tashatuvango - Fotolia

Using DNS RPZ to pump up cybersecurity awareness

Combining DNS with threat intelligence feeds could hold a key to improving cybersecurity awareness by educating users who attempt to access potentially malicious websites.

DNS: It's the lowest common internet denominator, the leveler, the application that everyone who goes online will use every time and with no exceptions. That ubiquity and pervasiveness are what make using DNS to promote cybersecurity awareness such an appealing -- and powerful -- idea.

What would happen if a public service mapped malicious or otherwise dangerous domains from threat intelligence sources onto DNS response policy zones (RPZs)? Such a service could be used to educate users about potential threats and promote better cybersecurity awareness, according to John Bambenek, vice president for security research and intelligence at ThreatSTOP Inc., a threat intelligence service provider based in Carlsbad, Calif.

Bambenek created a meme bannered "Daddy knows what websites you are going to" and said, "This is what my kids get if they go to a domain I block."

The concept is simple: Populate a DNS RPZ for every malicious, questionable or otherwise forbidden or discouraged domain reported by a threat intelligence feed. The collection of RPZs functions as a sort of DNS firewall, so when users try to access those sites, they are fed tailored responses that don't just prevent them from accessing malicious content, but that also offer the user an educational experience so they will understand why they have been blocked from that content.

Bambenek has been promoting this concept for a while and explained it in a 2017 presentation where he noted that RPZs can be used to detect potentially malicious content based on hostnames and domains; resolved IP addresses that are linked to hostnames or domains; for malicious name servers, the name servers that a particular hostname used; and the IP addresses for malicious name servers.

Daddy knows what websites you are going to.
John BambenekThreatSTOP

Once the RPZs are populated, the service could associate actions to take when the potentially malicious content is accessed:

  • Respond to the DNS request with the NXDOMAIN response, which means the domain does not exist;
  • Take no action, allow the query to succeed and log it; or
  • Modify the query to point to a "walled garden," so instead of going to the stated destination, the browser opens an IP address defined by the defender to inform the victim about security. If the destination is a botnet controller, the policy could notify the victim they are infected and suggest the next steps they should take.

Bambenek talked recently about how this DNS RPZ-based approach to cybersecurity awareness works, as well as its challenges and benefits.

Editor's note: This interview has been edited for clarity and length.

How would this kind of DNS RPZ service work, and how can it be set up?

John BambenekJohn Bambenek

John Bambenek: If you control the DNS resolver -- the DNS server you query -- you can modify responses at will. Criminals can do that with DNSChanger and a couple of other attacks, but RPZ allows people who run a DNS resolver to enforce security policy: I'm not going to let you go to malicious sites, I'm not going to let you go to porn, whatever it is.

We need to figure out a way to do this for our consumers because, in an enterprise environment, sure, I've got all the security tools, and if somebody clicks on a phishing link and I'm aware of that and have it in my policy, it could redirect them to a phishing page where you can give real-time feedback. The reason that's important is because of the whole 'annual security training' approach -- most people don't pay attention to it because it's high-level, it's general and people just hate web-based training. I have never heard anyone come out of a web-based training [and] say, 'You know what? That was a really compelling presentation, and it's changed my view on X.'

How does this differ from other cybersecurity awareness techniques?

Bambenek: Most of the security awareness tools we have just don't work. The green padlock or other things to indicate you're using a secure webpage -- there's been academic research that shows that all just doesn't work.

But, if you click on a phishing link or let's just say you click on ransomware in an email, you get redirected to a page -- instead of downloading the malware -- that says, 'This is ransomware, and we stopped it, but these are the kind of things to look for,' where you're given that real-time feedback.

Then, there are companies that essentially do very similar things where they basically run phishing exercises against employees, and if you click on it, you're informed: 'You made a mistake; you've got to do better.' And you get pretty stats and all that kind of stuff and reports actual phishing links.

This approach to use RPZ takes it one step further where it's just enforcing it in DNS at the network level. The key is giving real-time security awareness. We need to do this at the consumer level -- not just for paying customers -- because, at the end of the day, if your employees get compromised at home, it is a workplace security concern because they probably have confidential documents on their laptop. They may be logging in to email or VPN from home, and if the devices are compromised, now their credentials are compromised.

This supports the whole notion that there really is no security perimeter anymore.

Is anyone already implementing this RPZ approach to real-time cybersecurity awareness?

Bambenek: Not security awareness. They do block, and with OpenDNS, they redirect to a page that says, 'This is blocked' because of whatever categorization. They let you know. Quad9 just gives you an NXDOMAIN or something, but it doesn't do security awareness training. OpenDNS gets close because, if you actually try to look up something that is otherwise locked by its policy, it redirects to an IP address it controls.

This idea is to take it much further, and I'm going to talk to Quad9 to see if I can get them to implement it, and I'll probably talk to OpenDNS too.

Does ThreatSTOP have any offerings that use this approach?

Bambanek: We're developing a product that will be a free DNS resolver you can download and put on your laptop with security policy. So, we'll have something free, but it will be installed on the device and travel with you. If you click on malware, it will give you security awareness for that; if you click on phishing, it will give you security awareness for that to really try to improve normal people who are not otherwise protected by enterprise solutions.

So, if I change my DNS servers to use Quad9 or OpenDNS, will I get at least some of the benefits that come from using RPZ for cybersecurity awareness in the way you propose?

Bambanek: You'll be getting protected, but doing RPZ for security awareness takes it one step further because nobody knows 100% of the malicious indicators. If you help encourage people when they click on something by telling them, 'This is a scam, this is ransomware, this is phishing,' you're also using that same opportunity to protect them with nominal extra effort. You're saying, 'Oh, by the way, you didn't go here because this a phishing website. Here is how to spot it; here is how to not make that mistake again.' So, the next time they click on something that might not be covered in a security policy, they know better.

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing