How ThreatSTOP on Microsoft Azure Works
The DNS Firewall
A DNS firewall is a specialized device that can modify the responses given by a name server. While the typical network firewall blocks or allows traffic between networks based on a set of potentially complex and detailed rules, a DNS firewall has one simple, yet powerful decision to make when responding to a DNS query: should I allow this request, or should I intervene and take action?
Why should a DNS response be modified?
There are several scenarios where malicious traffic could traverse a network firewall but be blocked by a DNS firewall:
- A user clicks on a link in an email and visits a phishing site.
- Undetected malware requests and receives commands from a botnet.
- A visit to an infected website launches a series of malicious scripts within a user’s browser.
- Malware within the network attempts to exfiltrate data to an outside network.
Imagine a scenario where a user clicks on a link in a phishing email to visit somethingevil.com. At a high level, the following happens:
- The user’s computer makes a request to its network DNS server for somethingevil.com.
- The DNS server provides a response in the form of an IP address.
- The browser session proceeds and an HTTP connection is made to the IP address reported by the DNS server.
A DNS firewall can block a malicious request by modifying the DNS response. By providing a “no data” response, the network disappears (it goes into stealth mode, in a sense), which protects the network. The modified response can be any of the following:
- The DNS firewall can provide an alternate, safe IP address or CNAME. In the phishing example, the browser could be directed to a web page that alerts the user to the danger averted. This is known as a “walled garden” response.
- The DNS firewall can reply with an NXDOMAIN, or “non-existent domain” response, as if the domain name requested doesn't exist.
- The DNS firewall can drop the request.
Or, if no threat is found or the policy allows, the DNS response can be returned as normal.
By logging and reporting on the requests denied or modified by a DNS firewall, a network administrator can also be alerted to potential problems within a network.
Block by domain name or IP address
A DNS firewall does more than just block requests for malicious domain names. Let’s say the DNS record for “usuallyagoodwebsite.com” was compromised and is suddenly resolving to an untrustworthy IP address. A DNS firewall will analyze not only the domain name requested but also the IP address about to be returned. If that IP address is malicious, the response will be intercepted as well.
The DNS firewall can even block a response based on the address of the authoritative name server. Say an entire name server is known to be poisoned: the DNS firewall can simply block any authoritative response from that name server.
The ThreatSTOP DNS Firewall service uses a feature introduced into BIND name servers called Response Policy Zone (RPZ). Using RPZ, DNS responses become fully customizable.
With ThreatSTOP, specialized RPZ policies can be created and assigned to as many DNS servers as needed. These policies are updated automatically (approximately every two hours) with the latest threats and transferred to your DNS Firewall using standard DNS protocols (and a TSIG key for security validation). RPZ logs from your DNS firewall are also analyzed and used to provide detailed reports on current threats, suspicious activity, and potential vulnerabilities.
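To make the RPZ decision concrete, here is an added example (not ThreatSTOP's or BIND's code) that parses a small constructed policy zone written in BIND RPZ syntax and evaluates a query the way the text describes: by the name requested, by the IP address in the answer, and by the name or address of the authoritative name server. The records, the domain names and the walled-garden host are all made-up sample data; the trigger precedence is modelled on BIND's documented order and the IP triggers are IPv4 only.

```python
import ipaddress
# Constructed RPZ records in BIND zone-file syntax (owners are relative to the policy zone origin).
RPZ_RECORDS = """
somethingevil.com                CNAME .                         ; NXDOMAIN
*.somethingevil.com              CNAME .                         ; ...and every subdomain
safe.somethingevil.com           CNAME rpz-passthru.             ; explicit allow, exact name beats wildcard
phish.example.org                CNAME walledgarden.example.com. ; walled garden redirect
c2.example.net                   CNAME rpz-drop.                 ; drop the query, send nothing
24.0.2.0.192.rpz-ip              CNAME *.                        ; answer in 192.0.2.0/24 -> NODATA
ns1.poisoned.example.rpz-nsdname CNAME .                         ; authoritative NS matched by name
32.9.100.51.198.rpz-nsip         CNAME .                         ; authoritative NS matched by address
"""
# Special CNAME targets defined by RPZ; any other target is local data (a redirect).
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA", "rpz-drop.": "DROP", "rpz-passthru.": "PASS"}
def parse_rpz(text):
    """Parse 'owner CNAME target' lines into (trigger, pattern, action) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()            # strip zone-file comments
        if len(parts) != 3 or parts[1].upper() != "CNAME":
            continue
        owner, target = parts[0].lower().rstrip("."), parts[2]
        trigger = "qname"
        for suffix in ("rpz-ip", "rpz-nsdname", "rpz-nsip"):
            if owner.endswith("." + suffix):
                trigger, owner = suffix, owner[: -len(suffix) - 1]
        rules.append((trigger, owner, ACTIONS.get(target, "CNAME " + target)))
    rules.sort(key=lambda r: r[1].startswith("*."))  # DNS semantics: exact name beats wildcard
    return rules

def _name_match(pattern, name):
    # "*.evil.com" covers subdomains only; the apex needs its own record
    return name.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == name

def _ip_match(pattern, ip):
    # rpz-ip/rpz-nsip owners encode "<prefixlen>.<reversed octets>": 24.0.2.0.192 = 192.0.2.0/24
    labels = pattern.split(".")
    net = ipaddress.ip_network(".".join(reversed(labels[1:])) + "/" + labels[0])
    return ipaddress.ip_address(ip) in net

def evaluate(rules, qname, answer_ip=None, ns_name=None, ns_ip=None):
    """Policy action for one query, or 'PASS'. Precedence as in BIND: QNAME, IP, NSDNAME, NSIP."""
    subject = {"qname": qname.lower().rstrip("."), "rpz-ip": answer_ip,
               "rpz-nsdname": (ns_name or "").lower().rstrip("."), "rpz-nsip": ns_ip}
    for trig in ("qname", "rpz-ip", "rpz-nsdname", "rpz-nsip"):
        match = _ip_match if trig.endswith("ip") else _name_match
        for trigger, pattern, action in rules:
            if trigger == trig and subject[trig] and match(pattern, subject[trig]):
                return action
    return "PASS"
```

A real deployment would log every non-PASS result, since those log lines are what the reporting described above is built from.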
Microsoft provides DNS servers for Azure that help to secure your network. ThreatSTOP reinforces your protection by automating the delivery of real-time threat intelligence to your DNS servers for enforcement. By setting up one or more private DNS servers using the ThreatSTOP service, an Azure cloud installation can be protected from known malicious DNS requests, adding a vital layer of protection to Azure's existing security measures. ThreatSTOP recommends using a standard Azure Ubuntu virtual machine running BIND and configured for ThreatSTOP.