The DNS system, which is a sort of directory of the Internet, has long been plagued by malicious domains. Its administrators – the registrars – have little hope of discovering an effective remedy for such abuse. ESET introduces protective technology to combat this problem.
The Domain Name System (DNS) has been used since the early 1980s to look up the IP addresses of domain names, which are now most commonly entered into the address bar of browsers, but which are also widely queried by applications. Most Internet users probably don’t even notice the work that DNS does, even though almost all of our Internet activity starts with a DNS lookup. Monitoring DNS lookups can provide a comprehensive view of communications across devices and is a critical part of security controls.
Filtering malicious and suspicious domains is a constant battle to maintain protection. Ideally, malicious domains would not be registered at all, or at least would be detected quickly, and the problem would then be solved by removing them, blocking access to them, or redirecting communications away from them (sinkholes). However, registering a new or recycled domain name under a fake identity is a quick, easy and cheap process, allowing for the immediate spread of various threats.
Malicious domains as a thriving industry
The danger is not just in mistyping a domain name and accidentally navigating to a malicious site that exploits common typos in domain names (typosquatting). Attackers can mass-register new malicious domains for large-scale phishing campaigns, or use homographic attacks that only the most cautious can resist. Compromised devices can connect to command and control servers that oversee botnets to issue the next malicious command. The malware can steal data and send it to a malicious domain.
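The typosquatting and homograph tricks described above can be triaged automatically before a domain ever reaches a block list. The following is an added example, not code from ESET or from the article: it reduces each registrable label to the ASCII string a human would read it as (decoding punycode, folding a small constructed table of Cyrillic and digit look-alikes) and flags names that read as a protected brand or sit one keystroke away from it. The brand list, the confusables table and the two-label suffix model are assumptions; a production filter would use the Unicode confusables data (UTS #39) and the Public Suffix List.

```python
"""Lookalike-domain triage for a DNS or domain-registration feed (added example)."""
from __future__ import annotations

import unicodedata

# Constructed, deliberately small confusables table: characters attackers
# commonly substitute for Latin letters (Cyrillic homoglyphs, digits).
SINGLE_CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}
# Multi-character tricks that read as one letter in many fonts.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def decode_label(label: str) -> str:
    """Turn a punycode (xn--) label back into Unicode; leave plain ASCII as is."""
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII string a reader would perceive."""
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for multi, repl in MULTI_CONFUSABLES.items():
        text = text.replace(multi, repl)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label. Assumption: a two-label suffix model; real
    deployments consult the Public Suffix List (co.uk, com.br, ...)."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain: str, brands: list[str]) -> tuple[str, str | None]:
    """Return ('clean' | 'lookalike' | 'typosquat', matched brand or None)."""
    label = decode_label(registrable_label(domain))
    for brand in brands:
        brand = brand.lower()
        if label == brand:
            return ("clean", None)       # the brand's own registrable domain
        if skeleton(label) == brand:
            return ("lookalike", brand)  # reads as the brand but is not it
        if edit_distance(label, brand) == 1:
            return ("typosquat", brand)  # one keystroke away from the brand
    return ("clean", None)


if __name__ == "__main__":
    # Constructed protected brand and candidate domains.
    for candidate in ["example.com", "examp1e.com", "exmaple.com", "unrelated.org",
                      "\u0435xample.com".encode("idna").decode("ascii")]:
        print(candidate, "->", classify(candidate, ["example"]))
```

Verdicts are triage hints, not proof: a one-edit neighbour such as a pluralised name can be legitimate, so a filter would combine this score with registration age, hosting and content signals before blocking.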
A particular problem arises when legitimate domains are compromised and put on block lists as malicious. Operators of such domains must disclose the source of the compromise and request their removal from all blocked domain lists. This scenario often occurs when hosting service providers that detect malicious activity automatically suspend client accounts. On the other hand, there are also providers who turn a blind eye to malicious or illegal use of their services, providing a safe haven for would-be and professional criminals.
According to Verisign, which manages the .com and .net top-level domain (TLD) infrastructure, 341.7 million new domain names were registered in the fourth quarter of 2021 in all top-level domains except .tk (Tokelau), .cf (Central African Republic), .ga (Gabon), .gq (Equatorial Guinea) and .ml (Mali), which are operated by Freenom, due to a lack of verifiable data. With an average of more than 3.7 million new domains registered every day that need to be analysed for malicious behaviour, as well as existing domains that may have already been compromised or will only become malicious later, the need for effective technological solutions to address this threat vector is of paramount importance.
The economic side of domains
According to several analyses conducted over the years – [1], [2] and [3] – the five top-level domains operated by Freenom are among the most frequently exploited for phishing and malware distribution, because registering a new domain there is free. This shows how favourable the situation is for attackers from an economic point of view.
Millions of domains can come and go every day because the people who register them bear almost no responsibility or cost. Each registrar sets its own rules, and it is easy to find those who take a lax approach to verifying registrants’ identities and addresses and charge almost no fees to register domains. Sometimes they even make APIs available to allow automated registration of large numbers of domains.
Although the WHOIS protocol was developed to allow easy searches of registrants’ identities and addresses in registrar databases, several obstacles hinder the identification of malicious registrants. Some registrars offer a privacy service under which they do not provide registrant information. Some local privacy laws even mandate such confidentiality. Even worse, in the case of explicitly malicious domains, any personally identifiable information that might be available through a WHOIS query is likely to be false. Even the credit card used to pay for registering these domains is itself stolen. Contacting the registrar to remove the malicious domain may take several days, but criminals can continue their malicious campaigns with new domain names in just a few minutes.
Filtering network communications to ensure security
The IT sector’s response to DNS abuse has been to create automated systems that continuously analyse domains for malicious behaviour and maintain lists of blocked domains. These lists are then fed to various security products and threat intelligence sources to better decide which connections to specific domains will be allowed. For example, the anti-phishing database used by ESET security products is updated every 20 minutes, so customers are also protected from the latest phishing websites.
Filtering network communications according to blocked domain lists is not unknown among Internet Service Providers (ISPs) and network administrators. In fact, it’s a task that firewalls have been performing since the mid-1980s: they parse incoming packets, check IP addresses, domain names, protocols and port numbers, and if there’s a match to a block list, something suspicious, or a communication that the firewall administrators have banned, the traffic is blocked or the user is alerted.
When properly configured, firewalls on the network and on endpoint devices can be effective because they work in both directions, preventing attackers both outside and inside from sending packets into and out of networks and devices. This limits the spread of malicious packets and the leakage of confidential data, regardless of direction or source. A DNS firewall works a little differently: it allows DNS lookups but overwrites the responses for domains marked as malicious or otherwise unwanted with a “not found” or “access denied” answer.
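The response-rewriting behaviour of a DNS firewall looks like this at the wire level. The block below is an added example, not ESET NetProtect’s code or that of any particular resolver: it parses a raw DNS query, matches the name and its parent domains against a block list on label boundaries, and either returns None (meaning forward the query upstream untouched) or synthesises the reply itself as NXDOMAIN (“not found”), REFUSED (“access denied”) or a sinkhole A record. The block list, sinkhole address and sample queries are constructed; a real deployment would express the same policy as an RPZ zone or a resolver plug-in.

```python
"""Policy layer of a DNS firewall on raw DNS wire format (added example)."""
from __future__ import annotations

import struct

QTYPE_A = 1
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt: bytes, offset: int) -> tuple[str, int]:
    """Read an uncompressed name; return (lowercased name, offset after it)."""
    labels = []
    while True:
        length = pkt[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Stub-resolver style query: RD=1, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype, qclass, pkt[12:off + 4]


def is_blocked(qname: str, blocklist: set[str]) -> bool:
    """Match on label boundaries: blocking 'phish.example' also covers
    'login.phish.example' but not 'notphish.example'."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def build_response(txid: int, question: bytes, rcode: int,
                   answer: bytes = b"", ancount: int = 0) -> bytes:
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1, then the response code
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer


def sinkhole_rr(ip: str, ttl: int = 60) -> bytes:
    """A record pointing at the sinkhole; 0xC00C is a pointer to the QNAME at offset 12."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4) + rdata


def policy(query: bytes, blocklist: set[str], mode: str = "nxdomain",
           sinkhole_ip: str = "0.0.0.0") -> bytes | None:
    """Synthesised reply for blocked names, or None meaning 'forward upstream'."""
    txid, qname, qtype, _qclass, question = parse_query(query)
    if not is_blocked(qname, blocklist):
        return None
    if mode == "refused":
        return build_response(txid, question, RCODE_REFUSED)
    if mode == "sinkhole" and qtype == QTYPE_A:
        return build_response(txid, question, RCODE_NOERROR, sinkhole_rr(sinkhole_ip), 1)
    return build_response(txid, question, RCODE_NXDOMAIN)


def response_summary(resp: bytes) -> tuple[int, list[str]]:
    """(rcode, A-record addresses) of a reply built by this module."""
    _txid, flags, _qd, ancount = struct.unpack("!HHHH", resp[:8])
    _name, off = decode_name(resp, 12)
    off += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _ptr, rtype, _rclass, _ttl, rdlen = struct.unpack("!HHHIH", resp[off:off + 12])
        off += 12
        if rtype == QTYPE_A:
            addrs.append(".".join(str(b) for b in resp[off:off + rdlen]))
        off += rdlen
    return flags & 0x0F, addrs


if __name__ == "__main__":
    BLOCKLIST = {"phish.example", "bad.test"}  # constructed block list
    for name, mode in [("login.phish.example", "nxdomain"),
                       ("bad.test", "sinkhole"), ("www.example.org", "nxdomain")]:
        reply = policy(build_query(0x1234, name), BLOCKLIST, mode)
        print(name, "-> forward upstream" if reply is None else response_summary(reply))
```

The choice between NXDOMAIN, REFUSED and a sinkhole is a policy decision: NXDOMAIN is the quietest for clients, REFUSED tells the user something was denied, and a sinkhole address lets the operator log which hosts tried to reach blocked domains.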
DNS filtering requires collaboration
The use of firewalls and block lists to prevent access to malicious domains can in some ways create a false sense of security. Even with persistent efforts, there is almost always some loophole to bypass firewall filters, usually through a virtual private network (VPN) or the Tor browser. Since the DNS firewall is tied to a DNS server, all you need to do to bypass its filters is to change the DNS server you are using. Although it is possible to use your own DNS server and filters at home or locally, many Internet users are likely to settle for the default DNS server and filters from their ISP. A simple search for “public DNS servers” in a search engine will turn up a number of popular free and paid alternatives, some of which offer varying levels of protection against phishing sites and malware.
This means that the effective use of a DNS filtering solution depends critically on the willingness of Internet users to join forces with their chosen DNS provider and choose not to bypass the protection offered.
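Because a user or a piece of malware can sidestep a DNS firewall simply by pointing the device at a different resolver, a network administrator will want to notice when that happens. The block below is an added example, not part of the original article: it scans constructed firewall or flow log lines (the key=value format and the approved resolver addresses are assumptions) and reports, per source host, DNS traffic sent to resolvers other than the approved ones over plain DNS (port 53) or DNS-over-TLS (port 853). DNS-over-HTTPS on port 443 cannot be separated from ordinary web traffic by port alone, so it is deliberately out of scope here.

```python
"""Detect endpoints that bypass the approved filtering resolvers (added example)."""
from __future__ import annotations

from collections import defaultdict

# Constructed: the organisation's own filtering resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}
DNS_PORTS = {53: "plain-dns", 853: "dns-over-tls"}

# Constructed sample log lines (documentation address ranges only): 10.0.1.25
# uses the approved resolvers, 10.0.1.77 queries an outside resolver directly,
# 10.0.1.88 uses DNS-over-TLS to an unapproved server, one line is malformed.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z src=10.0.1.25 dst=10.0.0.53 proto=udp dport=53 action=allow
2024-03-02T10:15:02Z src=10.0.1.25 dst=192.0.2.80 proto=tcp dport=443 action=allow
2024-03-02T10:15:03Z src=10.0.1.77 dst=203.0.113.9 proto=udp dport=53 action=allow
2024-03-02T10:15:04Z src=10.0.1.77 dst=203.0.113.9 proto=udp dport=53 action=allow
2024-03-02T10:15:05Z src=10.0.1.88 dst=198.51.100.7 proto=tcp dport=853 action=allow
this line is malformed and must be skipped
2024-03-02T10:15:06Z src=10.0.1.25 dst=10.0.0.54 proto=tcp dport=53 action=allow
"""


def parse_line(line: str) -> dict | None:
    """Parse one 'timestamp key=value ...' record; return None if it is unusable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return {"ts": parts[0], "src": fields["src"], "dst": fields["dst"],
                "proto": fields["proto"], "dport": int(fields["dport"])}
    except (KeyError, ValueError):
        return None


def find_bypasses(log_text: str, approved: set[str] = APPROVED_RESOLVERS) -> dict:
    """Map each offending source host to {(resolver, kind): flow count}."""
    findings: dict[str, dict[tuple[str, str], int]] = defaultdict(lambda: defaultdict(int))
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["dport"] not in DNS_PORTS:
            continue  # not a DNS flow (or not parseable)
        if rec["dst"] in approved:
            continue  # resolver we operate and filter
        findings[rec["src"]][(rec["dst"], DNS_PORTS[rec["dport"]])] += 1
    return {src: dict(resolvers) for src, resolvers in findings.items()}


if __name__ == "__main__":
    for host, resolvers in find_bypasses(SAMPLE_LOG).items():
        for (dst, kind), count in resolvers.items():
            print(f"{host}: {count} {kind} flow(s) to unapproved resolver {dst}")
```

On a network where the firewall already redirects or drops outbound port 53 and 853 traffic, the same logic run over the deny log turns into a list of hosts whose DNS settings have been changed and need attention.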
PDNS with ESET NetProtect
The need to improve DNS security has led to the introduction of PDNS (Protective DNS) in some places – this abbreviation refers to DNS filtering. For example, starting in 2020, US Department of Defense contractors must be CMMC (Cybersecurity Maturity Model Certification) certified, which, among other requirements, places DNS filtering at Level 3 of its five levels. In addition, in late 2021, the U.S. Department of Defense launched CMMC 2.0, in which the DNS filtering requirement is still pending.
There are many vendors in the PDNS market offering DNS filtering with different levels of domain information feed quality and accompanying security services. ESET’s unique contribution lies in the threat data shared by millions of customers around the world who use ESET security products. With 35 years of experience in delivering IT security, as well as developing and fine-tuning in-house systems to deliver high quality domain feeds for DNS filtering, ESET can offer ISPs and home security administrators a distinctive source of protection.
Maybe you’re an ISP looking to compete for government contracts, or you want to protect your own network or provide security services to your customers. Or maybe you’re a regular user looking for security that’s better than what your ISP offers, and that can easily be extended to all users and guests on your home network. Whatever your case, learning about the filtering options for your DNS server and who you trust with DNS security is an important step in resisting the multitude of malicious domains proliferating on the Internet.
ESET NetProtect is a DNS filtering solution available for home users from ISPs that have partnered with ESET. The solution can detect and block domains that spread malware, are used for phishing, have a questionable reputation or offer potentially unwanted content. ESET NetProtect also offers customers a configurable 35-category web content filter that allows blocking content by age group. For more information on how ESET NetProtect interfaces with ISP services, please visit our product page.