NOD as a DNS Response Policy Zones Firewall
Farsight Security® Inc.’s (now a part of DomainTools) Newly-Observed Domains (NOD) feed is available as Response Policy Zones (RPZ) which may be used to implement DNS firewalls.
Farsight Security processes hundreds of thousands of DNS resolutions per second. It maintains a massive database of the domain names it has observed, and any domain name seen for the first time is fed into the NOD service. It is common practice for malicious actors to register and use new domains for short-lived abuse in order to avoid detection.
A Response Policy Zone contains DNS records that describe simple DNS firewall rules and actions to perform. These are described using standard DNS records.
The Farsight RPZ rules match only against the newly-observed domain name and a DNS wildcard for it (for any record type). The only action defined in the Farsight RPZ is to return NXDOMAIN for any query for that domain name (or any name under it), indicating that it does not exist. This makes the new domain name fail to resolve, effectively disabling its use by clients of any DNS resolver that applies the RPZ feed.
Farsight Response Policy Zones
Farsight publishes seven RPZ zones covering increasing windows of time since the newly-observed domain was first identified. The time periods are: 5 minutes, 10 minutes, 30 minutes, 1 hour, 3 hours, 12 hours, and 24 hours. The number of new domains ranges from a few hundred in the five-minute zone to a few hundred thousand in the day-long zone. These zones are updated every minute to add new entries and to expire old ones.
The RPZ zones are normal DNS zones. Customers configure their name server as a secondary zone (aka slave) for one or more RPZ feeds. The initial zone transfer uses the DNS AXFR protocol and then later updates may use IXFR (incremental) transfers. Farsight’s name server can send DNS NOTIFY messages to the customer’s name servers when it has RPZ updates for near-real-time updates. This communication is authenticated and secured using DNS TSIG.
The DNS Firewall rules as provided by Farsight Security are stored using DNS records within a DNS zone. The SOA record’s serial number is the timestamp of the last zone file update as represented in Unix Epoch time format (number of seconds since Jan. 1, 1970 00:00:00 UTC).
The RPZ specification is in a work-in-progress Internet Draft (https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00).
While the DNS Response Policy Zones (RPZ) specification has several policy triggers and actions, the Farsight Security RPZ zones only use the QNAME Trigger (including wildcards) and the NXDOMAIN Action.
Sample Data Structure
An example hosted by Farsight Security is:
sebaceoushelp.com IN CNAME . ; first_seen=1533314880
*.sebaceoushelp.com IN CNAME . ; first_seen=1533314880
And the transferred records:
sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME .
*.sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME .
(Note that the comments are not part of the DNS and aren’t transferred along with the zone updates.)
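The following is an added example, not Farsight's or DomainTools' code, modelling how a resolver applies a NOD feed using the only two RPZ features the feed relies on: the QNAME trigger (the exact name plus its wildcard) and the NXDOMAIN action, encoded as a CNAME to the root ".". It parses both the hosted form (relative names with first_seen comments) and the transferred form (fully-qualified names under the feed zone, no comments) into the same rule set and then answers queries against it. The sample zone text is constructed from the document's example domain; the SOA line and its mname/rname are placeholders.

```python
"""Added example (not Farsight's or DomainTools' code): parse NOD RPZ rules and
apply the QNAME trigger / NXDOMAIN action the way a policy-aware resolver does."""
from typing import Dict, Optional

# Constructed sample: the hosted file form (relative names, first_seen comments).
SAMPLE_HOSTED = """\
sebaceoushelp.com IN CNAME . ; first_seen=1533314880
*.sebaceoushelp.com IN CNAME . ; first_seen=1533314880
"""

# Constructed sample: what arrives via AXFR/IXFR for the 24h feed (no comments).
# The SOA record is a placeholder; its serial is the document's example epoch time.
SAMPLE_TRANSFERRED = """\
24h.rpz.dns-nod.net. 300 IN SOA ns.rpz.invalid. hostmaster.rpz.invalid. 1533314880 600 300 86400 300
sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME .
*.sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME .
"""


def parse_rpz_rules(zone_text: str, origin: str = "") -> Dict[str, str]:
    """Return {trigger_name: action} for the QNAME-trigger rules in an RPZ zone.

    origin is the feed zone name (e.g. "24h.rpz.dns-nod.net.") for transferred
    records, or "" for the hosted file where names are relative. Only the
    CNAME-to-root rule is accepted because NXDOMAIN is the sole action the NOD
    feeds use; any other rdata is reported rather than silently applied.
    """
    rules: Dict[str, str] = {}
    suffix = "." + origin if origin else ""
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a zone-file comment
        if not line:
            continue
        tokens = line.split()
        if len(tokens) > 1 and tokens[1].isdigit():
            del tokens[1]                     # TTL is optional in the hosted file
        if len(tokens) < 4 or tokens[1] != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        owner, rtype, rdata = tokens[0], tokens[2], " ".join(tokens[3:])
        if rtype != "CNAME":
            continue                          # SOA/NS housekeeping, not policy
        if suffix:
            if not owner.endswith(suffix):
                raise ValueError(f"record outside zone origin: {owner}")
            trigger = owner[: -len(suffix)]   # strip ".<origin>", keep any "*."
        else:
            trigger = owner.rstrip(".")
        if rdata != ".":
            raise ValueError(f"unexpected RPZ action for {trigger}: {rdata}")
        rules[trigger.lower()] = "NXDOMAIN"
    return rules


def rpz_lookup(qname: str, rules: Dict[str, str]) -> Optional[str]:
    """Apply the QNAME trigger: an exact rule wins, otherwise the closest
    enclosing wildcard rule, so "*.example.com" covers every name below
    example.com at any depth. Returns the action or None when untriggered."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        action = rules.get("*." + ".".join(labels[i:]))
        if action is not None:
            return action
    return None


def answer(qname: str, rules: Dict[str, str], upstream_rcode: str = "NOERROR") -> str:
    """Rcode a policy-applying resolver returns: the RPZ action overrides the
    upstream answer for triggered names; everything else passes through."""
    return rpz_lookup(qname, rules) or upstream_rcode


if __name__ == "__main__":
    feed_rules = parse_rpz_rules(SAMPLE_TRANSFERRED, "24h.rpz.dns-nod.net.")
    for q in ("sebaceoushelp.com", "www.sebaceoushelp.com", "example.com"):
        print(q, "->", answer(q, feed_rules))
```

Because the feed expires entries after the zone's time window, the same lookup returns NOERROR for a domain once its record has been removed by an IXFR; the parser should therefore be re-run against the current zone contents rather than cached indefinitely.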
Common deployments using the Farsight-enabled RPZ zones as a DNS firewall include: mail servers to reject incoming emails from NOD senders, spam filters to score and/or reject emails containing links to NOD websites, and for web browsers to stop access to very new websites.
The one-day period should be long enough for various reputation services to analyze the new domain to see if it has legitimate use. With the different time-based RPZ zones, customers may experiment and choose the best feed to match their needs.
Farsight’s NOD offerings also include DNSBL blacklist feeds as DNS zone files and a DNSBL service queried via normal DNS queries.
Typical use cases of the RPZ feeds are:
- Mail servers to reject incoming emails from NOD senders, per the standard SMTP server rule of rejecting emails from senders whose domains do not resolve
- Spam filters to score and/or reject emails containing links to NOD websites or using NOD domains in email headers
- Email account authentication to prevent signups using brand-new domain names
- Loading the feeds into a standard DNS resolver so that web browsers and other client applications cannot reach new websites or services using new domain names
The RPZ feeds are only accessible via DNS zone transfers. Access is restricted to customer-provided IP addresses and requires TSIG with a pre-assigned HMAC-SHA512 key.
Farsight does not provide a DNS server for continual queries utilizing the RPZ feed. (Farsight does for DNSBL though, based on the same NOD data.)
Customers may provide one or more IP addresses of a DNS server that can handle DNS NOTIFY messages to speed up the transfers. The zone file’s refresh timer is set to ten minutes. If a zone refresh fails, it will retry every five minutes (until the zone expires after one day). Depending on the feeds, DNS NOTIFY messages may arrive a few times a minute to prompt the server to refresh the zone for updates.
This service is data transferred onto a customer’s DNS servers, so there is no additional hardware requirement.
The amount of data in the feed will vary over time.
The IXFR zone transfers may happen a few times a minute, depending on which RPZ feed is enabled. For example, the one-hour or 24-hour feeds may have incremental transfers from 20 records (666 bytes) to 8822 records (189652 bytes). The following is a snapshot of typical zone file sizes:
  Size   Zone                   NOD entries
  53K    5m.rpz.dns-nod.net        456
  110K   10m.rpz.dns-nod.net       931
  392K   30m.rpz.dns-nod.net      3416
  823K   1h.rpz.dns-nod.net       7280
  2.3M   3h.rpz.dns-nod.net      21062
  16M    12h.rpz.dns-nod.net    151147
  24M    24h.rpz.dns-nod.net    223710
The RPZ technology is commonly used in a caching recursive nameserver. It is supported in ISC’s BIND named, the Knot DNS Resolver, and the PowerDNS Recursor.
The NOD feeds do contain legitimate, non-malicious domains. Applying the RPZ rules makes those domains inaccessible by name for the time window of the chosen RPZ feed.
Support & Resources
Farsight Security will provide configuration examples for BIND, using either its native RPZ support or FastRPZ. This configuration will include the IP addresses of the Farsight Security name servers to communicate with and the associated private shared secret for accessing the zone(s).
Additionally, Farsight Security provides a proprietary technology called FastRPZ as an alternative. It provides an interface for a custom Unbound (via a patch shipped with Unbound) and a specially built BIND (using the DNS Response Policy Service API). FastRPZ provides a simple DNS transfer server to maintain the RPZ feeds and hooks for the resolving name server to trigger and act on the DNS firewall rules.
The RPZ feeds include a testing record which may be used for verifying a working RPZ setup. A DNS query for test.dns-nod.net should result in an NXDOMAIN with an SOA indicating it came from a specific RPZ (with the epoch timestamp in the SOA).
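The check below is an added example, not Farsight's or DomainTools' code, that turns the test-record procedure above into a health check a resolver operator can run: it takes dig-style response text for test.dns-nod.net, confirms the rcode is NXDOMAIN, locates the SOA that names the RPZ feed which produced the rewrite, and reads the SOA serial as the Unix-epoch time of the last feed update, judging freshness against the SOA's own refresh and expire timers (ten minutes and one day in the document). The three response samples are constructed, not captured output; SOA mname/rname values, ids and the 192.0.2.1 address are placeholders.

```python
"""Added example (not Farsight's or DomainTools' code): verify the RPZ test record
answer and judge feed freshness from the SOA serial (a Unix-epoch timestamp)."""
import re
import sys
import time
from typing import Dict, Optional

FEED_SUFFIX = ".rpz.dns-nod.net."          # every NOD feed zone ends with this

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+\d+",
    re.MULTILINE,
)

# Constructed sample: the expected result, an RPZ rewrite to NXDOMAIN carrying
# the 24h feed's SOA (serial = epoch of last update; refresh 600, retry 300, expire 86400).
SAMPLE_RPZ_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;test.dns-nod.net.              IN      A

;; AUTHORITY SECTION:
24h.rpz.dns-nod.net.    300     IN      SOA     ns.rpz.invalid. hostmaster.rpz.invalid. 1533314880 600 300 86400 300
"""

# Constructed sample: the resolver answered normally, so no policy was applied.
SAMPLE_NO_POLICY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
test.dns-nod.net.       300     IN      A       192.0.2.1
"""

# Constructed sample: an NXDOMAIN from the authoritative zone, not from an RPZ.
SAMPLE_AUTH_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
dns-nod.net.            300     IN      SOA     ns.example.invalid. hostmaster.example.invalid. 2018080301 3600 600 604800 300
"""


def check_rpz_test_response(dig_output: str, now: Optional[int] = None) -> Dict[str, object]:
    """Classify a response for test.dns-nod.net. 'now' (epoch seconds) can be
    injected for deterministic checks and defaults to the current time."""
    now = int(time.time()) if now is None else now
    m = STATUS_RE.search(dig_output)
    result: Dict[str, object] = {
        "status": m.group(1) if m else "UNKNOWN",
        "feed": None, "serial": None, "age_s": None, "verdict": None,
    }
    if result["status"] != "NXDOMAIN":
        result["verdict"] = "rpz-not-applied"        # resolver answered normally
        return result
    soa = next((s for s in SOA_RE.finditer(dig_output)
                if s.group("zone").lower().endswith(FEED_SUFFIX)), None)
    if soa is None:
        result["verdict"] = "nxdomain-not-from-rpz"  # authoritative NXDOMAIN, no policy
        return result
    serial = int(soa.group("serial"))
    age = now - serial                               # serial is the last-update epoch time
    result["feed"] = soa.group("zone")[: -len(FEED_SUFFIX)]
    result["serial"] = serial
    result["age_s"] = age
    if age < 0:
        result["verdict"] = "clock-skew"             # serial claims a future update
    elif age > int(soa.group("expire")):
        result["verdict"] = "feed-expired"           # older than the SOA expire timer
    elif age > int(soa.group("refresh")):
        result["verdict"] = "feed-stale"             # an update missed the refresh window
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    # Pipe real output in, e.g.: dig test.dns-nod.net @<your resolver> | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPZ_NXDOMAIN
    print(check_rpz_test_response(text))
```

A "feed-stale" verdict with an otherwise working resolver usually points at NOTIFY or zone-transfer problems (blocked source addresses or a TSIG mismatch) rather than at the RPZ configuration itself, since the policy is still being applied but from old data.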