it adds more features, and it's also interested in luring ISPs. Ulevitch says the company is putting the final touches on an interface that will open up its database of blacklisted DNS sites and servers to the public via a new site, phishtank.com, which will also host phishing stats gathered by OpenDNS.

The idea is to get security apps to use the database. "We’re going to open up the whole backend database so others can use it in their applications," Ulevitch says. "A spam filter, for instance, can hook into our API.

But a pumped-up DNS alone can't kill phishing, says Dan Hubbard, founding research fellow at the Anti-Phishing Working Group and vice president of security research for Websense. "DNS interaction is just one layer in a pretty big problem set," he says. "Ideally, you would have both DNS and URL levels" of anti-phishing security, which Websense offers.

APWG statistics show that most phishing attacks use URLs, not domain names, Hubbard says. "So there's going to be a large amount of stuff OpenDNS can't track. But you can blackhole names for botnets."

Ulevitch concurs that it's all about layers of security. "We want to be the open malware clearinghouse, and we want others to write it into their own apps."

If OpenDNS prevents phishers from using DNS in their exploits, that's a major victory, Ulevitch says. "When someone uses a DNS name, they are at liberty to change the IP address it points to as often as they wish, and they often do so to move from compromised machine to compromised machine." Blocking DNS will force them to use an IP address that's not changeable -- and therefore is simpler to quash, he explains.

DNS is the layer at which botnets control drones, Ulevitch observes. Malware sites also use DNS to find sites for downloading spyware, he notes, so securing it is crucial.

But OpenDNS' service could pose a single point of failure, says Richard Stiennon, president of IT-Harvest. "My problem with OpenDNS is that it is not distributed enough. By asking individuals to use its DNS servers as primary, it creates a network hotspot that is liable to cause problems when they go down due to fire, flood, earthquake, or DDOS attack," Stiennon says.

Stiennon argues, too, that blacklisting is an invitation to spoofing. "Say a hacker puts a phishing site on my hosted server," he says. "Does that blacklist my IP address forever?"

OpenDNS currently doesn't prevent unnamed phishing exploits that sit on, say, Yahoo or another compromised site. "We are working on a solution for this, but currently we do not block access to these sites," Ulevitch says. "That leaves the DNS side of phishing and moves over to the provider side, which is why we support increasing security at all layers."

Ulevitch says he plans to make his case for a more secure DNS with the IETF as well. "The existing DNS is a total black box," he says. "It's like a hose -- anyone who wants to go on the network is letting it in, and there's no way to control what comes in," Ulevitch says. "OpenDNS lets you control the DNS that comes into your network. It boggles my mind why this hasn't happened in the past."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights