Turn your network’s DNS into a Security Tool!
What do you do if the security tools are not protecting your network?
Cyber-criminals are constantly finding ways to bypass your security
tools and own your network. When the threat changes, you should grow
with the threat: think outside the box and use a tool that the criminals
have not yet considered, the DNS.
BIND, ISC’s Internet-critical open source DNS software, has a new
feature that can turn a DNS caching resolver into a tool to help
protect your network from malware. All the computers in your network
must contact your DNS resolvers to get to the outside world. That makes
your DNS resolvers a critical “choke-point” through which every device
in your network must pass, and a logical place to put security
capabilities that check whether a domain is "clean" or "dirty."
How can you have your DNS resolver check if a domain is clean or dirty? Use BIND’s new feature, the DNS Response Policy Zone (DNSRPZ).
DNSRPZ uses secure and fast zone transfer technologies to pull down a
blacklist of bad domains and load it into your DNS resolver.
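The resolver-side configuration this describes, as an added example that is not taken from ISC's material or the webinar. The zone name rpz.example.net, the address 192.0.2.53, the key name and the secret are constructed placeholders.

```conf
// named.conf fragment for a BIND caching resolver with RPZ support.
// Every name, address and key below is a constructed placeholder.

// TSIG key shared with the blacklist provider; it authenticates the
// zone transfer so the list cannot be spoofed or altered in transit.
key "rpz-transfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET-FROM-PROVIDER";
};

options {
    recursion yes;
    // Check every client query against this policy zone before answering.
    response-policy { zone "rpz.example.net"; };
};

// The policy zone is an ordinary secondary zone, kept current by
// standard zone transfer (AXFR/IXFR) from the provider's server.
zone "rpz.example.net" {
    type slave;                 // newer BIND releases also accept "secondary"
    masters { 192.0.2.53 key "rpz-transfer-key"; };
    file "rpz.example.net.db";
    allow-query { localhost; }; // clients never read the list directly
    allow-transfer { none; };   // do not redistribute the feed
};

// Records the provider publishes inside rpz.example.net, shown here as
// comments in zone-file syntax. The owner name is the "dirty" domain,
// relative to the policy zone; "CNAME ." makes the resolver answer
// NXDOMAIN instead of the real data.
//
//   malware.example.com      CNAME .
//   *.malware.example.com    CNAME .
```

Running `named-checkconf` on the edited file catches syntax errors before the resolver is reloaded.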
Who should watch this Webinar?
E-mail Administrators: Find out how DNSRPZ offers a more effective way to work with the anti-spam blacklist.
Network Operators: Learn how DNSRPZ can be used
inside your network to keep your users from being inadvertently
infected by malware, zero-days, and malvertisements.
Security Engineers: Discover how DNSRPZ is a tool to
help contain infections that get into your network and try to “call
home” to a botnet controller.
Hosting Providers: By default, most of your hosting
customers are using your DNS resolvers. Learn how DNSRPZ can help
prevent and contain the threat of your customers getting infected.
Service Providers: Learn how to turn your DNS services into a tool to help protect all your customers from infection.
Mobile Telecoms Operators: Find a new tool that
can prevent miscreant smartphone applications from calling home with
DNS and infecting your customers’ phones.
SCADA and Critical Industrial System Operators: Learn how DNSRPZ is a tool to help protect legacy control systems that need DNS to work.
Where to get information about DNSRPZ?
You can find more information, specifications, code, and
presentations on DNSRPZ. Click on any of the following links to get
Taking Back the DNS by Paul Vixie (ISC Blog)
Taking Back the DNS by Paul Vixie (see comments in the CircleID blog)
"DNSRPZ March 2011 Webinar" by Barry Greene - slides attached as DNSRPZ-2011-03-01-Webinar.pdf
"Response Policy Zones" by Paul Vixie - slides attached as TakingBackTheDNSrpz2.pdf
See also: Building DNS Firewalls with Response Policy Zones (RPZ)
This was presented on 12th Oct, 2011
© 2001-2016 Internet Systems Consortium