Right now, scores of people around the world are registering new Internet domain names. Some of them will use a service to provide a mailbox and website for them, others are registering in bulk, and a select few are registering domain names for nefarious purposes. The bad actors hope that they’ll be able to sneak into your network, often with stolen credit card numbers and false WHOIS data, and deliver or serve spam or malware before reputation services and DNSBLs catch up with them.
Here at Farsight Security, we’ve found that refusing traffic from new domains for a brief time is a very effective tool for protecting your network. The vast majority of legitimate registrants have no need to deliver email or serve web pages in the minutes immediately after purchasing a domain name. Bad actors, on the other hand, depend on exactly that window: the first few minutes after purchase, before their credit card is declined or their WHOIS data is flagged as bogus. Farsight has consistently found that when a network blocks the newest of the new for a short time, little of value is lost and much is gained in security.
To that end, Farsight provides a service called Newly Observed Domains (NOD). When we say a domain is “new”, we mean that Farsight’s passive DNS sensor network has not seen the domain resolve at any point since our collection began in June 2010, and that the domain has not previously appeared in any zone file we obtained through zone file access (ZFA) programs. Because the sensors report continuously, NOD typically surfaces a new domain within a minute of its first appearance in the global DNS. Zone files, by comparison, are usually published and downloaded only once every 24 hours.
We have distributed NOD to organizations via the RBL DNS Daemon (rbldnsd) and as part of our Security Information Exchange (SIE) on channel 212. Now we are also offering NOD as a Response Policy Zone (RPZ). RPZ is a policy mechanism implemented in your recursive resolver and is best described as a DNS firewall; resolvers that support it include BIND 9, BlueCat DNS, and Infoblox DNS Firewall. The big advantage of RPZ over rbldnsd is where the policy is enforced. With rbldnsd, each consuming application (typically a mail server) has to look up the list itself; with RPZ, the recursive resolver applies the policy to every lookup made by every client that resolves through it, and the rules can trigger on the queried hostname or domain, on an IP address in the response, or on the nameserver that serves the domain. This makes it straightforward to stop hosts on your network from reaching whatever you choose. With NOD RPZ in particular, you can automatically block newly observed domain names for a period you choose, measured from the time Farsight first observed the domain; Farsight offers pre-configured thresholds from five minutes to 24 hours. We do not recommend blocking new domains for longer than 24 hours: doing so starts to interfere with legitimate traffic, and 24 hours is plenty of time for DNSBLs and reputation services to catch any bad behavior.
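As an added illustration (this is not Farsight documentation or a configuration shipped with NOD), here is how a BIND 9 resolver consumes an RPZ feed of this kind. The zone name nod.rpz.example, the transfer source 192.0.2.10, the local allow-list zone, and the TSIG key are placeholders; the real zone name, server, and credentials come from Farsight when you subscribe.

```conf
// Added example: BIND 9 named.conf fragments for consuming an RPZ feed
// such as NOD. Zone names, server address and key are placeholders,
// not Farsight's actual values.

// TSIG key used to authenticate the zone transfer (hypothetical secret).
key "nod-rpz-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-THE-BASE64-SECRET-FROM-YOUR-PROVIDER";
};

// Local allow-list, consulted first. Your own domains and partners go
// here so a broader policy zone listed later can never catch them.
zone "local-allow.rpz" {
    type master;
    file "rpz/local-allow.rpz.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

// The NOD RPZ itself, pulled by AXFR/IXFR from the provider. Changes
// arrive via NOTIFY and IXFR, which is what keeps a "newest of the new"
// list fresh; a daily zone-file download would be far too slow here.
zone "nod.rpz.example" {
    type slave;
    masters { 192.0.2.10 key "nod-rpz-key"; };
    file "rpz/nod.rpz.example.db";
    allow-query { localhost; };
    allow-transfer { none; };
};

options {
    // ... your existing recursive-resolver options ...
    recursion yes;

    // Policy zones are consulted in the order listed and the first
    // matching rule wins, so the allow-list must precede the feed.
    // recursive-only: apply policy to recursive answers, not to zones
    // this server is itself authoritative for.
    // break-dnssec no (the default): queries that set the DO bit are
    // not rewritten, since a rewrite would fail DNSSEC validation.
    response-policy {
        zone "local-allow.rpz";
        zone "nod.rpz.example" policy given;
    } recursive-only yes break-dnssec no;
};

// For reference, records inside an RPZ zone are ordinary DNS data,
// with owner names written relative to the policy zone's origin:
//     newly-seen.example     CNAME .              ; answer NXDOMAIN
//     *.newly-seen.example   CNAME .              ; ... and for subdomains
// blocks a domain, while an allow-list entry uses
//     mycompany.example      CNAME rpz-passthru.  ; never rewrite this name
```

After `rndc reload`, a lookup of a just-registered name through this resolver (`dig @127.0.0.1 newly-seen.example`) should return NXDOMAIN while the same name still resolves through an unfiltered resolver, and BIND's `rpz` logging category records each rewrite so you can watch what the feed is catching before committing to a longer threshold.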
If NOD RPZ sounds like a fit for your organization or you would like more information, please contact Farsight Security Sales at email@example.com or +1-650-489-7919.
Kelly Molloy is a Senior Program Manager for Farsight Security, Inc.