The DNS, the address book of the internet, has long been plagued by malicious domains with little hope for effective recourse against this abuse by its bookkeepers: the registrars. ESET brings its protective technology to bear on this pestilence.
Since the early 1980s, the Domain Name System (DNS) has been used to look up the Internet Protocol (IP) addresses of domain names, which are now probably best known as what gets typed into a browser address bar but are also widely queried by applications. For most internet users, the work that the DNS performs likely goes completely unnoticed, yet nearly all our activities on the internet begin with a DNS lookup. Monitoring DNS lookups can provide a comprehensive view into the traffic flowing through devices and is a critical point of security control.
Testing threat intelligence data for DNS protection
Filtering out malicious and suspicious domains is a constant battle to stay protected. Ideally, malicious domains would never be registered in the first place or at least quickly detected and dealt with by delisting, blocking access to, or redirecting traffic away from them (aka sinkholing them). However, registering a new or recycled domain name under a false identity is a fast, simple, and cheap process that has allowed various threats to scale up quickly.
Malicious domains: a growth industry
The dangers range much further than mistyping domain names and accidentally navigating to a malicious site “typosquatting” a well-known domain name. Threat actors can register new malicious domains en masse for widespread phishing campaigns, possibly using homoglyphs to bamboozle all but the most vigilant. Compromised devices can reach out to command and control servers overseeing their botnets for the next malicious command. Data can be stolen by malware and sent off to a malicious domain.
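To make the typosquatting and homoglyph problem concrete, here is an added example of the kind of lookalike check a defender can run over newly registered domain names before they reach a blocklist decision. It is not ESET code: the protected-domain list, the confusables table and the sample names are constructed for illustration, and the confusables table is deliberately tiny (Unicode's own confusables data is far larger). It reduces each name to an ASCII "skeleton" (decoding punycode labels, stripping accents, mapping lookalike characters) and then measures edit distance, counting a swapped pair of letters as one edit.

```python
import unicodedata

# Constructed watch list of domains to protect (assumed sample, not a real feed).
PROTECTED = ["example.com", "examplebank.com"]

# Constructed, deliberately small table of visually confusable characters.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0131": "i",  # Latin dotless i
    "\u0142": "l",  # Latin l with stroke
    "0": "o",       # digit zero
    "1": "l",       # digit one
}
# Character pairs that together imitate a single letter.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(domain):
    """Lossy ASCII form of a domain used only for comparison, never for lookup."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")  # punycode -> Unicode
            except (UnicodeError, ValueError):
                pass  # undecodable label is compared as-is
        # NFKD turns fullwidth/compatibility forms into base letters; drop accents.
        label = "".join(c for c in unicodedata.normalize("NFKD", label)
                        if not unicodedata.combining(c))
        for seq, repl in MULTI_CONFUSABLES.items():
            label = label.replace(seq, repl)
        label = "".join(CONFUSABLES.get(c, c) for c in label)
        labels.append(label)
    return ".".join(labels)


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_lookalikes(candidate, protected=PROTECTED, max_distance=1):
    """Return (protected_domain, distance, reason) for each brand the candidate imitates."""
    skel = skeleton(candidate)
    hits = []
    for brand in protected:
        if skel == brand:
            if candidate.lower() != brand:  # identical skeleton but different spelling
                hits.append((brand, 0, "homoglyph"))
            continue
        distance = osa_distance(skel, brand)
        if 0 < distance <= max_distance:
            hits.append((brand, distance, "typo"))
    return hits


if __name__ == "__main__":
    # Constructed sample names: digit-one homoglyph, 'rn' imitating 'm',
    # a Cyrillic 'e' in punycode form, a transposition and a dropped TLD letter.
    for name in ["examp1e.com", "exarnple.com",
                 "\u0435xample.com".encode("idna").decode("ascii"),
                 "exampel.com", "example.co", "unrelated.org"]:
        print(name, "->", find_lookalikes(name))
```

Skeletons are one-way and lossy (a legitimate "savvy" would become "sawy"), so they belong in a scoring pipeline that feeds human review or a reputation system, not in a hard block rule on their own.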
A particular challenge arises when legitimate domains are compromised and entered into blocklists as malicious. The operators of such domains have the burden of rooting out the source of the compromise and requesting removal from any blocklists. This scenario often arises when hosting providers that detect malicious activity automatically suspend clients’ accounts. On the other hand, there are some bulletproof hosting providers that publicly wash their hands of the potential malicious or illicit use of their services, providing a safe harbor for both would-be and career criminals.
According to Verisign, which manages the infrastructure of the .com and .net top-level domains (TLDs), 341.7 million new domain names were registered in Q4 2021 across all TLDs, excluding the .tk (Tokelau), .cf (Central African Republic), .ga (Gabon), .gq (Equatorial Guinea), and .ml (Mali) TLDs operated by Freenom due to lack of verifiable data. Considering that, on average, over 3.7 million new domain names are being registered every day that need to be analyzed for malicious behavior, in addition to existing domains that can become compromised or only show their malicious intent later, the need for robust technological solutions to handle this threat vector is paramount.
The economics of domain names
According to several analyses made over the years – [1], [2], and [3] – the five TLDs run by Freenom typically feature highly among the top TLDs used for phishing and malware because no fee is charged to register a new domain. This reveals how favorable the economics of domain names is to malicious actors.
Domain names can be created and thrown away every day by the millions because there is little to no accountability or cost for the people who register them. Each registrar makes its own rules and it is an easy matter to find those that do not use stringent methods to verify the identities and addresses of registrants, and that charge little to nothing for registering domain names, sometimes even making an API available to allow for the automated registration of domain names at scale.
Although the WHOIS protocol was developed to allow easy querying of registrar databases for the identities and addresses of registrants, there are several hurdles to identifying malicious registrants. Some registrars offer privacy services to hide registrant information, and some local privacy laws even mandate this. Even worse, when dealing with overtly malicious domains, any personally identifiable information that might be available via a WHOIS query is likely false. Indeed, even the credit card used to pay for such domain registrations is probably a stolen one. Contacting a registrar to take down a malicious domain can take days, while criminals can carry on their malicious campaigns with new domain names in minutes.
Filtering network traffic for security
The response from the security industry to the abuse of the DNS has been to build automated systems that continually analyze domains for malicious behavior and to create domain blocklists. These lists are then fed into various security products and threat intelligence data feeds to better inform security decisions about allowing connections to specific domains. For example, the anti-phishing database maintained for ESET security products is updated every 20 minutes so that customers can receive protection against the latest phishing websites.
Filtering network traffic against blocklists is no stranger among the security practices of internet service providers (ISPs) and network administrators. Indeed, this is the very task that firewalls have been put to since the mid-1980s: decapsulate the packets that reach the firewall; look at the IP addresses, the domain names, the protocols, and the port numbers; and if anything is on a blocklist, appears suspicious, or is a communication forbidden by the firewall’s administrators, then block it or raise a warning flag.
With the right fine-tuning, network and endpoint firewalls can be effective as they work in both directions, hindering both external and internal actors from sending packets either into or out of networks and devices. This helps limit the spread of malicious packets and the leak of confidential data no matter the direction or source. A DNS firewall works a little differently as it allows DNS lookups and overrides answers identified as malicious or otherwise undesirable with “not found” or “access denied” messages.
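The blocklist matching of the preceding section and the DNS firewall behaviour just described can be shown together in code. The following is an added example and not ESET's product, feed or code: it parses a DNS query from its wire bytes, matches the queried name and each of its parent domains against a constructed sample blocklist, and then either returns nothing (meaning the query is allowed and should be forwarded to an upstream resolver) or synthesises the "not found" (NXDOMAIN) answer the text mentions, optionally with a sinkhole A record instead. The blocklist entries, the transaction id and the 192.0.2.1 sinkhole address (from the documentation range) are constructed placeholders.

```python
import socket
import struct

# Constructed sample blocklist (assumed entries, not a real threat feed).
BLOCKLIST = {"malicious.example", "phish.example"}


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a wire-format name at offset; follows compression pointers, returns (name, end)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            if end is None:
                end = offset + 2  # reading resumes after the first pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_query(msg):
    """Parse the header and the single question of a DNS message."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": msg[12:off + 4]}


def build_query(name, qtype=1, txid=0x1234):
    """Build a standard recursive query (used here to construct sample input)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def is_blocked(qname, blocklist):
    """True if qname or any parent domain is listed; matches only on label boundaries."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def policy_response(query, blocklist=BLOCKLIST, sinkhole_ip=None):
    """Return None to forward the query upstream, or a synthesised response for a listed name."""
    q = parse_query(query)
    if not is_blocked(q["qname"], blocklist):
        return None
    opcode_rd = q["flags"] & 0x7900             # keep the client's opcode and RD bits
    if sinkhole_ip is None or q["qtype"] != 1:  # only A queries get a sinkhole address
        flags = 0x8000 | opcode_rd | 0x0080 | 3  # QR=1, RA=1, RCODE=3 (NXDOMAIN)
        return struct.pack("!6H", q["id"], flags, 1, 0, 0, 0) + q["question"]
    flags = 0x8000 | opcode_rd | 0x0080          # NOERROR with one answer
    # Answer: pointer to the question name (offset 12), type A, class IN, TTL 60, 4-byte rdata.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return struct.pack("!6H", q["id"], flags, 1, 1, 0, 0) + q["question"] + answer


def rcode(response):
    """Response code from the low four bits of the flags word."""
    return response[3] & 0x0F


def answered_address(response):
    """First A record address of a one-question, one-answer response (None if not an A record)."""
    _, off = decode_name(response, 12)
    off += 4  # skip QTYPE and QCLASS
    _, off = decode_name(response, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    return socket.inet_ntoa(response[off:off + rdlen]) if rtype == 1 else None


if __name__ == "__main__":
    for name in ["www.example.org", "cdn.malicious.example", "notmalicious.example"]:
        resp = policy_response(build_query(name))
        print(name, "->", "forward upstream" if resp is None else "RCODE %d" % rcode(resp))
    print(answered_address(policy_response(build_query("phish.example"), sinkhole_ip="192.0.2.1")))
```

In a real deployment the `None` branch is where the query is relayed to the upstream resolver and the answer cached; the matching function is what a feed update replaces, and the label-boundary check in `is_blocked` is what keeps a listing of `malicious.example` from also catching `notmalicious.example`.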
DNS filtering requires partnership
In one sense, the use of firewalls and blocklists to deny access to malicious domains can create a false sense of security. With persistent effort there is almost always some loophole to bypass firewall filters, typically via a Virtual Private Network (VPN) or the Tor Browser.
Since a DNS firewall is tied to a DNS server, to bypass its filters it is possible to change the DNS server you are using. While it is possible to run your own DNS server and filters at home or locally, many internet users are likely using the default DNS server and filters provided by their ISP. A simple search for “public DNS servers” in a search engine reveals a host of popular free and paid alternatives, some offering varying levels of protection against phishing sites and malware.
This means that the successful application of a DNS filtering solution depends critically on the willingness of internet users to enter into a partnership with their selected DNS provider and to choose not to circumvent the offered protection.
Protective DNS with ESET NetProtect
The need for improved security of the DNS has led in some places to mandating PDNS (Protective DNS), an acronym referring to DNS filtering. For instance, since 2020, US Department of Defense (DoD) contractors have been required to earn Cybersecurity Maturity Model Certification (CMMC), which, among other requirements, stipulates DNS filtering to achieve Level 3 out of the five levels. Moreover, at the end of 2021, the DoD set in motion CMMC 2.0, with the repositioning of DNS filtering yet to be seen.
The PDNS market features many vendors offering DNS filtering with different levels of domain feed quality and accompanying security services. ESET offers a unique contribution, one sourced from threat data shared by millions of customers around the world using ESET security products. With 35 years of providing security and developing and fine-tuning internal systems to provide high-quality domain feeds for DNS filtering, ESET is positioned to provide ISPs and home admins a distinctive source of protection.
Perhaps you are an ISP looking to bid for government contracts, or to provide unique protection for your own network or as a security service to your customers? Or perhaps you are a home user looking for better security than is provided by your ISP that can be easily extended to all users and guests of your home network? Whatever your case might be, inquiring about the filtering in place for a DNS server and which entity you are entrusting your DNS security to is no small step toward deflecting the tide of malicious domains proliferating on the internet.
ESET NetProtect is the DNS filtering solution available for home users at ISPs that have partnered with ESET. The solution is capable of detecting and blocking domains that deliver malware, are used for phishing, have a suspicious reputation, or serve potentially unwanted content. ESET NetProtect also offers a configurable web content filter with 35 categories that customers can select from to block content by age group.
For more information about ESET NetProtect and ISP partnerships, visit our product page here.