There are more than 150 million domains in use: as of late March 2015 there were 157.7 million active domains in use, up from 139.3 million in late March 2012, an increase of 18.4 million domains, or 13% in a very saturated market. This represents a net increase of 12,000 domains per day, although roughly an order of magnitude more domains are created and taken down each day as cybercriminals exploit the security problems in the domain registrar industry.
One of the best defenses against the problem of malicious domains is user education: getting users never to click on malicious links in phishing emails, in poisoned Web searches, and so forth. However, this is clearly not a realistic solution to the problem because users are gullible or will make mistakes and click on links that lead to malicious content, thereby infecting their computer or an entire corporate network with malware.
While ongoing training of end users can go a long way toward eliminating these consequences, the primary line of defense against malicious domain use should be a system that will prevent a user who clicks on a link from being connected to the source of the malicious content. In this scenario, the domains in the links presented to the user will be analyzed for malicious content and managed appropriately: users who click on, or directly enter valid URL’s will be presented with the content they seek, while clicking on a malicious link will result in redirection to an informational page indicating that the URL is malicious, and thus not accessible from the organization’s network as a precautionary measure against malware or other threats.
The fundamental problem with the Internet in the context of proliferating bogus domains being registered so easily and then used for criminal purposes is that there has been no practical way to block traffic to these malicious domains. While it is, of course, technically possible to block access to a domain, the lack of information about domains has made this practically impossible, except in the most obvious of cases.
How does a provider know which domains are safe to resolve and which are not? While there are millions of widely used and long-standing domains in use that are obviously valid, there are millions more that may or not may not be. For example, how would an Internet service provider know that it is safe to resolve the valid domain “acutech-consulting.com”, but that they should block the bogus domain “trilane-consulting.com”? Moreover, how will a provider know when a formerly valid domain has now been compromised and is now serving up malicious content?
What providers need, therefore, is a reliable and timely source of information about domains. A DNS Response Policy Zone (RPZ) data feed is such a service, one that provides information about domains so that providers can make informed decisions about if and how they should resolve domains that are known to be bogus or serving up malicious content.
The concept behind a DNS RPZ is conceptually similar to the real-time block lists that have been used for email delivery for more than a decade. Using these block lists, email service providers can obtain real time information about email servers and then make a decision about whether or not to accept email from servers that have been used to send spam or infected content. In the same way, a DNS RPZ publishes information about domains for the purpose of letting providers make a decision about resolving domains based on their likelihood of being unsafe for users or applications to access. In short, DNS RPZ provides the same type of capabilities for DNS resolvers that Real Time Block Lists (RBLs) provide for email servers.
An RPZ is designed to rewrite queries or response sets when domains are accessed. RPZ is a technology that leverages data feeds, and so it is the quality of the data feeds that make or break their use. Therefore, the key to effective use of the RPZ is the quality and timeliness of the data feed. The time required to detect a potentially malicious domain and update the information about it can range from 90 seconds to 24 hours. The slower the update cycle, the less useful that RPZ data feed becomes.
The Spamhaus Domain Block List (DBL), launched in 2010, currently contains information on close to 300,000 suspicious or outright malicious domains and is updated every two minutes. It is important to note that the Spamhaus DBL is an extraordinarily dynamic block list: tens of thousands of domains are added and removed from the DBL approximately every 24 hours as cybercriminals create and take down domains used in their activities. Because cybercriminals generally do not pay for domains – registering and disabling them within six hours or so by using less than highly reputable domain registrars – they are able to maintain a continual supply of new domains at low cost. Keeping up with this cybercriminal technique is what the Spamhaus DBL has been designed to do.
Somewhat related to what Spamhaus does is ThreatSTOP. The company maintains a regularly updated database of suspicious IP addresses that is used to populate firewalls with threat intelligence. When malware that may be present on corporate endpoints attempts to “phone home”, access to these IP addresses is blocked, effectively making the network behind the firewall invisible to cybercriminals. Today, ThreatSTOP supports a number of firewalls, including those from Palo Alto Networks, Check Point, Fortinet, Cisco, Juniper and a number of other vendors.
We have written a white paper on Spamhaus’ DNS RPZ technology that you can download here.