Go here for the entire series of posts.

Let's face it, ransomware is not going away. It's simply too damn profitable for the criminals and too damn easy for them to perpetrate. When a highly publicized incident happens (last week it was Colonial Pipeline) you'll see a whole host of articles in the press (IT and otherwise) listing a series of steps that organizations can take to prevent it. Platitudes such as "zero trust", "AI", and other meaningless suggestions make their way out. Rarely do these articles have anything in the way of useful and actionable tools and techniques you can utilize to prevent this type of attack.


For the past 6 months I've been giving presentations on ransomware prevention (trust me, you want to prevent... recovery is a lot harder and will eventually be covered in this series). I have decided as a public service to break out this private presentation into a series of blog posts to give enterprise IT professionals the tools and techniques to help prevent their organization becoming the next Colonial Pipeline. You don't need to be a CISSP to protect your network, nor do you need to pay a big 5 consultancy firm a lot of money to protect your network. You can do it. Just no one has shown you how. Until now.


I don't yet know how many articles will make up this series (it could be 6, it could be 9) but this is the first. The plan is to cover vulnerability analysis, patching, GPO tricks, email security and backup and recovery. This being the first, it covers the easiest thing organizations can do to protect themselves: add protection at the DNS layer.


At its heart, DNS filtering is having your DNS forwarders/resolvers use a service that will prevent known malicious DNS entries from resolving, thus preventing users and services from locating the malicious site hosting whatever is about to ruin your day.


The most basic implementation of this is to simply point your Active Directory and edge firewall DNS settings (or even your home router) to one of the free services that provide this type of protection. At the other end of the spectrum are paid services that will allow filter categories, reporting, and filtering of off-LAN devices. Off-LAN devices are the Achilles heel of the free services.


This is not an exhaustive list of services, so if I've missed a good one add a comment.


The free DNS filtering services


Again, there is no mobile filtering for these services, and you need to be behind a router or AD DNS for these to work. For malicious only, I'd start with Quad9. If you need adult or family friendly filtering, CleanBrowsing will be your jam.


CleanBrowsing has free services that will also block "adult content" and force safe search. It also does malicious filtering. This is very good for public access Wi-Fi where you need to block adult sites.

Quad9, malicious filtering with a good dose of privacy. Recommended by MS-ISAC.

OpenDNS, bought by Cisco and now part of Cisco Umbrella but the free servers have remained online. This service will filter out malicious sites.

The paid DNS filtering services


Paid services will add a whole lot of features and usually the ability to also filter off-LAN devices such as laptops (essential in these COVID WFH times). These are fully fledged filters that will allow for reporting and customization, and some also offer on-prem proxies. In some circumstances these can even replace your on-prem web filters, but I'm not sure I would recommend that wholeheartedly, as most "appliance" web filters can also do ATP on attachment downloading, etc., and DNS filtering only works when the malware uses a hostname (in a URL, for example) for the command and control infrastructure it's communicating with. If it's communicating directly to an IP address, well, you are out of luck.


Webtitan, by far the best value I've come across. Not the best reporting web interface, but the price will make up for that.

DNSFilter, very nice interface.

CleanBrowsing, the paid version of their free offering. No mobile client which is a shame.

Cisco Umbrella. It's Cisco, so expect it to be more expensive than the competition. Usually part of the larger system you will implement. Getting a price is not fun either. Essentially the paid version of OpenDNS.
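The direct-to-IP gap described in this section is something you can at least watch for. The following is an added example, not code from the original post: it cross-checks a DNS answer log against an outbound connection log and lists connections to external IPs that the client never recently resolved. The log formats, the one-hour window and the use of Quad9 as the upstream resolver are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs; the line formats are assumptions for this example.
DNS_LOG = """\
2021-05-16T11:50:01 10.0.0.21 updates.example.com 203.0.113.10,203.0.113.11
2021-05-16T11:50:05 10.0.0.22 portal.example.net 198.51.100.7
"""
CONN_LOG = """\
2021-05-16T11:50:03 10.0.0.21 203.0.113.10 443
2021-05-16T11:51:40 10.0.0.22 198.51.100.99 8443
2021-05-16T11:52:10 10.0.0.22 10.0.0.5 445
2021-05-16T11:53:00 10.0.0.21 9.9.9.9 53
2021-05-16T13:30:00 10.0.0.21 203.0.113.11 443
"""
RESOLVERS = {"9.9.9.9", "149.112.112.112"}  # assumed upstream: Quad9
LAN = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(hours=1)  # assumed: how long a DNS answer stays usable


def parse_dns(text):
    """Map (client, answered IP) -> times that answer was handed out."""
    seen = {}
    for line in text.splitlines():
        ts, client, _qname, ips = line.split()
        for ip in ips.split(","):
            seen.setdefault((client, ip), []).append(datetime.fromisoformat(ts))
    return seen


def direct_ip_connections(dns_text, conn_text, window=WINDOW):
    """Return connections to external IPs the client never recently resolved."""
    seen, flagged = parse_dns(dns_text), []
    for line in conn_text.splitlines():
        ts, client, dst, port = line.split()
        addr, when = ip_address(dst), datetime.fromisoformat(ts)
        if dst in RESOLVERS or any(addr in net for net in LAN):
            continue  # approved resolvers and LAN traffic are expected
        lookups = seen.get((client, dst), [])
        if not any(timedelta(0) <= when - t <= window for t in lookups):
            flagged.append((ts, client, dst, int(port)))
    return flagged


if __name__ == "__main__":
    for ts, client, dst, port in direct_ip_connections(DNS_LOG, CONN_LOG):
        print(f"{ts} {client} -> {dst}:{port} had no preceding DNS answer")
```

Hits are leads to investigate rather than verdicts, since some legitimate software connects to hard-coded IPs; the value is in seeing which hosts talk to destinations the DNS filter never had a chance to evaluate.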

Conclusion


Adding even the free filters as your upstream DNS resolvers will give you a layer of protection you may never have had or even considered. This is important as enterprise IT security is like the skin of an onion. Layered and deep.


If you need to DNS filter mobile devices such as laptops, then you will need to look at a paid service, as setting a laptop's forwarder to a free service will play havoc when it returns to the office and cannot resolve local LAN DNS addresses.
Darren Duke   |   May 16 2021 11:50:14 AM   |    security  ransomware    |  

Discussion for this entry is now closed.

Comments (5)

1 - Eric Mack       05/17/2021 4:35:40 PM

Hi Darren, What are your thoughts on in-house solutions like Pi-hole for DNS Filtering? I realize these were intended for blocking marketing, but would their blacklists also serve some of the purpose of OpenDNS? Or, if we pointed Pi-hole to an OpenDNS site?

2 - Darren Duke       05/18/2021 4:51:12 AM

You are correct Eric, Pi-hole is a bit of a different use case. But yes, your suggestion to have your Pi-hole DNS resolve upstream to OpenDNS (or quad9) would work. You get the best of both worlds that way.

3 - Eric Mack       05/18/2021 12:01:30 PM

I also see many recommendations to use Unbound for DNS with Pi-Hole so that queries go direct and not through any provider. In light of your article on DNS filtering, can you help me understand where a solution like Unbound fits in, if at all? Thanks, all the best.

4 - Darren Duke       05/19/2021 1:39:23 AM

Unbound (AFAIK) is simply a DNS resolver. Albeit with a healthy dose of privacy and the latest bells and whistles (DNS over HTTPS, etc). But it is only a resolver, like the resolvers your ISP or Google or CloudFlare have. There is no filtering at all for malicious sites using any of these. And there is the key difference. CloudFlare (1.1.1.1) may tout itself as the fastest DNS resolver, but it would still happily resolve any DNS request, ransomware command and control servers, or otherwise.

5 - Eric Mack       05/19/2021 11:22:07 AM

Thanks, Darren, for your thoughtful explanation (and blog post). Makes sense to me now. Much appreciated!