
Right now, scores of people around the world are registering new Internet domain names. Some of them will use a service to provide a mailbox and website for them, others are registering in bulk, and a select few are registering domain names for nefarious purposes. The bad actors hope that they’ll be able to sneak into your network, often with stolen credit card numbers and false WHOIS data, and deliver or serve spam or malware before reputation services and DNSBLs catch up with them.
Here at Farsight Security, we’ve found that refusing traffic from new domains for a brief time is a very effective tool for protecting your network. The vast majority of good guys with reputable domains have no need to deliver email or serve web pages immediately after purchasing a domain name. Bad actors rely on the first few minutes after purchase, before their credit card is declined or their WHOIS data is flagged as bogus. Farsight has consistently found that when a network blocks the newest of the new for a short time, nothing of value is lost but instead much is gained in the way of security.
To that end, Farsight provides a service called Newly Observed Domains (NOD). When we say a domain is “new”, we mean that Farsight’s vast passive DNS sensor network hasn’t seen the domain in DNS since June 2010 nor has it been previously seen in a zone file we obtained via the ZFA programs. Our feed of constantly updating sensors lets us find new domains, usually within a minute of their first appearance in the global DNS. Compare this to zone files, which are usually downloaded every 24 hours.
We have distributed NOD to organizations via The RBL DNS Daemon (rbldnsd) and as part of our Security Information Exchange (SIE) on channel 212. Now we are offering NOD as a Response Policy Zone (RPZ). RPZ is used in your recursive resolver and is best described as a DNS Firewall. Servers able to support RPZ include BIND 9, BlueCat DNS, and InfoBlox DNS Firewall. The big advantage of RPZ over rbldnsd is that RPZ allows a name server to act as a DNS firewall for incoming traffic and make decisions based on hostname, domain, IP address, or name server. RPZ generally makes it easy to block access to your network given whatever criteria you wish. With NOD RPZ in particular, you can automatically block newly observed domain names from being accessed for a period of time that you determine, based on length of time from first observation. Farsight offers pre-configured thresholds from five minutes to 24 hours. We do not recommend blocking new domains longer than 24 hours, since this can interfere with or prevent legitimate traffic, and 24 hours is plenty of time for other services such as DNSBLs and reputation services to catch any bad behavior.
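To make the age-threshold mechanism concrete, here is an added illustration written for this page; it is not Farsight's code and does not use the real NOD feed or RPZ format that Farsight ships. The feed lines, the zone name `nod.rpz.example`, the ten-minute window and every domain below are constructed assumptions. The script keeps only domains first observed less than a chosen number of minutes ago, treats a timestamp slightly in the future (clock skew between sensor and resolver) as "just observed", lets older domains age out, and renders the survivors as a standard RPZ zone in which a CNAME to the root (`.`) tells the resolver to answer NXDOMAIN for the domain and all of its subdomains.

```python
"""Age-based RPZ generation for newly observed domains.

Added example, not Farsight's code: the feed format, the zone name, the
block window and every domain below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample feed: one "domain,first_observed" record per line,
# timestamps in UTC ISO 8601. Not real NOD data.
SAMPLE_FEED = """\
# domain,first_observed
fresh-brand-0001.example,2024-05-01T12:00:30Z
fresh-brand-0002.example,2024-05-01T11:58:00Z
older-site.example,2024-05-01T06:00:00Z
Mixed.Case.Example.,2024-05-01T12:03:00Z
clock-skew.example,2024-05-01T12:06:00Z
"""


def normalize_domain(name):
    """Lower-case and strip the trailing dot so owner names are relative."""
    return name.strip().lower().rstrip(".")


def parse_timestamp(text):
    """Parse an ISO 8601 UTC timestamp; accept a trailing 'Z' on older Pythons."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def parse_feed(text):
    """Return {domain: first_observed} from the constructed feed format."""
    observations = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain, first_seen = line.split(",", 1)
        observations[normalize_domain(domain)] = parse_timestamp(first_seen)
    return observations


def domains_to_block(observations, now, max_age):
    """Sorted list of domains first seen less than max_age ago.

    A timestamp in the future (sensor/resolver clock skew) counts as
    "just observed" and is still blocked; a domain older than max_age
    has aged out and is released.
    """
    blocked = []
    for domain, first_seen in observations.items():
        age = max(now - first_seen, timedelta(0))
        if age < max_age:
            blocked.append(domain)
    return sorted(blocked)


def blocked_domains_from_feed(feed_text, now_iso, max_age_minutes):
    """Convenience wrapper: feed text + evaluation time + window in minutes."""
    return domains_to_block(parse_feed(feed_text), parse_timestamp(now_iso),
                            timedelta(minutes=max_age_minutes))


def rpz_records(domain):
    """RPZ policy records for one domain.

    Owner names are relative to the RPZ zone apex. A CNAME to the root
    (".") is the RPZ action that makes the resolver answer NXDOMAIN; the
    wildcard record extends the policy to every subdomain.
    """
    return [f"{domain} CNAME .", f"*.{domain} CNAME ."]


def build_rpz_zone(zone_name, serial, blocked, ttl=60):
    """Render a complete RPZ zone file for the blocked domains.

    SOA/NS values are placeholders. The TTL is kept short on purpose: a
    domain that ages out of the block window should stop being blocked
    as soon as the resolver reloads the zone, not after a long cache life.
    """
    zone = zone_name.rstrip(".") + "."
    lines = [
        f"$ORIGIN {zone}",
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.{zone} {serial} 1800 900 604800 {ttl}",
        "@ IN NS localhost.",
    ]
    for domain in blocked:
        lines.extend(rpz_records(domain))
    return "\n".join(lines) + "\n"


def policy_record_count(zone_text):
    """Number of policy (non-apex) records in a rendered zone."""
    return sum(1 for line in zone_text.splitlines() if " CNAME " in line)


if __name__ == "__main__":
    # Hypothetical evaluation time and a ten-minute block window.
    now = "2024-05-01T12:05:00Z"
    blocked = blocked_domains_from_feed(SAMPLE_FEED, now, 10)
    serial = int(parse_timestamp(now).timestamp())
    print(build_rpz_zone("nod.rpz.example", serial, blocked))
```

With the constructed input, the ten-minute window blocks the four domains seen in the last few minutes and releases `older-site.example`, which was first observed six hours earlier; widening the window to 24 hours (the longest threshold the post recommends) would include it again. A zone produced this way is attached to BIND 9 with a `response-policy { zone "nod.rpz.example"; };` clause and must be regenerated and reloaded at least as often as the shortest threshold you rely on: a five-minute window enforced by a zone that is refreshed hourly blocks nothing useful.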
If NOD RPZ sounds like a fit for your organization or you would like more information, please contact Farsight Security Sales at [email protected].
Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.