Monday, December 30, 2013

Using OpenDNS

One of the main avenues for distributing malware is the Web: an e-mail contains a link, the link is clicked and *bam*, the machine is infected. The mechanism is usually similar across the various strains: the website is accessed, a client-side exploit downloads a piece of malware, which executes and connects to a site to fetch its instructions or drop its payload.

A common theme is the use of DNS to resolve a name to an IP address: some names have hundreds of "A" records, corresponding to as many compromised machines. A freshly infected system will try to resolve one of these names, then connect and proceed as explained above.

Numerous open source initiatives exist to establish lists of these "bad domains" or "malware domains". The most famous is the Malware Domain List, which offers several export formats (csv, hosts, ...) that can be used to generate a DNS or proxy black list, firewall rules and so forth.
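As an added example that is not from the original post, the following Python script turns a hosts-format export such as the one the Malware Domain List provides into block rules for dnsmasq and unbound. The domains in the embedded sample are constructed placeholders, and the layout of the hosts export is assumed to be the standard "IP hostname [hostname ...] [# comment]" form.

```python
import ipaddress
import re

# Constructed sample in hosts-file layout; placeholder domains, not real indicators.
SAMPLE_HOSTS = """\
127.0.0.1  localhost localhost.localdomain
127.0.0.1  malware-drop.example        # exploit kit landing page
127.0.0.1  C2-Node.Example.
127.0.0.1  malware-drop.example        # duplicate entry
garbage    not-an-ip.example
"""

# Conservative hostname check: dotted labels of letters, digits and hyphens.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

def parse_hosts_blocklist(text, skip=("localhost", "localhost.localdomain")):
    """Return sorted, de-duplicated, normalised domains from hosts-format text.
    Malformed lines are skipped so a broken entry cannot poison the output."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # first field must be an IP address
        except ValueError:
            continue
        for host in fields[1:]:  # a hosts line may carry several names
            host = host.lower().rstrip(".")
            if host not in skip and _HOST_RE.match(host):
                domains.add(host)
    return sorted(domains)

def dnsmasq_rules(domains):
    """dnsmasq: answer the domain and every subdomain with 0.0.0.0."""
    return [f"address=/{d}/0.0.0.0" for d in domains]

def unbound_rules(domains):
    """unbound: return NXDOMAIN for the domain and every subdomain."""
    return [f'local-zone: "{d}." always_nxdomain' for d in domains]

if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS)
    print("\n".join(dnsmasq_rules(blocked) + unbound_rules(blocked)))
```

Regenerate the rules on a schedule and reload the resolver, otherwise the block list goes stale as the upstream list changes.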

However, this requires that you either run your own DNS or proxy server, or that your firewall supports an automated way of importing the list, which is not always possible. In addition, such a list covers only malware, with no categorization, and unless you add more tools you have little to no visibility on what is being dropped.

This is where OpenDNS comes into play. The service is presented as a traditional DNS server (two, in fact) that people can use instead of their own servers: as a forwarder in a corporate DNS server, or as the DNS server configured in a small router or on a host. Immediately, resolutions of known malware domains are dropped: OpenDNS instead returns the IP of a server it operates, which informs the user that the attempted resolution was nefarious. This also catches typos (mircosoft.com instead of microsoft.com).

But the real power of OpenDNS starts when you register for an account, even a free one. You then get access to domain filtering by category (have you ever wanted to drop all those adware sites?) and to statistics. Note that statistics collection is disabled by default.

These consist of the number and type of resolutions, presented hourly, the number of unique domains resolved, the list of resolved domains with how many times each was requested over the selected period (a day or several days), and the list of blocked domains with the reason for blocking.

The OpenDNS team is constantly implementing new features, and there is an "idea bank" where users can submit proposals or requests, such as filtering based on the geolocation of the returned IP, or more logging and alerting.

But what good does it do if the only thing you can see is that "a machine in your network has attempted to resolve a known bad name"? That is why they have developed an agent to install on the end machine: it forces resolution to go through OpenDNS and provides additional information, allowing quick identification of the affected systems.

OpenDNS also offers other services, such as a web filtering proxy and more.

All in all, this is a really nice service to use. It is not expensive at all and can really complement a security solution by providing an additional filtering layer.