The Internet works with IP addresses, but nobody memorises the IP address of a web server; we remember the domain name instead. It is like a telephone number: nobody learns the number, we look it up in the contacts list. As a result, the DNS service is critical for most companies: it has to be always available and it has to answer quickly. If the root name servers were shut down, most people would conclude that there was no Internet at all.

DNS is used by people, and by computers for machine-to-machine communication. However, it is also used by most malware, which may request domain names that look similar to a legitimate one, or names that are completely different and impossible to remember, as malware that uses a Domain Generation Algorithm (DGA) does. For instance, Zeus and CryptoLocker used a DGA to locate their C&C server, and because the algorithm keeps producing fresh candidate domains, the malware can get around security policies based on IP reputation.
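The names a DGA produces tend to be long, have high character entropy and contain few vowels, which is what makes them "impossible to remember". The following is an added example, not code from the original post or from any vendor product: a small heuristic scorer for DGA-like names. The mini public-suffix list, the feature thresholds and the score weights are assumptions chosen for illustration; a real deployment would use the full list from publicsuffix.org and tune the thresholds against its own traffic.

```python
"""Heuristic scoring of domain names for DGA-like randomness (added example).

Features: Shannon entropy, vowel ratio and digit ratio of the registrable
label (the label immediately left of the public suffix). All thresholds and
weights are assumptions for illustration, not values from any product.
"""
import math
from collections import Counter

# Assumption: a tiny public-suffix list so the example runs offline.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "biz", "ru", "co.uk"}
VOWELS = set("aeiou")


def registrable_label(domain: str) -> str:
    """Return the label just left of the public suffix.

    'www.bbc.co.uk' -> 'bbc'; 'mail.google.com' -> 'google'.
    """
    labels = domain.lower().rstrip(".").split(".")
    # Try the two-label suffix first so 'co.uk' wins over 'uk'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return labels[-n - 1]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; 'aaaa' -> 0.0, 12 distinct chars -> log2(12)."""
    counts = Counter(s)
    total = len(s)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def dga_features(domain: str) -> dict:
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label) if label else 0.0,
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
    }


def dga_score(domain: str) -> float:
    """Score in [0, 1]; higher is more DGA-like. Weights are assumptions."""
    f = dga_features(domain)
    score = 0.0
    if f["length"] >= 12:          # long registrable label
        score += 0.3
    if f["entropy"] >= 3.5:        # many distinct characters, little repetition
        score += 0.3
    if f["vowel_ratio"] < 0.25:    # unpronounceable consonant runs
        score += 0.3
    if f["digit_ratio"] > 0.2:     # digit-heavy labels
        score += 0.1
    return min(score, 1.0)


def is_dga_like(domain: str, threshold: float = 0.6) -> bool:
    return dga_score(domain) >= threshold


def scan(domains):
    """Return [(domain, score, flagged)] for a list of queried names."""
    return [(d, dga_score(d), is_dga_like(d)) for d in domains]


if __name__ == "__main__":
    # Constructed sample names, not real observations.
    sample = ["mail.google.com", "microsoftonline.com",
              "xqzkvbrtnwpmlq.com", "a1b2c3d4e5f6.net"]
    for domain, score, flagged in scan(sample):
        print(f"{domain:28} score={score:.1f} dga_like={flagged}")
```

Lexical heuristics like this produce false positives on CDN hostnames and legitimate random-looking labels, so in practice the score is one signal to correlate with others (NXDOMAIN rate per client, domain age, reputation feeds) rather than a blocking decision on its own.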

There are many security websites that help us look up a domain name and decide whether it is malicious or benign. For example, Open Threat Exchange (OTX) lets us search Indicators of Compromise and get a full description of the attack they belong to. VirusTotal is well known to most security engineers: it is easy to look up URLs or upload files to learn whether they are suspicious or infected. Another interesting site is FortiGuard, where it is also easy to look up domain names and IP addresses. All of these websites are useful for malware forensics.

However, if we are browsing these websites, it is probably because the attack or the infection has already happened; it is too late. Therefore, companies should deploy security appliances that analyse DNS requests and responses and look for suspicious domain names. For instance, this kind of service can be configured on FortiGate devices, where we can block DNS requests and responses by category, such as malicious domains, phishing domains, social network domains, and so on.

There are also security appliances that analyse HTTP requests and responses to look for suspicious websites. When a computer requests a website, it has already resolved the domain name for that website, so it is better to block the DNS request, since it happens before the HTTP request. However, web filtering services are still useful because they let us analyse the content of the website: we can inspect the page and the files it serves to look for malware downloads. In addition, if the appliance performs TLS inspection, we can even analyse HTTPS traffic, where a lot of malware is downloaded and C&C communication takes place. DNS filtering also only helps when the malware actually resolves a name through the corporate resolver; malware that connects to a hard-coded IP address, or that sends its DNS queries over HTTPS to an external resolver, never asks the filtered DNS server at all, which is another reason to keep both controls.

DNS filtering and web filtering are mandatory for most companies whose users have Internet access. In medium and large companies, DDI appliances (integrated DNS, DHCP and IPAM management) are also useful. These appliances can also analyse DNS requests to look for malicious domain names, and they can produce reports that show which endpoints are infected, provided that the DNS server logging the query sees the client itself and not an intermediate forwarder.
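What a DNS filter and a DDI report actually do with a query log is simple to show. The following is an added example, not code from the original post or from FortiGate, any DDI product or any other vendor: it parses constructed DNS query log lines, classifies each queried name by walking from the full name up to its parent domains (so a category entry for a domain also covers its subdomains, while a name that merely starts with the same labels does not match), applies a per-category action, and builds a per-endpoint report of blocked queries. The log format, the category feed and the policy are all assumptions constructed so that the example runs offline.

```python
"""DNS query-log triage with category policy and a per-endpoint report
(added example; the feed, policy and log lines below are constructed).
"""
from collections import defaultdict

# Assumption: a category feed keyed by domain. The suffix walk in
# categorise() makes 'evil.example' also cover 'cdn.evil.example'.
CATEGORY_FEED = {
    "evil.example": "malicious",
    "login-bank.example": "phishing",
    "social.example": "social-network",
}

# Assumption: per-category action, the way a DNS filter profile is built.
POLICY = {
    "malicious": "block",
    "phishing": "block",
    "social-network": "monitor",
}

# Constructed sample log: "<timestamp> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.1.1.20 www.example.net A
2024-03-01T10:00:02Z 10.1.1.20 cdn.evil.example A
2024-03-01T10:00:05Z 10.1.1.31 login-bank.example. A
2024-03-01T10:00:07Z 10.1.1.31 evil.example.org A
2024-03-01T10:00:09Z 10.1.1.42 api.social.example AAAA
2024-03-01T10:00:11Z 10.1.1.20 EVIL.EXAMPLE TXT
"""


def normalise(qname: str) -> str:
    """Case-fold and drop the trailing dot of a fully qualified name."""
    return qname.lower().rstrip(".")


def categorise(qname: str):
    """Walk from the full name up through its parents; first hit wins.

    'cdn.evil.example' -> 'malicious' (via 'evil.example');
    'evil.example.org' -> None (no naive prefix/substring match).
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_FEED:
            return CATEGORY_FEED[candidate]
    return None


def decide(qname: str) -> str:
    """Map a queried name to 'block', 'monitor' or 'allow'."""
    category = categorise(qname)
    return POLICY.get(category, "allow") if category else "allow"


def parse_log(text: str):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        yield {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def triage(text: str) -> dict:
    """Return {client_ip: {'block': n, 'monitor': n, 'allow': n, 'domains': set}}."""
    report = defaultdict(lambda: {"block": 0, "monitor": 0, "allow": 0,
                                  "domains": set()})
    for rec in parse_log(text):
        action = decide(rec["qname"])
        entry = report[rec["client"]]
        entry[action] += 1
        if action != "allow":
            entry["domains"].add(normalise(rec["qname"]))
    return dict(report)


def infected_endpoints(report: dict):
    """Clients with at least one blocked query, most blocked first."""
    return sorted((ip for ip, e in report.items() if e["block"] > 0),
                  key=lambda ip: -report[ip]["block"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for ip in infected_endpoints(rep):
        print(ip, rep[ip]["block"], "blocked:", sorted(rep[ip]["domains"]))
```

The report is keyed by the client IP the resolver saw, which is why the earlier caveat about forwarders matters: if every query arrives from an internal DNS server, the "infected endpoint" in the report is that server, and the real client has to be recovered from its own logs or from DHCP lease data, which is exactly what a DDI appliance has on hand.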


