John Leyden 06 Aug 2020 at 16:07 UTC
Updated: 06 Aug 2020 at 16:08 UTC
Introducing ioc2rpz – Where Threat Intelligence Meets DNS
Security researchers have developed a tool that helps turn DNS resolution into a layer of network defense.
DNS (Domain Name System) is the service that converts human-readable names into IP addresses, which makes it a core network protocol that almost every connection depends on.
But there is also a dark side to the technology. Malware strains use DNS for command and control, data exfiltration and infiltration, and other nefarious purposes.
It is estimated that 80% of malware uses DNS, which makes the protocol a great vantage point for gaining visibility into all activity on a network, and a control plane for applying protection.
A response policy zone (RPZ), or DNS firewall, is a technology that allows system administrators to enforce security policies in DNS. The problem is that commercial DNS firewall providers rarely allow users to generate their own feeds, while cloud-only DNS service providers do not provide feeds for on-premises DNS.
Infoblox security researchers have developed a utility, dubbed ioc2rpz, that creates an efficient pipeline for building and distributing such feeds.
ioc2rpz is a DNS server that automatically creates, maintains and distributes DNS firewall feeds. The service can extract threat intelligence from various sources, generate DNS firewall feeds from it, and distribute them to DNS servers.
These feeds can be served to any open source or commercial DNS server that supports RPZ, for example ISC BIND, PowerDNS, Infoblox, BlueCat and EfficientIP.
Vadim Pavlov, senior security product manager at Infoblox, described the benefits of ioc2rpz as a malware defense during an Arsenal session at the Black Hat conference yesterday (August 5).
A newly created community portal, ioc2rpz.net, allows potential users to try out several free DNS firewall feeds.
Pavlov told The Daily Swig: “You can turn your DNS into a layer of security and ioc2rpz can help you with that.”
A DNS firewall checks every incoming request to see if the queried name is listed as malicious (or otherwise prohibited) in the configured feeds or local zones. If there is a match, the request can be logged, blocked, or redirected to a sinkhole, among other actions.
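The trigger-and-action encoding described above, shown as a constructed RPZ zone file. This is an added example, not the page's or the ioc2rpz project's own output; the zone name rpz.example, the listed domain names and the 192.0.2.100 sinkhole address are placeholders. Each owner name is the queried name written relative to the zone origin (so `bad.example.com` here is really `bad.example.com.rpz.example.`), and the action is encoded in the record data: a CNAME to `.` returns NXDOMAIN, a CNAME to `*.` returns NODATA, `rpz-drop.` discards the query, `rpz-passthru.` exempts the name from the policy, and ordinary records are returned as the answer, which is how a sinkhole redirect is expressed.

```bind
; rpz.example.db  (constructed example RPZ zone for BIND 9 / any RPZ-capable resolver)
$TTL 300
$ORIGIN rpz.example.
@                        SOA   localhost. hostmaster.localhost. (
                               2020080601   ; serial: bump it on every feed update
                               3600         ; refresh
                               600          ; retry
                               86400        ; expire
                               300 )        ; negative-cache TTL
@                        NS    localhost.

; --- QNAME triggers: owner = queried name, data = action ---
bad.example.com          CNAME .                ; NXDOMAIN
*.bad.example.com        CNAME .                ; NXDOMAIN for every subdomain as well
update.bad.example.com   CNAME rpz-passthru.    ; exception carved out of the tree above
tracker.example.net      CNAME *.               ; NODATA: name exists, no records of that type
c2.example.org           CNAME rpz-drop.        ; drop the query, client gets no answer at all
*.c2.example.org         CNAME rpz-drop.
phish.example.com        A     192.0.2.100      ; redirect to a sinkhole host (local data)
```

Two details worth remembering when generating a feed: a wildcard entry does not match the bare name it hangs off (`*.bad.example.com` does not cover `bad.example.com`), so blocked domains need both rows; and an exact-name rule takes precedence over a wildcard rule matching the same name, so the `rpz-passthru.` row above really does exempt `update.bad.example.com`. Run `named-checkzone rpz.example rpz.example.db` before publishing.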
Pavlov said: “ioc2rpz is a DNS server that can pull TI [threat intelligence] from various sources (local or remote) and deliver it to your DNS server in the most efficient way (via zone transfer).”
“DNS can easily handle millions of rules with no performance impact and can help offload your next-generation firewalls and SWGs [Secure Web Gateways/Proxy],” he added.
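How a BIND 9 resolver would consume such a feed over zone transfer, as an added configuration example that is not from the page or the ioc2rpz project. The feed server address 192.0.2.10, the TSIG key name rpz-xfer and the zone name rpz.example are placeholders; the secret must be a real base64 value shared with whatever serves the zone.

```bind
// /etc/named.conf fragment (BIND 9.16+ syntax; older releases spell it "type slave" / "masters").
// Constructed example: 192.0.2.10 stands in for the server that publishes the RPZ feed.

// Sign transfers so a spoofed primary cannot push an empty or malicious policy zone.
key "rpz-xfer" {
    algorithm hmac-sha256;
    secret "<base64 secret shared with the feed server>";
};

options {
    recursion yes;
    // Consult the policy zone before answering clients. With several zones listed,
    // the first zone that has a matching rule wins.
    response-policy {
        zone "rpz.example" policy given;   // "given": apply the action encoded in the zone
    } qname-wait-recurse no;               // act on a QNAME hit without recursing first
};

// Pull the feed as a secondary zone. A NOTIFY from the primary triggers an IXFR,
// so only the changed rules cross the wire when the feed is updated.
zone "rpz.example" {
    type secondary;
    primaries { 192.0.2.10 key "rpz-xfer"; };
    file "rpz.example.db";
    allow-query { none; };      // policy data is not something clients should look up
    allow-transfer { none; };   // and should not be re-served downstream
};
```

After `named-checkconf` and a reload, `dig @127.0.0.1 bad.example.com` should return NXDOMAIN for a name the feed blocks, and each hit is written to the `rpz` logging category, which is the signal worth forwarding to the SIEM. The `allow-query { none; }` line matters: without it, anyone able to query the resolver can enumerate the whole policy zone.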