Saturday, October 1, 2016

Filtered DNS

I've talked about DNS Security in the past.  This is becoming a bigger deal as time goes on, as more and more malware finds new and creative ways of exploiting DNS to deliver or execute its payload.  Whether it's DNS hijacking to force your browser to visit pages you really don't want to visit, or embedding command and control messages within what appear to be legitimate DNS packets, we need to pay close attention to DNS within our networks.

As I stated in the previous post, I've gone overboard at home, just because it's a personal interest of mine.  I have two domain controllers running Active Directory, both of which perform DNS duties for my network (don't we all have AD running at home?).   DC1 is set to forward queries to a series of third party DNS servers.  First on the list are two OpenDNS servers, followed by two UltraDNS servers.  If all four of those are unavailable, then it'll use root hints.  DC2 is configured to first try DC1, then OpenDNS, then UltraDNS and finally root hints if all those are unavailable.  All hosts on the network have DC1 and DC2 as their DNS servers.  And finally, outbound DNS queries are blocked at the firewall for all hosts except DC1 and DC2.
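Here is that forwarder layout expressed as an added PowerShell example (my own illustration, not configuration from the original post), using the DnsServer module that ships with the Windows Server DNS role. The DC addresses 192.168.1.10 and 192.168.1.11 are placeholders; the public resolver addresses are the OpenDNS and UltraDNS/DNS Advantage ones benchmarked later in this post.

```powershell
# Added example, not from the original post. Applies the forwarder chain
# described above: DC1 -> OpenDNS -> UltraDNS -> root hints, and
# DC2 -> DC1 -> OpenDNS -> UltraDNS -> root hints.
# Assumptions: DC1 is 192.168.1.10 and DC2 is 192.168.1.11 (placeholder addresses).

$Dc1      = '192.168.1.10'                       # placeholder
$OpenDns  = '208.67.222.222', '208.67.220.220'
$UltraDns = '156.154.70.1',   '156.154.71.1'

# DC1: OpenDNS first, UltraDNS second, root hints only if every forwarder fails.
# EnableReordering is turned off so the server keeps the order given here instead
# of re-sorting forwarders by observed response time.
Set-DnsServerForwarder -ComputerName DC1 -IPAddress ($OpenDns + $UltraDns) `
    -UseRootHint $true -Timeout 3 -EnableReordering $false

# DC2: DC1 first, then the same public forwarders, then root hints.
Set-DnsServerForwarder -ComputerName DC2 -IPAddress (@($Dc1) + $OpenDns + $UltraDns) `
    -UseRootHint $true -Timeout 3 -EnableReordering $false

# Read back what each server stored; the order shown is the order tried.
foreach ($dc in 'DC1', 'DC2') {
    Get-DnsServerForwarder -ComputerName $dc |
        Select-Object @{ n = 'Server'; e = { $dc } }, IPAddress, UseRootHint, Timeout, EnableReordering
}

# From a workstation: lookups through a DC must succeed, while a query sent
# straight to an outside resolver should fail if the firewall egress rule holds.
Resolve-DnsName -Name example.com -Server $Dc1 -Type A -DnsOnly | Format-Table -AutoSize
try {
    Resolve-DnsName -Name example.com -Server 8.8.8.8 -Type A -DnsOnly -ErrorAction Stop | Out-Null
    Write-Warning 'A client reached 8.8.8.8 directly: outbound DNS is not blocked at the firewall.'
} catch {
    Write-Host 'Direct outbound DNS from this client is blocked, as intended.'
}
```

The last block is the part worth running periodically: a forwarder chain only protects hosts that actually use it, and the egress rule is what stops a compromised host (or a helpful application with its own hard-coded resolver) from going around the filtering DCs.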
I have also used the custom hosts file mentioned in the DNS Security blog post in the past.  But without a good means of deploying it around at home, I've stopped downloading and installing it.  In my previous job, I had a script running on a management server to download an updated copy each month and deploy it to every host that is managed by the company.  Try it out if you only have a host or two that would need it.  It may catch a few things that are missed by the filtering DNS server you choose and vice versa.

So what are these third party DNS servers and why would one want to use them?   The DNS servers provided by your ISP are generally "good enough," and Google's public DNS servers are definitely good enough if your ISP's aren't, right?  I have used Google's servers in the past, especially when my ISP, who shall remain nameless, would have DNS servers go down for an extended period once or twice a day.  The reason I go with OpenDNS now is that Google and my ISP are straightforward DNS servers.  They provide no filtering or other methods of security.  If that is what you want, Google is a fast and accurate DNS server.

A filtering DNS Server, such as OpenDNS (recently bought out by Cisco) or UltraDNS provides you with an additional layer of security by filtering out things you don't want.  For example, if a website has been flagged as hosting drive-by download malware, it will either simply return not found, as if there was no record for that FQDN in the global DNS hierarchy, or it will resolve to a custom web page informing the user that it has been blocked and why.   In addition, they may provide users with ad blocking and typo protection (redirecting you to google.com when you accidentally typed googel.com).  While no service is perfect, these DNS servers filter out a ton of bad stuff.  It's all about defense in depth, so any additional security control you can add for free (in terms of cost and computer resources) is always a good thing.
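The two blocking behaviours just described (an NXDOMAIN as if the record never existed, or a redirect to a block page) are easy to tell apart from a client. The following is an added PowerShell example of mine, not from the original post: it resolves one name through a plain reference resolver and through several of the filtering resolvers covered here and labels how each one differs. The name `suspect.example` is a placeholder for whatever you want to check; the assumed "does not exist" error text is what Resolve-DnsName reports for an NXDOMAIN answer.

```powershell
# Added example, not from the original post. Compares one name across a plain
# resolver (Google, 8.8.8.8) and filtering resolvers from this post, reporting
# whether each filtering resolver answers the same, returns NXDOMAIN, or hands
# back a different address (block page or typo correction).
# Assumption: 'suspect.example' is a placeholder for the name being checked.

function Get-DnsAnswer {
    param([string] $Name, [string] $Server)
    try {
        $a = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop |
             Where-Object Type -eq 'A'
        return (($a.IPAddress | Sort-Object) -join ',')
    } catch {
        # Resolve-DnsName surfaces RCODE 3 as "DNS name does not exist" (assumed message text).
        if ($_.Exception.Message -match 'does not exist') { return 'NXDOMAIN' }
        return "ERROR: $($_.Exception.Message)"
    }
}

function Compare-DnsFiltering {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string]   $Reference = '8.8.8.8',
        [string[]] $Filtering = @('208.67.222.222', '156.154.70.1', '216.146.35.35')
    )
    $ref = Get-DnsAnswer -Name $Name -Server $Reference
    foreach ($f in $Filtering) {
        $ans = Get-DnsAnswer -Name $Name -Server $f
        $verdict = if ($ans -eq $ref)           { 'same as reference' }
                   elseif ($ans -eq 'NXDOMAIN') { 'filtered (NXDOMAIN)' }
                   elseif ($ans -like 'ERROR*') { 'no answer' }
                   else                         { 'redirected (block page or typo correction)' }
        [pscustomobject]@{
            Name      = $Name
            Resolver  = $f
            Reference = $ref
            Answer    = $ans
            Verdict   = $verdict
        }
    }
}

Compare-DnsFiltering -Name 'suspect.example' | Format-Table -AutoSize
```

A "redirected" verdict is worth a second look before calling it a false positive: the address a filtering resolver returns for a blocked name belongs to the provider's block page, so a browser will load something, just not the site that was asked for.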

So let's talk about each of these filtering DNS servers and see which one may be right for you.  In the interest of full disclosure, I haven't personally used all of these services, so take my word with a grain of salt.  But a little information will go a long way in ensuring that you don't look like the user "Michael" in the comments on an article posted at The Geeky Globe, recommending that users report OpenDNS to the FBI for blocking websites.  Yes, a filtering DNS server will filter out some sites.  I'd be willing to bet he's a botnet operator who is losing bots due to OpenDNS's protection. But either way, the comment was humorous.  Let's report a company who is providing a service that does exactly what we wanted it to do.

The first one I'm going to discuss is OpenDNS, now part of the Cisco security portfolio.  OpenDNS provides a number of different services, one of which is Enhanced DNS, or what we're talking about here.   This service is free for personal and business use.  In addition, home users can use OpenDNS Family, which adds filtering for adult content.  There is also OpenDNS Home, which is free for home users and offers customizable filtering such as user definable white-lists and black-lists.  And of course there is OpenDNS Umbrella, which is a highly configurable offering for enterprise networks.  Different services are utilized by changing the IP address used.  In my experience, OpenDNS provides fast DNS resolution with a minimal number of false positives being blocked.

Next is DNS Advantage.  DNS Advantage is provided by Neustar, which offers a range of security services.   DNS Advantage is their free offering, while the well-known UltraDNS is their commercial offering.  I've used DNS Advantage before.  Their DNS resolution appeared to be the fastest based on the eyeball test at the time, but I found that they just block too much.  A ton of top hits for Google searches were blogs hosted at WordPress, and it seemed that the entire domain was blocked.  That was a while ago, and I'm sure things have changed, so your mileage may vary.

Dyn Internet Guide is freely available for personal or business use.  Dyn provides malware and phishing blocking as well as typo correction.  Dyn also offers a number of commercial services including authoritative DNS servers for domain owners.  One of the nice features is that their page informing the user that the site has been blocked gives the user the option to still visit the site if they feel the block is in error.  Dyn also has their own take on the standard 404 page not found error page, providing the user a more aesthetic page with search options to assist with finding what they were looking for.  I've never used Dyn, so I cannot comment on what is and isn't being blocked.

Next up is a service that was new to me when I started researching this post.  FoolDNS is free for personal and business use, and is targeted towards the home and small business user.   Their focus is blocking tracking, profiling and advertising, while also blocking a number of malware and phishing sites.  Business packages add unsafe domain filtering and additional reporting.

GreenTeam Internet, another new one to me, is free for personal and commercial use.  It is configured to block malware and phishing sites, ads, adult content as well as violence and drug related content.  Blocked sites will result in a simple landing page with an option to report what the user believes to be a false positive, while non-existent pages are not touched, so the browser will display the standard 404 error.  Commercial services are available with additional features and customizable options.

Now that we've gone over the services and their basic features, let's talk about what's really important in a DNS server: resolution speed.  I ran benchmarks on all of the above mentioned servers, and compared those numbers to my two local DNS servers.  My local servers are both Active Directory domain controllers, one installed on bare metal, and the other installed in a virtual machine hosted on VMware ESXi.  I used GRC's Domain Name Server Benchmark tool to gather the data.  For a comparison point, I've included the results for Google's public DNS servers, as those are commonly used by many.

If results for a DNS server are not listed here, the server did not respond, most likely because I'm not signed up for their service.  First I present a table, followed by the raw data.  As expected, the local DNS servers did the best, more than twice the speed of the next best server.  What I didn't expect, however, is the VM running Server 2016 Technical Preview 5 outperforming the bare metal server running Server 2012 R2.  Not only is dc2 a VM, it is a router hop away from the host running the benchmark.
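If you'd rather gather numbers like these from a script than from GRC's tool, here is an added PowerShell example of mine (not from the original post, and not how GRC's benchmark works internally). It times repeated A lookups against each resolver with Resolve-DnsName and reports min/avg/max in seconds, in the spirit of the Cached Name and Uncached Name rows below: the cached pass repeats one popular name so the resolver answers from its cache, and the uncached pass queries a fresh random label under example.com so nothing can be cached. An NXDOMAIN for that random label is a perfectly good timed answer; only a timeout or other error counts against reliability. The "does not exist" error text is an assumption about Resolve-DnsName's NXDOMAIN message.

```powershell
# Added example, not from the original post and not GRC's tool. Measures
# resolver latency with Resolve-DnsName and a Stopwatch, reporting Min/Avg/Max
# in seconds plus a reliability percentage, similar to the columns below.

function Measure-Resolver {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Name,
        [int]    $Rounds = 20,
        [switch] $Uncached   # query a fresh random label under $Name every round
    )
    $times = @()
    $fail  = 0
    for ($i = 0; $i -lt $Rounds; $i++) {
        $q = if ($Uncached) { "$([guid]::NewGuid().ToString('N').Substring(0, 12)).$Name" } else { $Name }
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            Resolve-DnsName -Name $q -Server $Server -Type A -DnsOnly -ErrorAction Stop | Out-Null
        } catch {
            # NXDOMAIN is a real answer for the random label; anything else is a failure.
            if ($_.Exception.Message -notmatch 'does not exist') { $fail++ }
        }
        $sw.Stop()
        $times += $sw.Elapsed.TotalSeconds
    }
    $stats = $times | Measure-Object -Minimum -Average -Maximum
    [pscustomobject]@{
        Server    = $Server
        Test      = if ($Uncached) { 'Uncached Name' } else { 'Cached Name' }
        Min       = [math]::Round($stats.Minimum, 3)
        Avg       = [math]::Round($stats.Average, 3)
        Max       = [math]::Round($stats.Maximum, 3)
        'Reliab%' = [math]::Round(100 * ($Rounds - $fail) / $Rounds, 1)
    }
}

# Resolvers from the table below plus a local DC (placeholder address).
$servers = '192.168.1.10', '208.67.222.222', '156.154.70.1', '216.146.35.35', '8.8.8.8'
$results = foreach ($s in $servers) {
    Measure-Resolver -Server $s -Name 'www.google.com'                 # warm, then cached
    Measure-Resolver -Server $s -Name 'example.com' -Uncached          # <random>.example.com
}
$results | Sort-Object Test, Avg | Format-Table -AutoSize
```

Run it from the same host each time and keep the round count modest; twenty queries per resolver is enough to see the ordering without looking like abuse to the provider.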


  Provider                                   | IP              | Usage                | Benchmark (Cached Name avg, s)
  -------------------------------------------+-----------------+----------------------+------------------------------
  Personal Server dc2                        | 192.168.xxx.xxx | N/A                  | 0.009
  Personal Server dc3                        | 192.168.xxx.xxx | N/A                  | 0.010
  Google                                     | 8.8.4.4         | Unsure               | 0.036
  Google                                     | 8.8.8.8         | Unsure               | 0.041
  DNS Advantage                              | 156.154.70.1    | Personal or Business | 0.028
  DNS Advantage                              | 156.154.71.1    | Personal or Business | 0.046
  OpenDNS Enhanced                           | 208.67.220.220  | Personal or Business | 0.025
  OpenDNS Enhanced                           | 208.67.222.222  | Personal or Business | 0.025
  OpenDNS FamilyShield                       | 208.67.222.123  | Personal or Business | 0.026
  OpenDNS FamilyShield                       | 208.67.220.123  | Personal or Business | 0.026
  Comodo SecureDNS 2.0                       | 8.26.56.26      | Personal Use Only    | 0.044
  Comodo SecureDNS 2.0                       | 8.20.247.20     | Personal Use Only    | 0.044
  Dyn Internet Guide                         | 216.146.35.35   | Personal or Business | 0.030
  Dyn Internet Guide                         | 216.146.36.36   | Personal or Business | 0.031
  FoolDNS                                    | 87.118.111.215  | Personal or Business | N/A
  FoolDNS                                    | 213.187.11.62   | Personal or Business | N/A
  GreenTeam Internet                         | 81.218.119.11   | Personal or Business | N/A
  GreenTeam Internet                         | 209.88.198.133  | Personal or Business | N/A
  Norton ConnectSafe Security                | 199.85.126.10   | Personal Use Only    | 0.036
  Norton ConnectSafe Security                | 199.87.127.10   | Personal Use Only    | N/A
  Norton ConnectSafe Security + Porn         | 199.85.126.20   | Personal Use Only    | 0.034
  Norton ConnectSafe Security + Porn         | 199.85.127.20   | Personal Use Only    | 0.026
  Norton ConnectSafe Security + Porn + Other | 199.85.126.30   | Personal Use Only    | 0.035
  Norton ConnectSafe Security + Porn + Other | 199.85.127.30   | Personal Use Only    | 0.029

  192.168.xxx.xxx |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  + Cached Name   | 0.001 | 0.009 | 0.068 | 0.014 | 100.0 |
  + Uncached Name | 0.026 | 0.117 | 0.537 | 0.117 | 100.0 |
  + DotCom Lookup | 0.026 | 0.072 | 0.171 | 0.036 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                 fdc2.firewallninja.info
                Local Network Nameserver


  192.168.xxx.xxx |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  + Cached Name   | 0.001 | 0.010 | 0.031 | 0.011 | 100.0 |
  + Uncached Name | 0.023 | 0.112 | 0.544 | 0.119 | 100.0 |
  + DotCom Lookup | 0.024 | 0.078 | 0.195 | 0.052 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                 fdc3.firewallninja.info
                Local Network Nameserver


  208. 67.222.222 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.018 | 0.025 | 0.032 | 0.003 | 100.0 |
  - Uncached Name | 0.025 | 0.105 | 0.463 | 0.104 | 100.0 |
  - DotCom Lookup | 0.020 | 0.080 | 0.244 | 0.054 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                  resolver1.opendns.com
               OPENDNS - OpenDNS, LLC, US


  208. 67.220.220 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.019 | 0.025 | 0.052 | 0.005 | 100.0 |
  - Uncached Name | 0.021 | 0.110 | 0.491 | 0.113 | 100.0 |
  - DotCom Lookup | 0.023 | 0.076 | 0.186 | 0.048 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                  resolver2.opendns.com
               OPENDNS - OpenDNS, LLC, US


  199. 85.127. 20 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.022 | 0.026 | 0.033 | 0.002 | 100.0 |
  - Uncached Name | 0.025 | 0.075 | 0.237 | 0.058 | 100.0 |
  - DotCom Lookup | 0.045 | 0.061 | 0.095 | 0.017 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
          ··· no official Internet DNS name ···
              ULTRADNS - NeuStar, Inc., US


  208. 67.222.123 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.019 | 0.026 | 0.042 | 0.004 | 100.0 |
  - Uncached Name | 0.020 | 0.108 | 0.466 | 0.108 | 100.0 |
  - DotCom Lookup | 0.020 | 0.090 | 0.189 | 0.056 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                resolver1-fs.opendns.com
               OPENDNS - OpenDNS, LLC, US


  208. 67.220.123 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.021 | 0.026 | 0.038 | 0.004 | 100.0 |
  - Uncached Name | 0.022 | 0.110 | 0.502 | 0.121 | 100.0 |
  - DotCom Lookup | 0.021 | 0.078 | 0.190 | 0.055 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                resolver2-fs.opendns.com
               OPENDNS - OpenDNS, LLC, US


  156.154. 70.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.023 | 0.028 | 0.036 | 0.003 | 100.0 |
  - Uncached Name | 0.024 | 0.075 | 0.247 | 0.059 |  98.0 |
  - DotCom Lookup | 0.045 | 0.060 | 0.091 | 0.016 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                   rdns1.ultradns.net
              ULTRADNS - NeuStar, Inc., US


  199. 85.127. 30 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.023 | 0.029 | 0.041 | 0.004 | 100.0 |
  - Uncached Name | 0.026 | 0.073 | 0.312 | 0.063 | 100.0 |
  - DotCom Lookup | 0.047 | 0.067 | 0.098 | 0.020 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
          ··· no official Internet DNS name ···
              ULTRADNS - NeuStar, Inc., US


  216.146. 35. 35 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.019 | 0.030 | 0.107 | 0.015 | 100.0 |
  - Uncached Name | 0.025 | 0.076 | 0.282 | 0.070 | 100.0 |
  - DotCom Lookup | 0.020 | 0.044 | 0.090 | 0.019 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
            resolver1.dyndnsinternetguide.com
       DYNDNS - Dynamic Network Services, Inc., US


  216.146. 36. 36 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.026 | 0.031 | 0.042 | 0.003 |  98.0 |
  - Uncached Name | 0.029 | 0.093 | 0.295 | 0.070 |  97.9 |
  - DotCom Lookup | 0.026 | 0.064 | 0.157 | 0.034 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
            resolver2.dyndnsinternetguide.com
       DYNDNS - Dynamic Network Services, Inc., US


  199. 85.126. 20 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.030 | 0.034 | 0.048 | 0.003 | 100.0 |
  - Uncached Name | 0.033 | 0.093 | 0.300 | 0.079 | 100.0 |
  - DotCom Lookup | 0.029 | 0.045 | 0.068 | 0.013 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
          ··· no official Internet DNS name ···
              ULTRADNS - NeuStar, Inc., US


  199. 85.126. 30 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.030 | 0.035 | 0.049 | 0.004 | 100.0 |
  - Uncached Name | 0.031 | 0.093 | 0.282 | 0.075 | 100.0 |
  - DotCom Lookup | 0.029 | 0.045 | 0.129 | 0.021 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
          ··· no official Internet DNS name ···
              ULTRADNS - NeuStar, Inc., US


  156.154. 71.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.030 | 0.035 | 0.046 | 0.003 |  98.0 |
  - Uncached Name | 0.034 | 0.096 | 0.277 | 0.074 | 100.0 |
  - DotCom Lookup | 0.029 | 0.044 | 0.128 | 0.017 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                   rdns2.ultradns.net
              ULTRADNS - NeuStar, Inc., US


  199. 85.126. 10 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.030 | 0.036 | 0.054 | 0.005 | 100.0 |
  - Uncached Name | 0.032 | 0.090 | 0.281 | 0.064 | 100.0 |
  - DotCom Lookup | 0.029 | 0.055 | 0.134 | 0.027 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
          ··· no official Internet DNS name ···
              ULTRADNS - NeuStar, Inc., US


    8.  8.  4.  4 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.029 | 0.036 | 0.062 | 0.007 | 100.0 |
  - Uncached Name | 0.034 | 0.070 | 0.253 | 0.047 | 100.0 |
  - DotCom Lookup | 0.042 | 0.062 | 0.154 | 0.027 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
             google-public-dns-b.google.com
              ... determining ownership ...


    8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.033 | 0.041 | 0.084 | 0.010 | 100.0 |
  - Uncached Name | 0.033 | 0.080 | 0.254 | 0.054 | 100.0 |
  - DotCom Lookup | 0.042 | 0.053 | 0.098 | 0.013 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
             google-public-dns-a.google.com
                GOOGLE - Google Inc., US


    8. 26. 56. 26 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.039 | 0.044 | 0.054 | 0.004 | 100.0 |
  - Uncached Name | 0.040 | 0.106 | 0.303 | 0.065 | 100.0 |
  - DotCom Lookup | 0.043 | 0.075 | 0.113 | 0.021 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
              ns1.recursive.dnsbycomodo.com
                    -Reserved AS-, ZZ


    8. 20.247. 20 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.038 | 0.044 | 0.064 | 0.006 | 100.0 |
  - Uncached Name | 0.039 | 0.108 | 0.364 | 0.075 | 100.0 |
  - DotCom Lookup | 0.042 | 0.077 | 0.140 | 0.025 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
              ns2.recursive.dnsbycomodo.com
                    -Reserved AS-, ZZ