Domain Name Service
Accessing resources across the internet is done through the use of IP addresses. When trying to access your email, Google for searching, or your favorite social media outlet, you are making a connection to their IP address. The Domain Name Service (DNS) converts a name to an IP address, allowing you to easily remember your favorite website. For instance, DNS will convert www.amazon.com to 126.96.36.199. Which one would you like to remember?
Malicious actors rely on DNS too. From malvertising, botnets, ransomware, phishing, or websites laced with viruses, cybercriminals use DNS to lure unsuspected users to their servers. Once that user accesses a server that contains something malicious and inadvertently downloads it, the computer then becomes infected. Large to small organizations spend hundreds, if not thousands of dollars every year to protect themselves against these types of attacks. Response Policy Zones are one way of being able to set up a similar service and can be done for free!
Response Policy Zone
Probably the best unknown feature of BIND is its use of Response Policy Zones (RPZ). RPZ’s allow an administrator to re-write a DNS query and send it back to the user. In the example above, when a user goes to access Amazon, DNS converts a name to a number. Once the web browser knows that number, it then reaches out to the server to access its resources. What if we were to manipulate that number, or make it where Amazon did not exist to our users?
This is where the functionality of RPZ’s come in. By configuring BIND to receive a DNS recursive lookup and manipulate the response back to the user, you can effectively stop users from accessing malicious sites.
Let us look at the recent privacy and security concerns related to Zoom. Due to its popularity and ease of use, the Zoom video conferencing service has now become a front runner. Not only has Zoombombing, where an uninvited user gains access to your video sharing stream, become a headache for the service but so has phishing websites. Recently, URL’s listed as zoompanel.com and zoomdirect.com.au have sprung up. These websites are used to phish a users Zoom credentials. We can use RPZ’s to block company personnel or home users from accessing those websites which mitigates the phishing attack.
How Do RPZ’s Work?
When configured properly, a BIND RPZ zone file will return a different IP address than the one that is published out on the internet. The following will return a valid IP address for zoomdirect.com.au.
nslookup zoomdirect.com.au 188.8.131.52 Server: 184.108.40.206 Address: 220.127.116.11#53 Non-authoritative answer: Name: zoomdirect.com.au Address: 18.104.22.168
The query responded with the true IP address of 22.214.171.124.
What does a RPZ response look like?
nslookup zoomdirect.com.au ns1.svarthal.net Server: ns1.svarthal.net Address: 126.96.36.199#53 ** server can't find zoomdirect.com.au: NXDOMAIN
From the example above, the response has changed from 188.8.131.52 to NXDOMAIN. This means that the response came back with nothing effectively making the phishing server non-existent.