Adventures in open DNS resolution: How to use threat intelligence for the public good

By on 7 Jul 2021

Category: Tech matters

Tags: , , , ,

Blog home

DNS can be considered the forgotten protocol of the Internet. It operates transparently to most users who never give it a moment’s thought, yet it is critical for the Internet to even be usable.

Much of the recent debate around DNS involves DNS-over-HTTPS (DoH).

DoH has the browser issue its own DNS requests over HTTPS. The debate over DoH obscures the role that the DNS can play in protecting the user community, especially for those that can’t afford, or do not have the technical ability, to deploy their own protection.

Read: DOH! DNS over HTTPS explained

While we constantly see news of successful cyberattacks, the security industry knows a great deal about the threat landscape. Many phishing and malware campaigns are broad and, therefore, well represented in threat feeds, blog posts, and community knowledge. CERTs also have a great deal of information from their own research teams.

The information is out there, but how do we apply it on a large scale for the public?

The tricky problem of public resolvers

The problem lies in applying this knowledge to protect currently unprotected user communities. Until we can solve the cybersecurity problem for the user at home, threats will remain a concern even for enterprises, with many having large numbers of work-from-home employees.

Creating and curating this intelligence for use in a large public resolver is not trivial. What can be blocked in a corporate network is not appropriate to block in an open resolver available to the public. That shouldn’t prevent efforts to protect the unprotected user community, however.

Read: DoH the right thing

Automating these systems requires some effort, but intelligent machine learning can be used to look at attributes of domains and hostnames to confidently identify malicious infrastructure. The key to creating these models safely is using it on truly ‘representative’ data, specifically the kind of traffic that open resolvers already see. Most cybersecurity training data sets are composites of ‘approximations’ which can create interesting problems and painful false positives. The key is using DNS resolvers that operate as public-benefit entities.

Trends in DoH security

Going back to DoH, DNS resolution has been trending towards more centralized infrastructure operated by for-profit companies and, if we are being honest, for-profit commercial intelligence agencies. One of the growing security challenges these days is privacy in an era where so much information is being created about everything we do. A public-benefit resolver that operates with a privacy and security mandate, like Quad9, is ideal to both test protection and to provide that protection to otherwise unprotected users.

Attempting to identify threats in an open resolver also has unique benefits. You can:

  • Capture newly observed domains or hostnames
  • Identify fast flux domains
  • Identify malware trends on a geographic basis so CERTs can be more informed of the threat landscape affecting their users
  • Identify victims of DNS cache poisoning
  • Identify malicious infrastructure operating in the jurisdiction of a CERT

One of the key law enforcement and CERT problems is identifying what truly matters to their constituencies ideally before those constituencies call to complain.

While it is possible to sinkhole malicious domains, that also comes with some risks. The largest risk is that victim information is now being sent to a third-party who could technically take over victim machines. The reality is that victim information is big business, with many cyber insurance companies gaining sinkhole data to then use against the victims as part of risk underwriting. Not all sinkholes do this, but seeking private information about victims of cybercrime without a very good reason should make anyone nervous, especially if they are not doing victim notification.

Why should ISPs use public-benefit resolvers?

Using a public-benefit resolver at the ISP level can help ISPs provide protection to their users without operating their own resolvers, and help threat intelligence teams to populate the protection rules. It also tips the balance in the fight over DoH — from large tech companies looking to monetize private data, to entities trying to protect user privacy and security.

In order for this to work, additional partnerships are needed to develop better and more frequent threat intelligence to protect the public. This could involve localizing measures that share information and resources to better protect networks, and users, in other economies. All of us can contribute time, talent, or resources to help make the Internet a safer place for users who would otherwise go unprotected.

Contact me via email at jcb [at] bambenekconsulting [dot] com if you would like to help.

John Bambenek is President of Bambenek Labs, a cybersecurity threat intelligence firm that uses machine-learning to find and track malicious activity on the Internet.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *