Using DNS As Malware-, Botnet-Fighting Tool

The bad guys freely abuse the Domain Name Service, and now the good guys are increasingly using it to protect themselves: OpenDNS today began offering a new feature in its enterprise DNS service that filters out malware and stops infected hosts from communicating with their command-and-control servers.

The OpenDNS Enterprise malware protection service follows a line of similar tools and cloud-based services that tap the DNS to help ferret out known bad IP addresses. Among these are the Internet Systems Consortium's (ISC) DNS Response Policy Zone, which comes in the DNS Bind 9.8.0 server platform. There also are pure cloud-based IP reputation services, such as Unveillance and ipTrust.

Paul Vixie, principal author of the pervasive BIND DNS server software and creator of several DNS standards, says security is catching up with bad guys, who have used the DNS infrastructure to spread their malware and grow their botnets.

"It's the low-hanging fruit. We haven't used it as much as the bad guys have. We have to catch up with them," says Vixie, the founder, chairman, and chief scientist at Internet Systems Consortium, the nonprofit that produces the popular BIND software for most of the world's DNS servers.

"As long as malware continues to depend on DNS, we'll be able to curtail it with tools like ISC DNS RPZ and OpenDNS Enterprise Malware Protection," ISC's Vixie says. "While I do worry about the next step in this dance where the malware stops depending so much on DNS, I do think OpenDNS is right to capitalize on malware's immediate DNS needs.

"Enterprises who continue to run their own recursive DNS servers in-house are getting similar results using DNS reputation feeds from places like SURBL and Spamhaus using the Response Policy Zone [RPZ] feature new in BIND9 as of 9.8.0."

OpenDNS added the free upgrade to its OpenDNS Enterprise recursive DNS service, blocking known malware-hosting websites and C&C servers from communicating with machines in the enterprise, using blacklists of malicious domain names and malicious or compromised IP addresses.

"We partnered with a number of well-respected security partners who do a lot of malware analysis and [have] IP reputation data and incorporated their feeds into our platform," says David Ulevitch, CEO of OpenDNS, who would not name the vendors. He says the closest offering to OpenDNS' new one is Comcast's IP reputation service, powered by Damballa, which notifies users of bot-infected machines.

He says the service is unlike traditional anti-malware services that focus on stopping malware, but don't do much to mitigate the damage it incurs when it gets through and infects a machine. The new service could work side-by-side with DNSSEC as well, he says.

Renowned researcher and DNSSEC expert Dan Kaminsky concurs. "Botnets are a pernicious problem, one that's getting worse every day. I see no conflict with DNSSEC, despite the use of filtering, for two reasons: First, it's not like users are clamoring to phone home to botnet command-and-control systems. So there's no actions we can expect that will cause further problems. Second, and more ominously, a botnet-infected host is under such control of an attacker that DNSSEC is too late; any security offered to the user can only be a best effort as there is attacker code always at the ready to interfere," he says. "I'm happy to see OpenDNS make that effort."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.