Wednesday, August 5, 2015

Securing Your DNS

There's been a lot of talk around the Internet recently about DNS. Much like SMTP traffic, it's becoming something that requires more and more attention. From the various ransomware programs that use DNS hijacking techniques to recent malware that embeds communication with its Command and Control servers inside innocent-looking DNS packets, securing your DNS will go a long way towards keeping your clients safe. I'm not going to discuss internal matters such as using DNSSEC to secure your zones or the relative merits of only allowing secure dynamic updates; those are topics for another (though very necessary) discussion. I'm going to focus here on measures that I'm implementing, or considering implementing, for outgoing DNS queries. This is in addition to, not as opposed to, any content filtering in your firewall that seems to accomplish the same end goal at first glance.

The first measure you can take to clean up a lot of malware infestation is simply changing your DNS forwarders to filtering DNS servers such as OpenDNS or UltraDNS. These servers filter out a ton of known malware-infested sites by refusing to resolve them. Imagine for a second those notorious click-happy people on your staff clicking on something in a spam email, and nothing happens. The one thing that must be taken into consideration is that both will flag a number of false positives. For example, when forwarding to UltraDNS, I find that I cannot browse to Wordpress. I must use those blogs a lot, because I noticed that right away. But in UltraDNS's favor, you won't find a faster-responding DNS server on the Internet.

It's a fairly easy point-and-click job on Windows Server to implement this control. Open the DNS mmc, right click on the name of your DNS server(s) and hit Properties. On the Forwarders tab, remove the forwarders that are currently there (often your ISP-provided servers) and enter the IP addresses of the servers you choose to use. You can use two OpenDNS servers, two UltraDNS servers, or even one of each. Make sure that the "Use root hints if no forwarders are available" box is checked for the unlikely case that the forwarders you choose are all offline. Do this for all of the Windows Servers with the DNS role installed, and the equivalent process for other DNS servers in your environment. If you have many, consider having one or two forwarding to your chosen external servers and all other internal servers forwarding to those one or two servers. If the extra bandwidth of two servers doing lookups is a concern, have the second DNS server configured with the first DNS server as its first forwarder and two offsite servers as its second and third.
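The same forwarder layout scripted with the DnsServer PowerShell module, as an added example that is not part of the original post. The server names and resolver addresses are placeholders; substitute your own DNS servers and the OpenDNS/UltraDNS addresses you picked. Note that Set-DnsServerForwarder replaces the existing list (Add-DnsServerForwarder would append to it), which matches the "remove what's there first" step above.

```powershell
# Added example, not from the original post. Assumes the DnsServer module
# (installed with the DNS role or RSAT) and remote management access to both servers.
$externalForwarders = @('203.0.113.10', '203.0.113.11')   # placeholder: the filtering resolvers you chose
$edgeDns            = 'DNS01'                              # placeholder: the one internal server that talks outside
$secondDns          = 'DNS02'                              # placeholder: an internal server behind it
$edgeDnsIp          = '192.0.2.53'                         # placeholder: DNS01's address

# Edge DNS server: forward only to the external filtering resolvers and keep
# root hints as the fallback in case both forwarders are unreachable.
Set-DnsServerForwarder -ComputerName $edgeDns -IPAddress $externalForwarders -UseRootHint $true

# Second DNS server: the edge server is its first forwarder, the two external
# resolvers are second and third, so routine lookups stay on a single outbound path.
Set-DnsServerForwarder -ComputerName $secondDns -IPAddress (@($edgeDnsIp) + $externalForwarders) -UseRootHint $true

# Verify the order actually applied on each server.
foreach ($srv in $edgeDns, $secondDns) {
    $fw = Get-DnsServerForwarder -ComputerName $srv
    '{0}: {1} (root hints fallback: {2})' -f $srv, ($fw.IPAddress -join ', '), $fw.UseRootHint
}
```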

The next step might be considered a bit overkill if your environment is completely desktops, but it's definitely something to consider. The good folks over at winhelp2002.mvps have a hosts file that you can drop onto your system(s) that is much in the same spirit as forwarding to OpenDNS. The hosts file on a system is loaded into memory and evaluated before a DNS lookup, so if a name is in the hosts file, no lookup will be performed. This file is updated often as new malicious hostnames are detected and no-longer-malicious ones are removed. I use this file on all the computers I manage, in addition to forwarding to OpenDNS, in the hope that it may catch some things that OpenDNS doesn't know about yet. On *nix systems you'll find this file at /etc/hosts and on Windows it'll be at c:\system32\drivers\etc\hosts.

And regardless of whether or not you use this or any other customized hosts file, you need some control in place to maintain the integrity of the hosts file on every system. A lot of bad things try to put entries into this file that'll either block you from getting somewhere (such as the Malwarebytes or Kaspersky websites) or take you to their own server when you think you're going to your bank. I'm currently working on a control that'll take a checksum of the hosts file on every system and compare it against a known good value. Whatever you do, work to prevent this file from being altered. For laptops, the MVPS hosts file can go a long way towards keeping them safe when they leave the safety net of your corporate network.
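One way to build the checksum control described above, as an added example and not the post's own script. It assumes a known-good copy of the deployed hosts file is kept at a placeholder UNC path, hashes the local file against it, and, on a mismatch, lists the locally added lines and separates genuine block entries (pointing at 0.0.0.0 or 127.0.0.1, as the MVPS file does) from redirects to some other address, which is the "thinks it's going to the bank" case.

```powershell
# Added example, not from the original post. Assumes it runs as a scheduled task
# or logon script with read access to the baseline copy at $baselinePath (placeholder).
$hostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$baselinePath = '\\FILESERVER\hosts-baseline\hosts'   # placeholder: where the known-good copy lives

$currentHash  = (Get-FileHash -Path $hostsPath    -Algorithm SHA256).Hash
$baselineHash = (Get-FileHash -Path $baselinePath -Algorithm SHA256).Hash

if ($currentHash -eq $baselineHash) {
    "hosts file on $env:COMPUTERNAME matches baseline"
    return
}
Write-Warning "hosts file on $env:COMPUTERNAME differs from baseline (SHA256 $currentHash)"

# Normalise both files: drop comments and blank lines, then keep only lines
# present locally but not in the baseline.
$clean         = { ($_ -split '#')[0].Trim() }
$baselineLines = Get-Content $baselinePath | ForEach-Object $clean | Where-Object { $_ }
$currentLines  = Get-Content $hostsPath    | ForEach-Object $clean | Where-Object { $_ }
$added         = Compare-Object $baselineLines $currentLines |
                 Where-Object SideIndicator -eq '=>' |
                 Select-Object -ExpandProperty InputObject

# A block-list hosts file only ever maps names to a blackhole address. An added
# line with any other address is a redirect rather than a block: treat it as a hijack.
$blackhole = '0.0.0.0', '127.0.0.1', '::1'
foreach ($line in $added) {
    $fields = $line -split '\s+'
    $kind   = if ($blackhole -contains $fields[0]) { 'added block' } else { 'REDIRECT' }
    '{0,-12} {1}' -f $kind, $line
}
```

On *nix systems the same logic applies to /etc/hosts with sha256sum and diff, bearing in mind that a normal /etc/hosts legitimately contains a few non-blackhole entries (the machine's own name, for instance) that belong in the baseline rather than in the alert.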

Finally, in order to prevent malware that attempts to use bogus DNS packets to hide its communication with its C&C server, you should consider locking down outgoing DNS queries. However, the one thing that immediately comes to mind is the Network Connection Status Indicator in Windows Vista and higher. This uses DNS to query a Microsoft server in order to gauge Internet connectivity, and without those DNS packets being allowed, you will get the yellow exclamation mark indicating a connection problem. There are a couple of ways around this. You can disable the functionality, or you can change the URL and/or host an NCSI server yourself (steps at the same link).

On the edge firewall or router, you would allow DNS from your approved DNS server(s) to OpenDNS/UltraDNS as well as the root hints IP addresses, and then block all other outbound DNS packets. And naturally, the help desk is going to immediately start getting a ton of calls that people can't get to the Internet, because there's inevitably going to be a handful of computers with or hard coded in as their DNS servers. If I had a nickel for every time this was done during troubleshooting but then wasn't undone once it was determined that it didn't help.
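An audit you can run before the edge block goes in, so the hard-coded stragglers surface on a report rather than as help desk calls. This is an added example, not from the original post; the approved server list and computer names are placeholders, and it assumes PowerShell remoting is enabled on the workstations.

```powershell
# Added example, not from the original post. Reports every interface whose DNS
# client settings include a server that is not one of your onsite DNS servers.
$approved  = '192.0.2.53', '192.0.2.54'   # placeholder: your onsite DNS servers
$computers = 'WS01', 'WS02', 'WS03'       # placeholder: machines to audit (e.g. from Get-ADComputer)

Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    $ok = $using:approved
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |              # skip interfaces with no DNS configured
        ForEach-Object {
            $stray = @($_.ServerAddresses | Where-Object { $ok -notcontains $_ })
            [PSCustomObject]@{
                Computer  = $env:COMPUTERNAME
                Interface = $_.InterfaceAlias
                Servers   = $_.ServerAddresses -join ','
                Stray     = $stray -join ','
            }
        }
} | Where-Object Stray | Sort-Object Computer | Format-Table Computer, Interface, Servers, Stray -AutoSize
```

Anything listed in the Stray column will stop resolving the moment the edge rule is applied, so fix those (or confirm they are meant to use DHCP) first.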

And one last thing. Don't forget to check the settings of network devices such as printers and NAS units. Don't give them DNS servers unless you absolutely have to, but if you do, give them your onsite DNS servers. Printers and NAS units are pretty juicy targets, as they are capable of aiding in an attack and aren't always given as much consideration as workstations.
