Cyberattackers often use the Domain Name System (DNS) in their activities. Botnet C&C servers and phishing websites both use DNS to facilitate connection to or from its victims, while the protocol does not contain any security countermeasures to thwart such behavior. In this paper, we examine capabilities of a DNS firewall that would be able to filter access from the protected network to known malicious domains on the outside network. Considering the needs of Computer Security Incident Response Teams (CSIRTs), we formulated functional requirements that a DNS firewall should fulfill to fit the role of a cybersecurity tool. Starting from these requirements, we developed a DNS firewall based on the DNS Response Policy Zones technology, the only suitable open source technology available yet. However, we encountered several essential limitations in the DNS RPZ technology during the testing period. Still, our testing results show that simple DNS firewall can prevent attacks not detected by other cybersecurity tools. We discuss the limitations and propose possible solutions so that the DNS firewall might be used as a more complex cybersecurity tool in the future. Lessons learned from the deployment show that while the DNS firewall can indeed be used to block access to malicious domains, it cannot yet satisfy all the requirements of cybersecurity teams.
[1]
Vernon Schryver,et al.
DNS Response Policy Zones (RPZ)
,
2016
.
[2]
Ramana Rao Kompella,et al.
PhishNet: Predictive Blacklisting to Detect Phishing Attacks
,
2010,
2010 Proceedings IEEE INFOCOM.
[3]
Thorsten Holz,et al.
As the net churns: Fast-flux botnet observations
,
2008,
2008 3rd International Conference on Malicious and Unwanted Software (MALWARE).
[4]
Chris Kanich,et al.
The Long "Taile" of Typosquatting Domain Names
,
2014,
USENIX Security Symposium.
[5]
Vern Paxson,et al.
On the Potential of Proactive Domain Blacklisting
,
2010,
LEET.
[6]
Antonio Pescapè,et al.
Internet Censorship detection: A survey
,
2015,
Comput. Networks.
[7]
Paul V. Mockapetris,et al.
Domain names - implementation and specification
,
1987,
RFC.
[8]
Giovane C. M. Moura,et al.
Cybercrime After the Sunrise: A Statistical Analysis of DNS Abuse in New gTLDs
,
2018,
AsiaCCS.