
My experiment with opening a recursive DNS server to everyone turned out to be so successful that I urgently had to change the rules of the game. Instead of closing the recursive DNS completely, I decided to restrict access to the domains most popular with attackers using the RPZ (Response Policy Zone) mechanism.
RPZ is a BIND DNS server feature whose competent use makes it possible to solve the following problems:
- block botnet and malware communications with control centers (C & C);
- reduce the load on the caching DNS and communication channel;
- block access according to the list of "prohibited" sites (both for enterprises and for providers);
- redirect users to local resources.
Let us consider in detail the options for using RPZ and its configuration.
Blocking botnet and malware communications
Many botnets and malware use DNS to communicate with their command-and-control centres (C&C), which complicates detection and control. Examples of such techniques are FastFlux (known since November 2006) and the DGA (Domain Generation Algorithm). With FastFlux, a domain (or several domains) with a large number of A records that change frequently (TTL of 5 minutes) is used to communicate with the C&C. In a more complex implementation, these records may point to infected or hacked servers and computers acting as proxies. Blocking the communications of such malware by IP is impossible because of the large number of addresses and their frequent changes. BredoLab is one of the well-known botnets that used FastFlux. BredoLab was used to infect computers with other malware (Zbot aka Zeus, SpyEye, TDSS, HareBot, Blakken aka Black Energy 2), to send spam and to carry out attacks. Read more about BredoLab here.
Using the DGA technique, malware generates a large number of domains (up to 50 thousand) according to certain rules; some of them are checked every day and used to communicate with the C&C. Cryptolocker, one of the best-known ransomware programs to date, used this algorithm. After infecting a computer, Cryptolocker tried to contact the C&C and, upon a successful connection, downloaded the public key used for encryption. lcxgidtthdjje.org, kdavymybmdrew.biz, dhlfdoukwrhjc.co.uk and xodeaxjmnxvpv.ru are examples of domains used by Cryptolocker. RPZ can be used against these threats by blocking malware communications with the C&C. An RPZ zone for protection against such threats can be maintained manually (using data from specialized forums, blogs and websites) or obtained from a subscription service.
Several companies provide a similar service for RPZ (the list is taken from dnsrpz.info):
- SpamHaus - subscription cost depends on the type of organization and number of users;
- Surbl - the cost of the subscription depends on the type of organization and the number of users;
- InternetIdentity - cost is not clear;
- ThreatStop - the subscription is sold by Infoblox under the DNS Firewall brand name; the cost depends on the device model. On September 18 Infoblox is holding a webinar in Russian on this topic; you can register here.
Some suppliers of RPZ zones provide them for testing, so it is very easy to check your network for the presence of known botnets and malware.
Reducing the load on caching DNS and communication channel
Botnet agent activity can significantly increase the load on the caching DNS and the communication channel. All "proper" administrators restrict access to their caching DNS servers, so this traffic comes from authorized clients. The parasitic load on the DNS server can be either constant or periodic.

In the figure above, for 2 hours the load increased from the usual 15 thousand requests per second to 43 thousand. The attack used amplification: the server response (4 KB) exceeded the request 60 times. Accordingly, the additional load of 28 thousand requests per second generated 875 MB/s of outgoing traffic.
I scanned one /16 network of a Moscow telecom operator (the one I am connected to). In the evening, 69 devices were found that respond to DNS queries and are reachable from the Internet. My (average in its parameters) Linksys EA3200 router can handle from 1000 requests per second (4 KB packet size) to 3500 requests per second (small packet size), that is, generate 31 Mb/s of outgoing traffic for 0.5 Mb/s of incoming traffic. So the 69 devices detected can generate a stream of 2 Gb/s and significantly load the operator's network.
All parasitic traffic on my open recursive DNS (see the previous article) was generated by only 3 domains: webpanel.sk, energystar.gov and doleta.gov.

Blocking these domains with RPZ (I used the NODATA response) reduced the load on the network, since the size of the request now almost coincides with the size of the server response. The attack became pointless.
Blocking access by the list of prohibited sites
Blocking access to domains through lists of prohibited sites is useful both for enterprises and for Internet providers. With access restrictions within enterprises, everything is trivial and there are no problems in implementation. Do not forget that you need to block user access to public DNS.
Providers can use RPZ to comply with the Federal Law, since not everyone is able to pass traffic through DPI, and blocking by IP is fraught with a loss of customer loyalty. In this case the restrictions are implemented as follows:
- The registry of prohibited sites is divided into 2 groups:
  - restrictions imposed on the whole domain;
  - restrictions imposed on a specific section of the site;
- Sites subject to whole-domain blocking are entered in the RPZ zone;
- Routing to the remaining sites is set up so that packets pass through either a DPI or a proxy server. In a pinch, you can block by IP.
Redirect Users to Local Resources
In addition to simply blocking access to resources (NXDOMAIN, NODATA, DROP), you can change the response of the DNS server. Such a change in answers may be required, for example:
- to alert users that their computers are infected with malware, botnet agents, or when accessing sites that distribute malware. Additionally, providers can show antivirus advertisements, and administrators in enterprises can specify an IT phone number and email;
- for warning users that this resource is locked. Providers can specify the reason for blocking (FZ), and for corporate users you can display a list of blocked domains and a sample statement of your own free will (for dissent);
- redirecting users to local resources or local (gray) IP addresses of servers (an example is given in this article).
Configuring RPZ on BIND 9.10
To use RPZ effectively, all DNS queries should come only to your DNS. This can be achieved in two ways:
- block access to other DNS;
- automatically redirect all DNS requests with RPZ enabled.
The configuration below is correct for BIND version 9.10; earlier versions lack the drop and tcp-only policies and the restrictions on client and DNS server addresses (rpz-client-ip, rpz-nsip).
1. First, define the list of RPZ zones and their parameters with the response-policy statement:
    response-policy { zone "whitelist" policy passthru; zone "badlist" policy disabled; };
BIND checks each request against the RPZ zones in the order in which they are listed in response-policy. The most important additional parameter is policy, which overrides the actions specified by the records in the zone itself. It can take the following values:
- given - actions defined in the zone are executed (default value);
- disabled - zone is disabled;
- passthru - the DNS server response is not modified, but the match is recorded in the log files;
- drop - the server ignores the request (does not respond);
- nxdomain — the server responds with NXDOMAIN (a domain that does not exist);
- nodata - the server responds NODATA (no record);
- tcp-only - a truncated response is sent, which forces the client to retry the query over TCP (protection against DrDoS);
- cname domain-name - the server rewrites all matching responses to a CNAME pointing at the specified domain.
2. Then define the zones using the standard format: type master for local zones, type slave for an RPZ feed.
    zone "badlist" { type master; file "master/badlist"; allow-query { none; }; };
3. Define the zone contents (comments on the format are in the text):
    $TTL 1H
    @                       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
                            NS  LOCALHOST.
    ; QNAME policy records. There are no periods (.) after the owner names.
    nxdomain.domain.com     CNAME   .                       ; (.)  - NXDOMAIN
    *.nxdomain.domain.com   CNAME   .                       ; (.)  - NXDOMAIN
    nodata.domain.com       CNAME   *.                      ; (*.) - NODATA
    *.nodata.domain.com     CNAME   *.                      ; (*.) - NODATA
    bad.domain.com          A       10.0.0.1
                            AAAA    2001:2::1
    bzone.domain.com        CNAME   garden.example.com.
    ok.domain.com           CNAME   rpz-passthru.
    ; x.bzone.domain.com -> x.bzone.domain.com.garden.example.com
    *.bzone.domain.com      CNAME   *.garden.example.com.
    ; IP policy records (answer addresses)
    8.0.0.0.127.rpz-ip      CNAME   .
    32.1.0.0.127.rpz-ip     CNAME   rpz-passthru.
    ; NSDNAME and NSIP policy records (authoritative name servers)
    ns.domain.com.rpz-nsdname   CNAME   .
    48.zz.2.2001.rpz-nsip       CNAME   .
    ; CLIENT-IP policy records (addresses of the querying clients)
    112.zz.2001.rpz-client-ip   CNAME   rpz-drop.
    8.0.0.0.127.rpz-client-ip   CNAME   rpz-drop.
    ; TCP-only
    16.0.0.1.10.rpz-client-ip   CNAME   rpz-tcp-only.
    example.com                 CNAME   rpz-tcp-only.
    *.example.com               CNAME   rpz-tcp-only.
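As an added illustration (my own script, not code from the article or from BIND), the following Python applies the QNAME matching rules and the rpz-ip owner-name encoding used in the zone above to a constructed subset of its records; the SPECIAL action map and the helper names are my assumptions, and the encoding follows the page's examples (prefix length first, reversed octets or words, "zz" for "::").

```python
import ipaddress

# Meaning of the special CNAME targets used in RPZ policy records.
SPECIAL = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
           "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}

# Constructed subset of the badlist zone (QNAME records only).
ZONE = """\
nxdomain.domain.com     CNAME   .                    ; NXDOMAIN
*.nxdomain.domain.com   CNAME   .
nodata.domain.com       CNAME   *.                   ; NODATA
bad.domain.com          A       10.0.0.1             ; local data
ok.domain.com           CNAME   rpz-passthru.
*.bzone.domain.com      CNAME   *.garden.example.com.
example.com             CNAME   rpz-tcp-only.
*.example.com           CNAME   rpz-tcp-only.
"""

def parse_zone(text):
    """Return {owner: (rrtype, rdata)} from one-record-per-line zone text."""
    records = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()       # drop comments and blank lines
        if line:
            owner, rrtype, rdata = line.split(None, 2)
            records[owner.lower()] = (rrtype, rdata.strip())
    return records

def policy_action(records, qname):
    """RPZ QNAME matching: exact owner first, then the closest wildcard ancestor."""
    qname = qname.lower().rstrip(".")
    labels = qname.split(".")
    names = [qname] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in names:
        if owner in records:
            rrtype, rdata = records[owner]
            if rrtype != "CNAME":
                return "LOCAL-DATA " + rrtype + " " + rdata
            if rdata in SPECIAL:
                return SPECIAL[rdata]
            if rdata.startswith("*."):          # wildcard CNAME: the qname is prepended
                return "CNAME " + qname + "." + rdata[2:]
            return "CNAME " + rdata
    return "NO-MATCH"

def cidr_to_rpz_ip(cidr, suffix="rpz-ip"):
    """Encode an address block as an RPZ IP-trigger owner name, e.g.
    127.0.0.0/8 -> 8.0.0.0.127.rpz-ip and 2001:2::/48 -> 48.zz.2.2001.rpz-nsip."""
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address.compressed
    parts = addr.split(".") if net.version == 4 else addr.replace("::", ":zz:").strip(":").split(":")
    return "%d.%s.%s" % (net.prefixlen, ".".join(reversed(parts)), suffix)
```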
RPZ is a convenient mechanism for increasing network security and restricting access to resources.
List of sources
- dnsrpz.info
- www.spamhaus.org/faq/section/ISP%2520Spam%2520Issues#164
- www.infosecurity.ru/cgi-bin/mart/arts.pl?a=101219
- www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information
- www.infoblox.com/products/infrastructure-security/dns-firewall
- ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch06.html
- www.zytrax.com/books/dns/ch7/rpz.html
- www.zytrax.com/books/dns/ch9/rpz.html
Vadim Pavlov
UPD1:
Infoblox offers to test DNS Firewall (RPZ) + Feed in passive mode.
You can register and get access at this link:
www.infoblox.com/catchmalware
Installation requires VMware version 5.0 or higher and vCenter Server.