DNS Sinkholing at Scale with Infoblox
by Michael Katz, Infoblox Professional Security Sales Specialist
DNS sinkholing is a very effective strategy for controlling access to network resources. Infoblox builds DNS sinkholes with Infoblox DNS Firewall, also known as Response Policy Zones (RPZ). According to Infoblox documentation, a DNS RPZ enables you to “define RPZ rules to block DNS resolution for malicious or unauthorized hostnames, or redirect clients to a walled garden by substituting responses.” In ordinary terms, with DNS sinkholing (aka DNS Firewall and RPZ), a name query for a known malware site, an administratively banned site or a prohibited web category is blocked before a web connection is ever established. Here's an excellent paper from SANS for anyone interested in a deeper dive into the use case for DNS sinkholes.
DNS is well suited to controlling network access. Since DNS operates in real time and spans every type of operational environment, it's an ideal tool for implementing real-time network access policy. There are many applications for DNS sinkholes, such as malware detection and mitigation, web content control, blocking connections to countries that are sanctioned or unnecessary to your business, DDoS mitigation and more. However, the most common DNS sinkholing application Infoblox sees in the market is malware detection and mitigation, especially in the healthcare and health insurance markets.
DNS is the first line of defense for cyber threat intel since it can block IP addresses, domain names and host names, so it's important to take advantage of DNS capabilities for actioning threat intelligence. Infoblox DNS supports over 40 million Indicators of Compromise (IOCs) in real time with no service degradation. Considering that most firewalls can't handle more than 100,000 IOCs in real time, it makes a lot more sense to use Infoblox DNS for DNS sinkholing than a firewall. Furthermore, firewalls operate at the network perimeter, whereas Infoblox DNS sinkholing applies to internal east-west traffic as well as north (outbound) and south (inbound) traffic. What's more, Infoblox DNS sinkholing can be applied to mobile users and remote branches with limited technology footprints.
DNS sinkholing can be dangerous, since a single bad IOC can have a big service impact across the enterprise. That's why Infoblox creates purpose-built intelligence for DNS that will not block known GOOD sites. Infoblox threat intelligence focuses on the throwaway domains that malware generates for command and control with Domain Generation Algorithms (DGAs), known botnets, ransomware, command and control, malware infrastructure and other intel that can be summarized as an IP address, host name or domain name. All Infoblox intel is run through correlation and scoring engines to guard against false positives. You can read more about DGAs and other threats in this excellent white paper on DNS security threats. Infoblox can work with your private intel or threat intelligence from your favorite intelligence provider or threat intel platform.
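To make the two mechanisms above concrete, here is an added example, written for this post and not Infoblox or BIND code. It parses a small RPZ-style zone (constructed inline, in BIND RPZ syntax, with rule owner names written relative to the policy zone apex) and evaluates query names the way an RPZ resolver does: an exact QNAME rule first, then the nearest wildcard ancestor, with CNAME targets encoding the action (`.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.` for an exception, any other name for a walled-garden redirect, or an A record as local data). It also shows the false-positive guard the previous paragraph argues for: before a candidate IOC feed is turned into rules, each entry is checked against an allowlist of known-good names and rejected if its rule would sinkhole one of them. All domain names and the 192.0.2.1 address are constructed sample values from reserved ranges.

```python
"""Toy RPZ (Response Policy Zone) evaluator and IOC feed screen.

Added example, not Infoblox or BIND code. Rule owner names are assumed to be
relative to the policy zone apex (as after a $ORIGIN line); SOA/NS records
and the rpz-ip/rpz-nsdname trigger families are not modelled.
"""
from dataclasses import dataclass

# Constructed RPZ zone in BIND RPZ syntax (QNAME triggers only).
RPZ_ZONE = """
bad.example.com            IN CNAME .                    ; NXDOMAIN
*.c2-dga.example.net       IN CNAME .                    ; block every subdomain
tracker.example.org        IN CNAME *.                   ; NODATA: name exists, no records
phish.example.com          IN CNAME garden.corp.example. ; walled-garden redirect
ok.c2-dga.example.net      IN CNAME rpz-passthru.        ; exception, longest match wins
sinkhole.example.com       IN A     192.0.2.1            ; local data answer (TEST-NET-1)
"""


@dataclass
class Rule:
    owner: str   # trigger name, lower-case, no trailing dot
    rtype: str   # "CNAME" or "A"
    target: str  # CNAME target or A address


def parse_rpz(text):
    """Parse the supported subset: '<owner> IN CNAME|A <target>' lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN" or parts[2] not in ("CNAME", "A"):
            continue
        owner = parts[0].lower().rstrip(".")
        rules[owner] = Rule(owner, parts[2], parts[3])
    return rules


def action_for(rule):
    """Translate the RPZ encoding of a rule into the resolver's action."""
    if rule.rtype == "A":
        return ("LOCALDATA", rule.target)
    t = rule.target
    if t == ".":
        return ("NXDOMAIN", None)
    if t == "*.":
        return ("NODATA", None)
    if t.lower() == "rpz-passthru.":
        return ("PASSTHRU", None)
    if t.lower() == "rpz-drop.":
        return ("DROP", None)
    return ("REDIRECT", t.rstrip("."))


def lookup(rules, qname):
    """Find the governing rule: exact name first, then the nearest wildcard ancestor."""
    name = qname.lower().rstrip(".")
    if name in rules:
        return rules[name]
    labels = name.split(".")
    # *.example.com covers bad.example.com and a.b.example.com, but not example.com
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return None


def resolve_policy(rules, qname):
    """Return (action, data). PASSTHRU and 'no rule' both mean 'answer normally'."""
    rule = lookup(rules, qname)
    if rule is None:
        return ("PASSTHRU", None)
    return action_for(rule)


def screen_feed(iocs, allowlist):
    """Reject feed entries whose blocking rule would sinkhole an allowlisted name.

    Returns (accepted_rules, rejected) where rejected lists (ioc, hit_names).
    """
    accepted, rejected = {}, []
    for ioc in iocs:
        owner = ioc.lower().rstrip(".")
        candidate = {owner: Rule(owner, "CNAME", ".")}
        hits = [d for d in allowlist if lookup(candidate, d) is not None]
        if hits:
            rejected.append((ioc, hits))
        else:
            accepted.update(candidate)
    return accepted, rejected


if __name__ == "__main__":
    rules = parse_rpz(RPZ_ZONE)
    for q in ("bad.example.com", "www.bad.example.com", "a.b.c2-dga.example.net",
              "ok.c2-dga.example.net", "phish.example.com", "sinkhole.example.com"):
        print(f"{q:28} -> {resolve_policy(rules, q)}")
    # Constructed feed: the wildcard entry would block a known-good CDN host.
    ok, bad = screen_feed(["evil.example.com", "*.cloudfront.example", "login.bank.example"],
                          ["cdn.cloudfront.example", "login.bank.example"])
    print("accepted:", sorted(ok), "rejected:", bad)
```

Two behaviours are worth noting. An exact rule for `bad.example.com` does not cover `www.bad.example.com`; only a `*.bad.example.com` wildcard does, and the wildcard in turn does not match the apex name itself. And because the most specific name wins, a `rpz-passthru.` rule for a single host carves an exception out of a wildcard block, which is the lightweight way to correct a single overbroad indicator without pulling the whole feed.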
DNS sinkholing is included in BloxOne Threat Defense and is often called DNS Firewall in Infoblox documentation. Infoblox is seeing increased interest in DNS sinkholing in the healthcare, finance, industrial and utility markets due to recent regulations and security guidelines. So, with all the focus on DNS sinkholing lately, why not do DNS sinkholing with Infoblox DNS, the most scalable and intelligent DNS platform available? Answer in the comments; I would love to hear your thoughts.
Special thanks to Infoblox SE Ross Gibson for technical advisory and edits!