Is this URL dangerous? Improving DNS Security Operation Efficiency by Utilizing Dossier

Introduction

Have you ever had a hard time investigating domains in your SOC or CSIRT work? Even if you deploy a DNS security product (DNS-FW), it will block name resolution for malicious domains, but it is quite difficult to answer when you are asked to investigate why a particular communication was blocked. Here is a tool that can help.

What is DNS Security (DNS-FW)?

Before explaining the tool, let's review DNS security. DNS security means detecting unauthorized communication at the DNS layer, which is the very first step of any access to the Internet. (There are also products that protect DNS servers against DDoS attacks, but this section describes products that act like a firewall for DNS queries from internal clients.) The Infoblox DNS security product BloxOne Threat Defense (B1TD) comes in a cloud type and an on-prem type. Each holds a blacklist of malicious domains; when a client sends a DNS query for one of them, the name is not resolved, so the communication is prevented. In addition, it can block DNS tunneling through behavior detection, which prevents information leakage carried over DNS alone.

The following is the web console screen of the cloud version, where you can check the threat detection status graphically. (Information that previously could only be seen through the Splunk integration can now be seen on the web console.)

What is Dossier?

In B1TD, you can use an investigation tool called Dossier.

Dossier is a tool that investigates indicators such as URLs, IPs, domains, and file hash values. It shows their threat level and whether they are still active (for example, used as a C2 server in the past but not currently active), and for files it shows the antivirus scan results. It also shows the history of domain-to-IP pairings and links to any reports or blogs about the domain. WHOIS information and IP geolocation information are also displayed, and related items such as URLs, email addresses, and IP addresses are shown as links, so you can click on them and continue the investigation.

I think it will be a very powerful tool for looking up domains blocked by B1TD, and for handling requests to investigate emails containing suspicious URLs.

Here is a brief introduction to the investigation process.

I received an email with a URL like "http://abcdefg.xxx/example/aa12345678/". Let's use Dossier to check if this URL is ok.

Enter the URL in Dossier's search box. You will then see the result for this URL. In this case, it was diagnosed as a malware site by 10 of the 72 anti-virus engines.

I'm already a bit suspicious at this point, but next I'd like to investigate the domain of this URL. Go to the domain information page from the link at the top of the page.

In the "CATEGORIZATIONS" item, you can see which categories this domain falls into. Also, in "Indicator Information", you can check which B1TD feed it is included in and what its current status is. Most entries are diagnosed as malware download sites, and they are still displayed as active, so you can see that this is an extremely dangerous site.

Also, the WHOIS information shows the email address of the domain registrant, so click on it. If other domains are registered with this email address, the list can be displayed. From this you can infer to some extent whether some kind of campaign is being carried out.

I will explain some of the other items.

"Current DNS" displays the current registration information for the domain (IP, name server, etc.). In "Timeline", you can check in chronological order when this domain was registered in WHOIS and when it was recognized as a malware site. "Related URLs" and "Related File Samples" display related URLs and downloadable files respectively, together with their antivirus scan results. In addition, "Reports" displays links to sites such as related blogs.
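The triage steps above (AV verdict on the URL, domain categorization and active status, registrant pivot) can be turned into a repeatable decision rule. The following is an added example, not Dossier's own API or code: the `Lookup` record, the `CASEBOOK` data and the thresholds in `triage` are constructed assumptions that mirror the kind of fields shown on the Dossier pages.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Indicator:
    category: str   # e.g. "Malware Download", as listed under CATEGORIZATIONS
    active: bool    # the "current status" shown in Indicator Information


@dataclass
class Lookup:
    """Constructed stand-in for what an analyst reads off a Dossier page."""
    av_hits: int                       # engines flagging the URL
    av_total: int                      # engines that scanned it
    indicators: list = field(default_factory=list)
    registrant_domains: int = 0        # other domains on the same WHOIS email


def domain_of(url: str) -> str:
    """Host part of a URL; tolerates a URL pasted without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def triage(lookup: Lookup) -> str:
    """Return 'block', 'review' or 'likely-benign' (thresholds are assumptions)."""
    active_malware = any(i.active and "malware" in i.category.lower()
                         for i in lookup.indicators)
    historic = any(not i.active for i in lookup.indicators)
    av_ratio = lookup.av_hits / lookup.av_total if lookup.av_total else 0.0
    if active_malware or av_ratio >= 0.10:
        return "block"                 # still active, or widely flagged
    if historic or av_ratio > 0 or lookup.registrant_domains >= 10:
        return "review"                # past C2 use or a bulk registrant
    return "likely-benign"


# Constructed casebook keyed by domain; the first entry mirrors the walkthrough.
CASEBOOK = {
    "abcdefg.xxx": Lookup(10, 72, [Indicator("Malware Download", True)], 25),
    "old-c2.example": Lookup(0, 72, [Indicator("C2", False)]),
    "clean.example": Lookup(0, 72),
}


def investigate(url: str, casebook=CASEBOOK) -> str:
    lookup = casebook.get(domain_of(url))
    return "unknown" if lookup is None else triage(lookup)
```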

Summary

I explained Dossier, a B1TD tool for looking up information such as domains and URLs. Dossier also provides an API, so I hope to introduce it sometime. Also, B1TD's cloud service is frequently adding functions, so we would like to cover the new functions as well.

Macnica Infoblox

Mon-Fri 8:45-17:30