The DNS, the address book of the internet, has long been plagued by malicious domains, with little hope of effective recourse against this abuse from its bookkeepers, the registrars. ESET brings its protective technology to bear on this pestilence.
Since the early 1980s, the Domain Name System (DNS) has been used to look up the Internet Protocol (IP) addresses of domain names. It is now probably best known for the names typed into browser address bars, but it is queried just as widely by applications. For most internet users, the work that the DNS performs likely goes completely unnoticed, yet nearly all our activities on the internet begin with a DNS lookup. Monitoring DNS lookups can therefore provide a comprehensive view of the traffic flowing through devices and is a critical security control point.
Testing threat intelligence data for DNS protection
Filtering out malicious and suspicious domains is a constant battle to stay protected. Ideally, malicious domains would never be registered in the first place or at least quickly detected and dealt with by delisting, blocking access to, or redirecting traffic away from them (aka sinkholing them). However, registering a new or recycled domain name under a false identity is a fast, simple, and cheap process that has allowed various threats to scale up quickly.
Malicious domains: a growth industry
The dangers range much further than mistyping a domain name and accidentally landing on a malicious site that is “typosquatting” a well-known domain name. Threat actors can register new malicious domains en masse for widespread phishing campaigns, possibly using homoglyphs to bamboozle all but the most vigilant. Compromised devices can reach out to command and control servers overseeing their botnets for the next malicious command. Data can be stolen by malware and sent off to a malicious domain.
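The typosquatting and homoglyph tricks above can be caught on the defensive side by reducing a newly seen domain to an ASCII “skeleton” and comparing it with a watchlist of protected brands. The following is an added example, not code from the article or from ESET; the watchlist, the confusable table and the brand name examplebank are constructed for illustration, and the TLD is assumed to be a single label.

```python
import unicodedata
from typing import Optional

# Constructed watchlist of protected second-level labels (not ESET data).
WATCHLIST = {"examplebank"}

# Small constructed confusable table (Cyrillic/Turkic look-alikes and digits);
# a real deployment would load the full Unicode confusables data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0131": "i",
               "0": "o", "1": "l", "|": "l"}

def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of a Unicode domain, as it appears in DNS and logs."""
    return domain.lower().encode("idna").decode("ascii")

def registrable_label(domain: str) -> str:
    """Decode IDNA and return the label left of the TLD (assumes a single-label TLD)."""
    labels = domain.lower().rstrip(".").encode("idna").decode("idna").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def skeleton(label: str) -> str:
    """ASCII skeleton: compatibility-normalize, map confusables, strip accents."""
    out = []
    for ch in unicodedata.normalize("NFKC", label.lower()):
        ch = CONFUSABLES.get(ch, ch)
        out.append(unicodedata.normalize("NFD", ch)[0])  # keep base letter, drop accent
    return "".join(out)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> Optional[str]:
    """Flag a domain imitating a watchlisted brand; None for the brand itself or unrelated names."""
    label = registrable_label(domain)
    if label in WATCHLIST:
        return None
    sk = skeleton(label)
    for brand in WATCHLIST:
        if sk == brand:
            return f"homoglyph of {brand}"
        if min(edit_distance(label, brand), edit_distance(sk, brand)) <= 1:
            return f"typosquat of {brand}"
    return None
```

Short brand names produce many distance-1 false positives, so a production filter would weight the typosquat rule by label length and registration age.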
A particular challenge arises when legitimate domains are compromised and entered into blocklists as malicious. The operators of such domains have the burden of rooting out the source of the compromise and requesting removal from any blocklists. This scenario often arises when hosting providers that detect malicious activity automatically suspend clients’ accounts. On the other hand, some bulletproof hosting providers publicly wash their hands of the potential malicious or illicit use of their services, providing a safe harbour for both would-be and career criminals.
According to Verisign, which manages the infrastructure of the .com and .net top-level domains (TLDs), 341.7 million new domain names were registered in Q4 2021 across all TLDs, excluding the .tk (Tokelau), .cf (Central African Republic), .ga (Gabon), .gq (Equatorial Guinea), and .ml (Mali) TLDs operated by Freenom due to lack of verifiable data. Considering that, on average, over 3.7 million new domain names are being registered every day that need to be analysed for malicious behaviour, in addition to existing domains that can become compromised or only show their malicious intent later, the need for robust technological solutions to handle this threat vector is paramount.
The economics of domain names
According to several analyses made over the years – [1], [2], and [3] – the five TLDs run by Freenom typically feature highly among the top TLDs used for phishing and malware because no fee is charged to register a new domain. This reveals how favourable the economics of domain names is to malicious actors.
Domain names can be created and thrown away every day by the millions because there is little to no accountability or cost for the people who register them. Each registrar makes its own rules, and it is an easy matter to find those that do not use stringent methods to verify the identities and addresses of registrants and that charge little to nothing for registering domain names, sometimes even making an API available to allow for the automated registration of domain names at scale.
Although the WHOIS protocol was developed to allow easy querying of registrar databases for the identities and addresses of registrants, there are several hurdles to identifying malicious registrants. Some registrars offer privacy services to hide registrant information, and some local privacy laws even mandate this. Even worse, when dealing with overtly malicious domains, any personally identifiable information available via a WHOIS query is likely false. Indeed, even the credit card used to pay for such domain registrations is probably a stolen one. Contacting a registrar to take down a malicious domain can take days, while criminals can carry on their malicious campaigns with new domain names in minutes.
Filtering network traffic for security
The response from the security industry to the abuse of the DNS has been to build automated systems that continually analyse domains for malicious behaviour and create domain blocklists. These lists are then fed into various security products as threat intelligence data, so that decisions about allowing connections to specific domains are better informed. For example, the anti-phishing database maintained for ESET security products is updated every 20 minutes so that customers receive protection against the latest phishing websites.
Filtering network traffic against blocklists is a long-established security practice of internet service providers (ISPs) and network administrators. Indeed, this is the very task that firewalls have been put to since the mid-1980s: decapsulate the packets that reach the firewall; look at the IP addresses, the domain names, the protocols, and the port numbers; and if anything is on a blocklist, appears suspicious, or is a communication forbidden by the firewall’s administrators, block it or raise a warning flag.
With the right fine-tuning, network and endpoint firewalls can be effective. They work in both directions, hindering external and internal actors from sending packets either into or out of networks and devices. This helps limit the spread of malicious packets and confidential data leaks no matter the direction or source. A DNS firewall works differently: it allows DNS lookups to proceed but overrides the answers for domains identified as malicious or otherwise undesirable with “not found” or “access denied” responses.
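The override behaviour of a DNS firewall, shown in wire format as an added example (not code from the article or from ESET NetProtect): a query for a blocklisted name is answered locally with NXDOMAIN, or optionally with an A record pointing at a sinkhole, while anything else is passed upstream. The blocklist entries and the sinkhole address are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

# Constructed blocklist for this example (not ESET's feed). A blocked zone
# covers all of its subdomains, as blocklist feeds normally intend.
BLOCKLIST = {"evil.example", "phish.example"}
SINKHOLE_IP = "0.0.0.0"  # hypothetical sinkhole address for A answers

def is_blocked(name: str) -> bool:
    """True if the name or any parent zone of it is on the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal recursive DNS query (QR=0, RD=1) with one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(query: bytes):
    """Return (txid, qname, qtype, raw question section) of a one-question message."""
    txid = struct.unpack("!H", query[:2])[0]
    pos, labels = 12, []
    while query[pos] != 0:
        length = query[pos]
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1  # skip the root label terminator
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, query[12:pos + 4]

def filter_query(query: bytes, sinkhole: bool = False) -> Optional[bytes]:
    """Synthesize a response for blocked names; return None to forward upstream."""
    txid, qname, qtype, question = parse_question(query)
    if not is_blocked(qname):
        return None
    if sinkhole and qtype == 1:
        # NOERROR answer (flags 0x8180: QR, RD, RA) pointing the name at the sinkhole, TTL 60
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + IPv4Address(SINKHOLE_IP).packed
        return header + question + rr
    # Otherwise answer NXDOMAIN: flags 0x8183 = QR, RD, RA with RCODE 3
    return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question

def rcode(response: bytes) -> int:
    """Extract the RCODE (low four bits of the flags word) from a response."""
    return struct.unpack("!H", response[2:4])[0] & 0xF
```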
DNS filtering requires partnership
In one sense, firewalls and blocklists to deny access to malicious domains can create a false sense of security. There is almost always some loophole to bypass firewall filters with persistent effort, typically via a Virtual Private Network (VPN) or the Tor Browser.
Since a DNS firewall is tied to a DNS server, it is possible to bypass its filters simply by changing the DNS server you are using. While it is possible to run your own DNS server and filters at home or locally, many internet users are likely using the default DNS server and filters provided by their ISP. A simple search for “public DNS servers” in a search engine reveals a host of popular free and paid alternatives, some of which offer varying levels of protection against phishing sites and malware.
This means that the successful application of a DNS filtering solution depends critically on the willingness of internet users to enter into a partnership with their selected DNS provider and choose not to circumvent the offered protection.
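Because the protection depends on users staying with the filtering resolver, an operator will want to notice when devices resolve elsewhere. The following added example (not code from the article or from ESET) scans constructed flow records for plain DNS, DNS-over-TLS and DNS-over-HTTPS traffic that does not go to the approved resolvers; all addresses are RFC 5737 documentation ranges and the DoH endpoint list is a placeholder.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy: the resolvers that carry the protective DNS filter, plus a
# placeholder list of public DoH endpoints whose queries the filter never sees.
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
KNOWN_DOH_ENDPOINTS = {"198.51.100.10"}
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow log lines: "src_ip dst_ip proto dst_port"
FLOWS = """\
10.0.0.5 192.0.2.53 udp 53
10.0.0.5 203.0.113.9 udp 53
10.0.0.7 203.0.113.9 tcp 853
10.0.0.8 198.51.100.10 tcp 443
10.0.0.9 192.0.2.54 tcp 53
10.0.0.9 203.0.113.80 tcp 443
203.0.113.5 203.0.113.9 udp 53
""".splitlines()

def classify_flow(dst_ip: str, proto: str, dport: int):
    """Name the bypass technique a flow represents, or None if it is unremarkable."""
    if dst_ip in APPROVED_RESOLVERS:
        return None
    if dport == 53:
        return "plain DNS to unapproved resolver"
    if dport == 853 and proto == "tcp":
        return "DNS-over-TLS to unapproved resolver"
    if dport == 443 and dst_ip in KNOWN_DOH_ENDPOINTS:
        return "DNS-over-HTTPS to known public endpoint"
    return None  # ordinary HTTPS or other traffic

def find_bypass(lines):
    """Map each local source host to the set of resolver-bypass techniques seen."""
    findings = defaultdict(set)
    for line in lines:
        src, dst, proto, port = line.split()
        if not any(ip_address(src) in net for net in LOCAL_NETS):
            continue  # only our own hosts are in scope
        verdict = classify_flow(dst, proto, int(port))
        if verdict:
            findings[src].add(verdict)
    return dict(findings)
```

DoH to an endpoint not on the list looks like any other HTTPS session, which is why operators usually combine this check with a resolver-side policy (for example, not advertising the public endpoints' names) rather than relying on it alone.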
Protective DNS with ESET NetProtect
The need for improved security of the DNS has led in some places to mandating PDNS (Protective DNS), an acronym referring to DNS filtering. For instance, since 2020, US Department of Defense (DoD) contractors have been required to earn Cybersecurity Maturity Model Certification (CMMC), which, among other requirements, stipulates DNS filtering to achieve Level 3 out of the five levels. Moreover, at the end of 2021, the DoD set in motion CMMC 2.0, with the repositioning of DNS filtering yet to be seen.
The PDNS market features many vendors offering DNS filtering with different levels of domain feed quality and accompanying security services. ESET provides a unique contribution, one sourced from threat data shared by millions of customers worldwide using ESET security products. With 35 years of providing security and developing and fine-tuning internal systems to provide high-quality domain feeds for DNS filtering, ESET is positioned to provide ISPs and home admins a distinctive source of protection.
Perhaps you are an ISP looking to bid for government contracts or provide unique protection for your network or security service to your customers? Or maybe you are a home user looking for better security than is provided by your ISP that can be easily extended to all users and guests of your home network? Whatever your case, inquiring about the filtering in place for a DNS server and which entity you are entrusting your DNS security to is no small step toward deflecting the tide of malicious domains proliferating on the internet.
ESET NetProtect is the DNS filtering solution available for home users at ISPs that have partnered with ESET. The solution can detect and block domains that deliver malware, are used for phishing, have a suspicious reputation, or serve potentially unwanted content. ESET NetProtect also offers a configurable web content filter with 35 categories that customers can select to block content by age group.