I don’t think I’ve ever spoken with a company (at least that I can remember) that didn’t have a firewall in place. Cisco ASA (Firepower), Palo Alto, Check Point and Fortinet seem to be the more popular ones. Barracuda, SonicWall and Stormshield we hear about as well. These systems do a relatively good job of protecting our internal jewels. However, what I find missing in most solutions is their ability to stop DNS tunneling and other tactics that abuse the DNS protocol.
Domain Reputation
Take, for example, the topic of domain reputation. Our security team maintains a list of millions of known malicious domains that is updated in near real time for all of our customers. Since the reputation of these domains is already known to be bad, we do not want internal machines reaching out to them. Ideally, we don’t even want the DNS server to respond to the client with the correct IP addresses to reach them.
We decided to do something about this by creating a DNS firewall. Since the most popular DNS server is BIND, we put together some software that tells BIND to compare each incoming FQDN request against the list of millions of known bad domains that we maintain before replying to the client.
See DNS Firewall to learn more or to contact the author for a copy of the software.
We set up the above software. Now, when laptops and handheld devices request a domain that has a poor reputation, they are served an IP address that won’t take them out to the internet. Perhaps just as importantly, we report on these requests by sending them off to our IPFIX collector. Once they are received, we can alarm on these requests and correlate the information with the flows we are receiving from the existing routers, switches, firewalls and virtual servers. I’ll explain why we do this below.
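A small illustration of the policy check described above (an added example, not the DNS Firewall software’s own code): normalise the queried name, match it and each parent domain against the reputation list, hand back a non-routable sinkhole address instead of the real answer, and build the event record that would be sent on to the collector. The blocklist entries, sinkhole address and client/answer addresses are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample blocklist (not the vendor's real reputation feed).
# A listed domain is taken to cover all of its subdomains as well.
BAD_DOMAINS = {"evil-example.test", "c2-example.test"}

# Constructed, non-routable sinkhole address: the "blocked" answer that
# does not lead out to the internet (the post does not say which it uses).
SINKHOLE_IP = "10.255.255.1"


def normalize(fqdn: str) -> str:
    """Lower-case the name and strip whitespace and the trailing root dot."""
    return fqdn.strip().rstrip(".").lower()


def is_bad_domain(fqdn: str, bad_domains=BAD_DOMAINS) -> bool:
    """True if the name itself or any parent domain is on the reputation list."""
    labels = normalize(fqdn).split(".")
    # Walk from the full name up towards the top-level domain:
    # www.evil-example.test -> evil-example.test -> test
    for i in range(len(labels)):
        if ".".join(labels[i:]) in bad_domains:
            return True
    return False


def resolve_with_policy(fqdn: str, client_ip: str, real_answer: str):
    """Return (answer_ip, event); event is None when the name is not blocked."""
    if not is_bad_domain(fqdn):
        return real_answer, None
    # Metadata the resolver would export (here as JSON) for alarming and
    # correlation with the flows from routers, switches and firewalls.
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": client_ip,
        "dst_fqdn": normalize(fqdn),
        "action": "sinkhole",
        "answer": SINKHOLE_IP,
    }
    return SINKHOLE_IP, event


if __name__ == "__main__":
    ip, ev = resolve_with_policy("WWW.Evil-Example.test.", "192.0.2.10", "203.0.113.5")
    print(ip, json.dumps(ev))
```

BIND’s own mechanism for this kind of answer rewriting is Response Policy Zones (RPZ). Note that the check only covers clients that actually use the internal resolver; a host configured with an external resolver or DNS over HTTPS never presents its queries to it, so those flows should be blocked or alarmed on separately.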
Notice the “Dst FQDN” column in the NetFlow report below. The FQDN outlined in red, which has been obfuscated, is a malicious domain that an internal user reached out to. The end system’s browser was redirected to another IP address, and a message was sent to the IPFIX collector for notification about the event.
Visibility into Encrypted Data
The above FQDN data is collected by FlowPro Defender, which exports 100% of the DNS requests to a flow collector. As you can see above, not only is FlowPro Defender useful for identifying machines making unwanted attempts to reach the Internet, it also exports the FQDN requested behind every Internet IP address. As a result, even if the connection is encrypted, FlowPro Defender provides insight into traffic to services like Akamai, Amazon AWS and HostMonster, along with 100% of DNS requests.
Need Help Setting up your DNS Firewall?
So if you are thinking about trying an Infoblox firewall but want to first try turning your existing DNS into a firewall, contact our team. We’ll help you get started, and with FlowPro Defender you end up with a regularly maintained list of millions of domains with a poor reputation as well as a system for exporting metadata that can enrich the contextual details of any flow-exporting device. We believe IT should consider solutions that work with what they’ve already invested in.