Presentation by Suman Kumar Saha at APRICOT 2019 on Wednesday, 27 February 2019.

1. All Rights Reserved © 2019
Suman Kumar Saha
AmberIT Limited
suman@amberit.com.bd
Allan Watanabe
PIPELINE Security
www.pipelinesecurity.net

2. Safe Internet for ‘ALL’
Started brainstorming to find a suitable way to provide
a secure internet to all of our users:
Considerations: Easy implementation without deploying
any hardware or without any change in CPE devices.
Possible ways:
• Router ACLs
• Web proxy filter
• Content-aware firewall
• DNS Response Policy Zone (RPZ)

3. DNS Response Policy Zone
● Over 91% percent malware uses DNS(As Cisco 2016
Annual Cyber security report)
● Nearly all the cryptominer stuffs uses DNS based C&C(As
Cisco 2016 Annual Cyber security report)
● RPZ allows a recursive server to control the behavior of
responses to queries.
● Administrator to overlay custom information on
top of the global DNS to provide alternate responses to
queries.
● RPZ data is supplied as a DNS zone, and can be
loaded from a file or retrieved over the network by AXFR/IXFR.
● It works like firewall on cloud.
● DNS RPZ will block DNS resolution, machines connecting to the
C&C via IP address will not be blocked.

4. DNS Response Policy Zone(RPZ)
● “DNS Firewall gives you the most bang for your buck” -Paul Vixie
● Reputation data is packaged into Response Policy Zones (RPZs)
● RPZ include both the filter criteria, and a response policy action
● BIND evaluates whether its response matches a filter in
the RPZ and applies the policy specified
● RFC: https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00

5. Core DNS Principles
Master/
Primary
DNS
Slave/
Secondary
DNS
Caching
Resolver
DNS
.org
bdnog.org
www.bdnog.org
AXFR
TSIG
IXFR
TSIG
AXFR - Full Zone Transfers
IXFR - Incremental Zone Transfers
TSIG - Transaction SIGnature
used to secure the AXFR/IXFR
What is the IP for
www.bdnog.org?
Who is in charge of
www.bdnog.org?
www.bdnog.org is 202.4.96.213
.root

6. .org
bdnog.o rg
.root
DNS RPZ
Master DNS
RPZ Feed
AXF
R
IXFR
What is the IP for
www.bdnog.org?
Who is in charge of bdnog.org?
www.bdnog.org
www.bdnog.org is 202.4.96.213
RPZ
Caching
Resolver
DNS
* RPZ capability on the
DNS Cashing Resolver
allows zone transfers to
be pushed out in seconds.
Security Company

7. DNS RPZ in Action
Master DNS
RPZ Feed
RPZ
Caching
Resolver
DNS
AXFR
IXFR
What is the IP for
badguys.com?
badguys.com
To find the
bad guysSecurity Company
What is the IP for
badguys.com?
SPAM
Computer
looks up
Xyzbadness
. com

8. How is DNS RPZ Different?
Master DNS
RPZ Feed
RPZ
Caching
Resolver
DNS
AXFR
IXFR
Security Company
DNS
RBL
Some RBL User
Update zone
files
Query Every
time

9. How is DNS RPZ Different?
• DNS RPZ allows for multiple feeds.
• Allows for industry incident feeds.
• Allows for local incident management
feeds.
Resolver DNS
RPZ Zone Files
RPZ Feed
Malware
RPZ Feed
C&C Hosts
OPSEC
InfoSec

10. Components of the Criminal Cloud
● Spam Botnet
● Command & Control
● Drive-by Domains
● Malware
● Secondary Malware
● Proxy
● Payment Processors
● Mule Operations
● Packer
● TLD Domain
● Name Servers
Mirai
Avalanche
Blackhole
Zeus
Cryptojackers
Passwords
Ransomware
Malware
Rootkit
Call home

11. Malicious Redirects
E-commerce / Payments
Security Updates
Legitimate Abused
antvirus.updates.com

12. Scanning, Worming, & Spreading
Bot Herder
Email
SMS
SNS
Vulnerable
Malicious
Infected
Devices
DNS
C&C Botnet
Step 1
Step 2
Step 3

13. We can see the bot
herders traffic.
Domains are known to be malicious!
&
/
DNS

14. DNS RPZ would have stopped this attack!
With RPZ you can detect, alert,
block, and protect users.
&
/
DNS
rpz NSDNAME NXDOMAIN rewrite ns1.apple.com
rpz QNAME NXDOMAIN rewrite botnet.com
rpz QNAME NXDOMAIN rewrite malciousdomain.com

15. Real Sample today

16. Possible Uses Examples
• Enterprise : Detect and stop malicious activities.
• ISP : Investigate infected customer hosts.
• SOC : Alert SOC team about malicious access
• OEM : Protect IoT devices
• ALL : Detect and sanitize your networks

17. RPZ supported DNS Applications
RPZ is native in several of the industry’s leading DNS platforms,
including:
● BIND V9.8 (or greater)
● Power DNS recursor
Numerous appliance vendors have enabled RPZ as well, including:
● Infoblox
● Efficient IP
● Bluecoat
and many more

18. RPZ Rule
Let’s we want to rewrite any DNS queries for a
specific hostname, but allow lookups to the domain
and other hosts in that domain:
host.filter.com IN CNAME .
This result in an NXDOMAIN (Non existence) response
for a query for “host.filter.com”

19. Response Policy Triggers
The rules in a Response Policy Zone consist of triggers or
filters that identify what responses to modify, and policy
actions to apply to these responses. Each rule can use one of
five policy triggers and specify one of eight policy actions.
QNAME RPZ-IP RPZ-NSDNAME
RPZ-CLIENT-IPRPZ-NSIP

20. Response Policy Actions
GIVEN
CNAME
TCP-ONLY
DROP
PASSTHROUGH
NXDOMAIN
DISABLED
NODATA
Is the default action and define no overrides
Name exists but there are no records of the requested
type
To redirect the user with a CNAME to a walled garden.
Forces the resolver to use TCP for the query.
Drop the query without any response to the client.
Exempt the response from further policy processing.
Domain does not exist.Most common policy used.
All Policy Actions for this zone are disabled but all items are logged

21. RPZ Logging
Since we’re running RPZ, we definitely want to log
any RPZ rewrites. To do that, we need to set up two
things under the “logging” header.
channel rpzlog {
file "rpz.log" versions unlimited size 1000m; print-time yes;
print-category yes;
print-severity yes;
severity info; };
category rpz { rpzlog;
};

22. Before Implementation
● At first implement on logging mode for at least for a
week
● Restricted RPZ recursive server to use within the
ACL
● Restricted users from using other recursive resolver
servers
● Redirected DNS traffic to DNA RPZ recursive
resolver (That’s important to bring users in safety
net)

23. RPZ Feed Providers
● Spamhaus
● Deteque
● PIPELINE Security
● Farsight security
● SURBL
● Threat Stop

24. DNS Firewall: Implementation Case Study in an ISP
● Implemented RPZ in Amber IT that is one of the Major ISP in Bangladesh.
● Using RPZ feed from Spamhaus Deteque through Pipeline Security ,Japan.
● Used with BIND 9.11.3 Extended Support Version(ESV).
● Also tested with Powerdns recursor.
● Redirected all DNS recursive request from PoP routers to DNS RPZ enabled
recursive name server to avoid adding new DNS server on every CPE.
● Added forwarder in current recursive DNS and forwarded all the recursive
request to RPZ enabled name server.
● Used as RPZ passthrough

25. Resources used for the implementation
And one System Admin to cook those things
One server for Bind LXD Container with Ubuntu 18.04
vCPU:8 cores,Memory : 8GB,Storage:100GB
Second server ELK stack for
data visualization.
LXD Container with Ubuntu 18.04
vCPU:4 cores,Memory : 4GB,Storage:100GB
RPZ zones Data feed from
RPZ feed provider
Any feed provider you can test free for one
month .We have used from
Spamhaus/deteque.

26. Simple Installation:Bind
Required time : Not more than 60 minutes
From Bind 9.8 Bind is compatible and comes with RPZ support.
For this case we have used ubuntu 18.04LTS.
Installed bind with apt and no special patches needed for RPZ.

27. Simple Installation:Adding RPZ zones
Following RPZ zones were added at the end of the /etc/bind/named.conf.options using the response-
policy.Bind currently has a 32 zone limit
response-policy {
zone "rpz.local";
### 11 Standard Feeds
zone "adware.host.dtq" policy passthru;
zone "badrep.host.dtq" policy passthru;
zone "bad-nameservers.ip.dtq" policy passthru ;
zone "bad-nameservers.host.dtq" policy passthru;
zone "bogons.ip.dtq";
zone "botnetcc.host.dtq";
zone "botnet.host.dtq" policy passthru;
zone "botnetcc.ip.dtq" policy passthru;
zone "dga.host.dtq" policy passthru;
zone "malware.host.dtq";
zone "phish.host.dtq" policy passthru;
### Edited Feeds
zone "adware.edit.host.dtq";
zone "badrep.edit.host.dtq";
zone "botnetcc.edit.host.dtq";
zone "botnet.edit.host.dtq";
zone "malware.edit.host.dtq";
zone "phish.edit.host.dtq";
### Premium Feeds
zone "zrd.host.dtq";
### Free Feeds
zone "drop.ips.dtq" policy passthru;
### Service Feeds
zone "coinblock.srv";
zone "torblock.srv" policy passthru;
};

28. Simple Installation:Get RPZ data from provider
RPZ zones will be downloaded from feed provided as a slave
zone.
zone "malware.edit.host.dtq" {
type slave;
file "dbx.malware.edit.host.dtq";
masters {199.168.xx.xx;199.168.xx.xx;199.168.xx.xx; };
allow-transfer { none; };
};

29. Simple Installation:RPZ Incident Log
Since we’re running RPZ, we definitely want to log any RPZ rewrites. To do
that, we need to set up two things under the “logging” header.
Add the RPZ log in /etc/bind/named.conf
logging {
channel null {
null; };
channel bindlog {
file "bind.log";
print-time yes;
print-category yes;
print-severity yes;
severity info;
};

30. Bind Installation:Generating Log
channel rpzlog {
file "rpz.log" versions unlimited size 1000m; print-time yes;
print-category yes; print-severity yes;
severity info;};
category config { bindlog; };category xfer-in { bindlog; };category xfer-
out { bindlog; }; category network { bindlog; };category update {
bindlog; };category update-security { bindlog; }; category
delegation-only { bindlog; };
category rpz { rpzlog; };
};

31. RPZ Logs
RPZ log take logs the queries to RPZ zones.
● The threat source IP
● destination of the for threat
● Categorization of the threat
27-Feb-2019 03:21:15.920 rpz: info: client @0x7f87f4094f60
118.179.89.xxx#60543 (qpxrg.com): rpz QNAME NXDOMAIN rewrite
qpxrg.com via qpxrg.com.malware.host.dtq

32. Whitelisting
● rpz.local placed in top among the RPZ zones for custom
configuration in bind.
● On any false positive or on any issue we can whitelist a
domain or IP or client IP if require.
Some source/domains/IP whitelisted on user requirement :
32.xx.19x.179.118.rpz-ip IN CNAME rpz-passthru.
32.xx.19x.179.118.rpz-client-ip IN CNAME rpz-passthru.
32.xx.19x.179.118.rpz-nsip IN CNAME rpz-passthru.
binance.com CNAME rpz-passthru.
*.binance.com CNAME rpz-passthru.
cryptonator.com CNAME rpz-passthru.
*.cryptonator.com CNAME rpz-passthru.

33. Monitoring Incidents with The ELK stack
The ELK stack is a collection of three open source tools -
Elasticsearch + Logstash + Kibana

34. Monitoring Incidents with ELK stack
● Logs: Server logs that need to be analyzed are identified
● Logstash: Collect logs and events data. It even parses and
transforms data
● ElasticSearch: The transformed data from Logstash is Store,
Search, and indexed.
● Kibana: Kibana uses Elasticsearch DB to Explore, Visualize, and
Share
● Beats: Use to transport logs to the ELK stack

35. Day 1 - Over 1.3M Queries to RPZ Zones

36. Day 1 - Top 5 Results

37. RPZ logs from Various Nodes

38. Top Categories of threats

39. Top Catagories of threats

40. Top threats by Hostname

41. hosted by DNS of a malicious domain (coppersurfer.tk)
0--0.ml
0-00.ml
0-21.tk
000-daviotek.tk
000-default.tk
000000.ga
0002.tk
000web.tk
0010.ga
00gg.tk
00up.cf
0101.tk
0111.gq
022gay.com
028video.gq
02reg.tk
03essay.cf
0443622812.ga
05291123.tk
0599.tk
0815netz.tk
0900alternatieven.co
m
091617.cf
0ang3el.ml
0jav.cf
0jav.ga
0network.tk
0nlyyou.tk

42. Vulnerable Nodes with potential treats

43. Deep Dive in a incident:pubyun.com
pubyun.com was one of the top destination from monitoring and DNS
RPZ filtered the traffic.
A news from 2012 .But still it is active in the live network.
https://www.techinasia.com/microsoft-lawsuit-chinese-malware
It is also in the Sophos malaware analysis
https://www.sophos.com/en-us/threat-
center/threat-analyses/viruses-and-
spyware/Troj~MSIL-DXC/detailed-analysis.aspx

44. Deep dive in a incident:pubyun.com
https://www.joesandbox.com/analysis/37219/0/executive
Pubyun.com actually a hosting provider before that they operated as 3322.org
that hosted many malwares ,cryptomiers and used for malicious activities.Here is
a sample of malware that used pubyun.com.

45. Top malware destinations from infected nodes

46. RPZ Incident monitoring dashboard with Kibana

47. Resources
https://www.slideshare.net/BarryRGreene/binds-new-
security-feature-dnsrpz-the-quotdns-firewallquot
https://www.deteque.com/app/uploads/2018/04/Spamhau
s-DNS-RPZ-DROP-Setup-v.2.pdf
https://www.netcon-consulting.com

48. All Rights Reserved © 2019
Suman Kumar Saha
AmberIT Limited
suman@amberit.com.bd
Allan Watanabe
PIPELINE Security
www.pipelinesecurity.jp
THANK YOU!