Shrestha IT, a company based in Belgam where we build and secure networks. I am also a network engineer, with a wide variety of interests in Unix systems as well as networking and security.

So, as with any network, a few of the challenges with respect to networks of micro, small and medium enterprises in tier 2 and tier 3 cities are the ones I have given here. One is you have these phishing links which are greatly circulated in the network. Then you have malware, which is basically ransomware. Apart from that, threat vectors which are primarily used for transferring of files, which can again propagate stuff in the network. So it is pretty similar to what you have in any other network, but this is compounded by another element which is primarily there in the tier 2, tier 3 networks of MSMEs: a concept called a flat network.

So what is a flat network? A flat network is a network where the communication between nodes, or clients, or computers is not segmented. So each computer can speak to one another without any kind of limitations, and that also has its own share of problems. One of the reasons why this kind of topology is chosen is that there is a low cost barrier to it. Anyone can set up a flat network without having to put in expensive hardware or having any kind of technical know-how. So here is a simple example of a flat network. As you can see, the computers or the servers which are part of the network can communicate with one another without any kind of restrictions. So what this also does is, apart from the good traffic, it also gives an ecosystem for the bad traffic with respect to propagation. Examples of a flat network: typically if you are running a network at home, you have wireless, you are running a flat network. A SOHO office, the 100-plus networks which we serve in tier 2, tier 3 cities.
Now you mix this with ignorance with respect to security hygiene, where, if I have to give a few examples: a user would have an antivirus installed on the system, but the antivirus is either not updated or the licence has expired. Another example which you can point out is pen drives which get connected to the systems; the antivirus would pop up and the user, instead of having the scan complete, would click on cancel, primarily to save time, but actually having the consequence of malware or bad data coming into the system or the network. Another thing which we have found very commonly is everybody is logged in as an administrative user. So there are no privileges per se with respect to restrictions at the system level. And lastly is the lack of IT processes.

So here is an example of a phishing email which one of our customers received, and I have removed the stuff with respect to the email details. If you had clicked on any one of those links in that email, this is what you would have seen, which is nothing but a phishing page and not something by Microsoft.

Before I actually go into the solution side of things, I will give just a small primer with respect to DNS. Before I do that, how many people have worked with or have experience configuring a DNS server? How many people know how DNS works? That's probably a fair bit. So I will just skip through this slide. What you have is a computer at the very left of the slide, which is where a user is accessing, let's say, a web resource or a website; it could be a mobile device. The request is for an IP address, that is, a resolution from the name to an IP, and this is something which is done by something called a recursive DNS resolver.
Generically this is the job of an ISP: when you connect to an internet connection, the ISP gives you a DNS server IP, which is what does the recursion with respect to getting an IP for the resource. But it's a lost art these days, and I'll come to that, where ISPs have actually outsourced this to various cloud providers. You have Google 8.8.8.8, you have Cloudflare 1.1.1.1, and you also have Quad9, which is 9.9.9.9. These are basically what gets used by everyone, primarily for the policy of security as well as, you know, the resolution is also fast. My focus is primarily on the recursive DNS aspect, so I'm not going to go into the details with respect to the authoritative DNS or the root DNS. The security element which I am proposing is on the recursive side of things. Also, another option for people who are running their own recursive DNS servers would ideally be using open source software such as BIND or Unbound or PowerDNS, which I'll get back to a little while later.

So how does a DNS firewall help? If you look at it from a threat intelligence perspective, or even from a security perspective, everything begins with a DNS query. Be it good traffic or bad traffic, everything starts with a DNS query. So having a mechanism with which you can filter bad DNS traffic, without it even going into the other layers, adds a lot of value from the network security hygiene perspective. Primarily it sets a differentiated route; there is a firewall which actually gave that pop-up as well. So there is a set of differentiated routes for the DNS queries. Most importantly, for the MSME networks where we have primarily deployed this, it's cheap defence, without having to invest in a full-fledged firewall, or without having the budget for something like pfSense.
This adds a lot of value because this typically just goes on something like a Raspberry Pi. So there is a low cost barrier with respect to the economic side of things, and it is pretty simple to implement once you get it right. Having said that, I'd like to highlight multiple times that security is primarily a multi-tiered approach. So in no way am I suggesting that just putting this thing in your network is going to secure it. This is one of the key elements that can go into your network defence.

So what you have is a vendor-neutral distributed format. It's actually not a protocol yet; hopefully it should be. There is a draft that has been published on the IETF website for the last four to five years, but this is one of the underrated topics on the DNS side of things which one can leverage. What it does is, just like any other firewall, it allows you to set policies based on who is asking the question or where that question is going to. To add to this, you can integrate something called threat intelligence feeds, and then it becomes a full-blown firewall. There are a lot of providers available, open source as well as proprietary, which can plug into your DNS firewall, giving you greater leverage. The three primary DNS software packages which are available as open source options: one is BIND. BIND version 9.10 and greater supports this. PowerDNS also has this. Unbound: I think just a few days back there was a patch that went into the main source code where response policy zones are going to be available in Unbound as well.

So just like any firewall, the working of a DNS firewall is very similar: a condition is met, and then you have an action for it. You have a trigger, and then an action gets called. I'll give a demo of a couple of examples as well.
The first one, let's say for example QNAME, which stands for query name. If the query name is this specific DNS record, then you can have an action where you say that, okay, I want to drop it, or I want to give a response back to the client machine saying that this is a non-existent domain; NXDOMAIN stands for non-existent domain.

Before I actually give you a demo, let me go through a sample DNS zone file so that you understand the intricacies of how this gets integrated. Instead of going through the whole thing, I'll just concentrate on the last three lines of the image. What you have there are called resource records. In this case what we are saying is webmail.instaping.in is pointing to the IP address 106.201.125.7. The second one is again a resource record, www.instaping.in, which is pointing to the IP address 122.25.222.25.22. That's how DNS works.

Now here is an example of a DNS response policy zone file. In the case of a response policy zone file, again it is a zone file; the structure is a little bit different. Here you can see that there is a list of DNS records. Now, for these DNS records I am not authoritative. It is just my recursive DNS server: I'm going to give these records to the recursive DNS server and I'm going to say CNAME dot. Dot means NXDOMAIN. What I'm trying to say is it's like a null root, it's like /dev/null. If I want to send a DNS query to something like a recycle bin, this is what it would entail. So in any kind of open source DNS software you would have to include this zone file and tell the software, here is a zone file and here are the resource records inside it, and I want you to respond from it. Instead of going up the chain to find out what the actual IP address of that record is, I want you to get it locally and give an NXDOMAIN answer in this case.
And then you include it, saying that this is a response policy zone. What I'll do is show you a small demo of this. I'll pause it every now and then. Yes, I will try to do that. Does that help? Let me run through it so that you get an idea about it.

So basically I have opened a terminal here and I'm typing a command which is dig. dig is available on Unix and Linux systems and allows you to query a DNS record. I'm saying dig @127.0.0.1, which is localhost, that is the same system itself, for the resource record google.com. What I see here as the output is the answer, where the IP address of Google is 216.58.197.46. So I got the answer: the recursive DNS resolver actually went up the chain, found out what the IP address of google.com is and gave it back to me. Any questions here?

Now what I'm doing is I have this response policy zone. In the response policy zone file which I have generated, in the format which I showed you a couple of slides back, I am searching for a string called PayPal. I've run a command which says grep PayPal in this specific zone file, just to demo to you what will happen if I request a resource which is a phishing link. Yes, the zone file is on my machine. I'm running this recursive DNS resolver on my machine itself. Actually this is a video, so I'm not doing it right now, but this is something which I recorded where I put the recursive DNS server on my machine. So you could actually do this; if you don't want to do this for your network, you could also do it only for your own system. It need not be a requirement that you have a network.
Now I'm saying dig @localhost, and the resource record is one of the phishing links, one of the DNS domain names which is nothing but a phishing link: paypal-account dot o g s p y dot net. The word PayPal itself can fool a lot of people who are not from the technical side of things, where they would look at PayPal and say, okay, this is PayPal, let me log in. Now, because the recursive DNS resolver which I have has a record for this specific DNS name and I've said respond back with NXDOMAIN, when you ask that question it doesn't give you an answer, it gives you NXDOMAIN. So it doesn't give an IP, even though on the internet this record might resolve.

The next thing I do is run this against Google's Quad8 recursive DNS resolver, and you will see that it actually responds, which means that for people who would access that link, you will see that it has given those IPs. So the query that I gave here was dig @8.8.8.8 with that same domain name, which is a phishing domain, and you're getting a response there, which means that anyone who is using Google DNS at this point of time accesses that link and is probably not aware that this is a phishing link.

To populate a DNS response policy zone with what you might already have, what we primarily did was look into the reputation feeds. There are a lot of reputation feeds: URLhaus is one, Spamhaus is another, Farsight Security, or you can also create your own feeds. There are a lot of reputation providers which have this data in an open source format, where you can do a pull every now and then. It's basically just a URL which you download, then populate these records inside a zone file, and your network will now not resolve those DNS requests.
Some of the lessons after doing this for 100-plus networks: one of the things which we realised was a lot of false positives going in. The data, the zone files that you populate, need to be in a pristine manner with respect to not having put in something which is a legitimate domain name or DNS record. Monitoring and analysis is primarily at the log file level, so you are typically tailing the log file to see what kind of request is getting blocked. You can also integrate something like an ELK stack, which can give you pretty graphs and charts.

If there is one takeaway that I'd like to point out to people here, whether you are running a network or not, or even if you would be interested in doing something like this for your home network, it is: run a recursive DNS resolver, even on your laptops, with response policy zones, and that adds a lot of value with respect to stopping malware or phishing links or anything at the DNS level itself. You could do that simply, if you're running Linux or Unix, by putting in BIND or PowerDNS or Unbound. You could also use something like Pi-hole. Before I go there, Pi-hole is not response policy zones. Pi-hole is basically going to block it for everyone in the network; it is not going to be selective, there are no policies there, it is a blanket ban for everyone. But that is something that you can explore, and this is what the Pi-hole project looks like: you basically just take a Raspberry Pi and put the Pi-hole software on it, and it is nothing but dnsmasq which runs behind the scenes, and it will allow you to block DNS. You will be surprised to know what kind of DNS requests your Alexa or your TV is making every now and then, even when you are not watching it.
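The three pieces the talk walks through in sequence, the RPZ zone file with `CNAME .` meaning NXDOMAIN, populating that zone from a downloaded reputation feed, and the lesson that feeds must be scrubbed of legitimate names to avoid false positives, fit together in one small pipeline. The following is an added example written for this page, not code from the talk or from BIND; the feed text, allowlist and domain names are constructed, no real feed is fetched, and the `rpz_from_feed` and `policy_lookup` helpers are this example's own names. The zone syntax and the special CNAME targets (`.` for NXDOMAIN, `*.` for NODATA, `rpz-drop.` for DROP, `rpz-passthru.` for PASSTHRU) follow the RPZ draft as implemented in BIND 9.10 and later, and `policy_lookup` simulates how the QNAME trigger is matched so you can check a zone before loading it.

```python
"""Build a BIND-style response policy zone (RPZ) from a reputation feed
and simulate how a resolver applies QNAME triggers to a query.

Added example, not code from the talk or from BIND. Feed lines, the
allowlist and all domain names are constructed for illustration.
"""
from typing import Dict, List, Optional

# Constructed sample feed: one indicator per line, with comments and
# blank lines allowed, the way most plain-text reputation feeds look.
SAMPLE_FEED = """\
# constructed feed, not a real reputation list
paypal-account.example.net
secure-login.example.org
cdn.example.com
"""

# Constructed allowlist: names that must never be blocked (the
# false-positive lesson). They become PASSTHRU entries so they win even
# if a feed lists them.
SAMPLE_ALLOWLIST = ["cdn.example.com"]

NXDOMAIN, NODATA, DROP, PASSTHRU = "NXDOMAIN", "NODATA", "DROP", "PASSTHRU"

# RPZ encodes the action in the CNAME target of the policy record.
_ACTIONS = {".": NXDOMAIN, "*.": NODATA, "rpz-drop.": DROP, "rpz-passthru.": PASSTHRU}


def parse_feed(text: str) -> List[str]:
    """Return lowercase, de-duplicated domain names from a plain-text feed."""
    seen, names = set(), []
    for line in text.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def build_rpz_records(feed_names: List[str], allowlist: List[str],
                      action: str = ".", block_subdomains: bool = True) -> Dict[str, str]:
    """Build {owner name: CNAME target} policy records.

    Allowlisted names (and their subdomains) are emitted as PASSTHRU and
    skipped if the feed contains them; every other feed name gets the
    requested action, plus a wildcard owner so subdomains are covered.
    """
    if action not in _ACTIONS:
        raise ValueError(f"unknown RPZ action target {action!r}")
    allow = {a.lower().rstrip(".") for a in allowlist}
    records: Dict[str, str] = {}
    for name in allow:
        records[name] = "rpz-passthru."
        records["*." + name] = "rpz-passthru."
    for name in feed_names:
        if name in allow or any(name.endswith("." + a) for a in allow):
            continue  # would be a false positive: leave it out of the zone
        records[name] = action
        if block_subdomains:
            records["*." + name] = action
    return records


def render_zone(records: Dict[str, str], zone: str = "rpz.local", serial: int = 1) -> str:
    """Render the zone file, with the SOA and NS apex records a zone needs."""
    lines = [
        "$TTL 60",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 60",
        f"@ IN NS  ns.{zone}.",
    ]
    for owner in sorted(records):
        lines.append(f"{owner} IN CNAME {records[owner]}")
    return "\n".join(lines) + "\n"


def policy_lookup(records: Dict[str, str], qname: str) -> Optional[str]:
    """Simulate the QNAME trigger: an exact owner match first, then the
    closest wildcard parent outward. Returns the action, or None when the
    query is not covered and would be resolved normally."""
    q = qname.lower().rstrip(".")
    if q in records:
        return _ACTIONS[records[q]]
    labels = q.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in records:
            return _ACTIONS[records["*." + parent]]
    return None


def rpz_from_feed(feed_text: str = SAMPLE_FEED, allowlist: List[str] = SAMPLE_ALLOWLIST):
    """Whole pipeline on the constructed inputs; returns (records, zone text)."""
    records = build_rpz_records(parse_feed(feed_text), allowlist)
    return records, render_zone(records)


if __name__ == "__main__":
    recs, zone = rpz_from_feed()
    print(zone)
    for name in ["paypal-account.example.net", "mail.secure-login.example.org",
                 "cdn.example.com", "www.example.com"]:
        print(f"{name:35} -> {policy_lookup(recs, name)}")
```

The rendered text is what you would save as the zone file and load into the resolver as a policy zone (in BIND that is a normal `zone` statement plus a `response-policy` statement naming it); `policy_lookup` is only a local check of the rules, not a resolver. Re-running `rpz_from_feed` on each feed pull and bumping the serial is what keeps the zone current, and pushing the allowlist through as PASSTHRU records rather than just deleting lines means a legitimate name stays unblocked even when a later feed update re-adds it.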
Future challenges: there is this new protocol called DoH, that is DNS over HTTPS, and there is a lot of noise with respect to DoH, where there are people who want DoH and there are people who do not want DoH. Now, from my perspective, very importantly, it is biased, because I run a recursive DNS resolver for customers, 100-plus networks, so definitely I will not want DoH. But as a user, DoH as a protocol, which is RFC 8484, is extremely important and it is a great step forward. The problem lies with the way it is getting implemented by Mozilla. If you don't know what is happening in that space: if you are running a Mozilla Firefox browser, even though you might be having a recursive DNS resolver, or you are part of a corporate network which has your internal DNS mapped, it will all stop working, probably pretty soon in India as well. Starting October, DoH gets rolled out for all users in the US, which means that any DNS query that you are making will go to Cloudflare. Again, I do not have anything against Cloudflare, because I have a lot of friends in it, but the question becomes: on one side you have DoH which says it is privacy, and on the other side you have centralisation, which is going to a private company. So that is something that is a challenge if you're using response policy zones. My message to you, as well as to Mozilla, is to step away from DoH in the way it is getting implemented, and probably take a much saner way of doing it, the way Google is doing, where now there is a way to actually block DoH if you're running an enterprise network where you don't want all your DNS traffic to go to, let's say, Cloudflare. But it's actually still something which is not yet clear. There have been a couple of malware samples which have started using DoH as a transport mechanism, where it is now purely hidden
inside the DNS over HTTPS stream, and that's pretty much a challenge. Here are the references. The slides are already there on the website, but I think I'll also tweet it out, and I would be happy to take any questions or comments.

Why is it important to do the blocking as part of DNS itself? Are there other ways to achieve this?

So there are multiple ways to do it. I mean, the traditional way is to put a full-fledged firewall which will act at the different layers of the network stack. But then the problem that we have seen with respect to, let's say for example, pfSense: pfSense is basically a packet filter coming from the Unix world which you just put on a simple box, plug into the network, and all your traffic, incoming and outgoing, ingress and egress, goes through it. But that requires an investment in a machine; that requires primarily that barrier from an economical standpoint. So for a lot of businesses that we cater to, as I said, there is large-scale ignorance with respect to security hygiene, so putting a full-fledged firewall there becomes a big barrier. But at the same time we want to make sure that the ecosystem is improving from that level. So this becomes one of the key elements which can actually solve a number of problems, where the phishing links and, let's say, malware which is there in the network does not get propagated, because it gets stopped at the DNS. And it's always good to have a multi-layered approach; even in pfSense you have the same mechanism of running a DNS response policy. I hope that answers it. It's one of the things that you can do from a network perspective. Let me put it the other way around: you're running a home network; I don't think many of you would be interested in running a full-fledged firewall in your home, because of the barrier, because you have to
put a machine there, or a box there, and manage it and maintain it. So this becomes a good incentive to have some layer of security apart from other layers which you may probably, or you should, be invested in.

Can you take the mic? What about iptables?

iptables is primarily going to look at the IP layer, so it is not going to do it at the DNS layer. You can pretty much configure a firewall in iptables, but it is all looking at ingress and egress of IPs, that is, IP addresses in the network coming in and going out, and whether connections are established or not established, or whether you want to block certain kinds of protocols going out and stuff like that, but it will not do it at the DNS layer. Okay, thank you.

Maybe to add to that, IPs would not be so dynamic. DNS is intended to be dynamic, right? If it changes then you're blocking basically an old IP.

Absolutely. In fact, to add to that, there is another layer that you can actually go into. A lot of these reputation feeds have data which is built on passive DNS. Passive DNS is basically: let's say there is a domain name and it has an IP X. They look at that same X IP address, how many other domains are there, and whether those are legitimate domains; if they are not, then they get added to the reputation feed. So that's how you can actually have a dynamic layer of blocking at the DNS layer.

Great presentation, good insights. Just to build on that same question: every host has a firewall, either iptables or Windows Firewall, and if you're able to use your rules to control traffic on port 53, you're still controlling the DNS calls that are going out to different entities that your application deals with. Beyond that, what advantage does the DNS firewall have?

A lot of advantages. In fact, just to point out, say for example, it is just the traffic which you are controlling, which is going out; you're not controlling
whether, let's say, abc.com should be blocked. There is no condition and trigger and action there, which is that, okay, say for example here is the list of domain names which are malicious and I want iptables to block them. One, you can do that technically, but it is going to be a very intensive affair with respect to whatever machine you would be running, so it is not scalable at all. To remove a rule from that, to remove a domain name from that, is going to be a massive job.

I forgot to add one element to it. Say for example I have a network where I've set up a recursive DNS server, and I have configured the response policy zones and put reputation feeds in it. Now say I have 100-plus networks where I want this to be implemented. I configure this as a master DNS server and configure the rest of them as slaves; they'll pull all the data from here without me having to do anything at all, in the sense of not having to reconfigure the same thing again and again. Technically that is not part of response policy zones, that is part of the DNS system, the ecosystem where you have a master and a slave and you have these zone transfers. I hope that answers.

I'm going to go back to DoH. We've been reading about this: DoH is bad, don't do this, a lot of backlash against Mozilla. Three questions. Isn't it actually good that Mozilla is allowing you to do DoH? One, it's encrypted, it's no longer plain text; that means if you're on a telco network nobody can monitor or monetise your DNS usage anymore, because with HTTPS that's the only way they could have monetised it, by accessing what DNS queries you make. That was one. Second, take an example: the UK, or recently it happened in Kazakhstan, where they are actually now blocking at ISPs. DoH allows you to overcome that because you are no longer going to get blocked by your ISP on some content; content is free on the internet. Point number three: you can always disable it in
network.trr.mode; you really don't have to enable it. Or, the last point that you made, you're an enterprise, you can't make a DoH by yourself? Change the network.trr.uri, implement your own HTTPS DNS resolver; that works.

Excellent questions, thanks for bringing these questions. I'll go one by one. One is, from my perspective, apart from the noise that is happening on the internet, DoH as a protocol is absolutely great; RFC 8484 is fantastic. But there existed DoT before DoH, that is DNS over TLS, which should have given you the same thing, but for some reason that has been shelved and suddenly the project is DoH. That is number one. The question is not whether DoH is good or bad; that's not what I am debating. I am debating: am I fine with all my DNS queries going to Cloudflare? That I am not. Going to your ISP and some other data monetisation organisation? No. But there is a different way to probably solve that problem; it may not necessarily be this. Having said that, there is also a mechanism now where you can disable DoH at the recursive DNS resolver: they have come out with a canary domain, use-application-dns.net. So if I put it in my response policy zones and say that this is NXDOMAIN, DoH gets disabled for every client in the network. This is a new development that has come, probably because of the backlash. Having said that, there are too many moving parts. Let's say for example I want to run my own DoH trusted recursive resolver, the TRR; I have to adhere to Firefox policies with respect to a lot of things, and there is no clarity on that at this point of time. My way of going forward would have been, assuming that option exists for enterprise networks having a very valid case with respect to blocking or having internal DNS resource records, that would have been a better way of going forward, rather than implementing it at a user level and then saying, okay, we are also going to work on it, but not now. You are going to ask one
more question, please. Okay, maybe it's going to go tangential, so I'll stop there and probably speak with you later. Sure.

When browsers step in to do all these things, where they are now trying to protect user privacy at the DNS level as well, doesn't it ring the same bell as what OCSP did for CA certs as well, where basically what the browsers of the world are trying to say is: let us take matters into our own hands and give tools and leverage which actually benefit the user at the end of the day? As said, this is slightly tangential, because now we are talking about a philosophy here with a bit of technology, but maybe you could add a comment on that. Wouldn't that be good still, if you look at it from that perspective?

I think any kind of centralisation is not good; that is how I would look at it as a user, not from a business perspective. I'm old school; I love the decentralisation of things. The way DNS works at this point is great; it is scalable. I have never seen DNS failing for all the time that I've used the internet, because of the distributed nature of DNS. I've never seen it failing at all. So now changing it, making it centralised, saying that on one part we want users to be secure, and then sending it to a private company who has a background with respect to promoting content with respect to fortune, I mean, we are talking about a political... That's the reason why I'm wearing a T-shirt where it says that there are nine layers: there are two layers which are on the political side as well as the financial side, and then there is the technical side. Maybe it depends on which layer we are talking about. I hope that answers. Thanks.

Another thing that I would like to add, this again a personal opinion: Cloudflare versus my ISP which is located in my country. My ISP is in my country; I may have legal avenues to safeguard my privacy in my own country, whereas with Cloudflare, which is based in the US, even though we say DoH would offer privacy against my ISP, I don't have legal avenues to really follow up with them. I'm not using the word... So Cloudflare or any other provider which is in, let's say, the UK or US may be subject to their own legal law, like national security letters, wherein they cannot talk about disclosures. So again this is my personal opinion.

To add to this, there was, I think, somebody talking about, I'm sorry I'm forgetting the name, about the NSA and stuff like that. So now you have made everything centralised; now there is only one place that anyone has to go to get all the DNS records which anyone is accessing, instead of the distributed nature.

You guys keep saying this, that it's going to go to Cloudflare. No, you realise it's default, you can change that. The question is, from a browser level, you can change that.

I agree. Okay, let me give you an example.

No, I mean it's like saying 8.8.8.8 is bad; change it, it's not tough.

I agree, but here is a viewpoint which I'll give you. Let's take the situation with respect to the kind of markets that we are serving. When a pop-up comes on Firefox which says that, hey, secure browsing, click okay, this is exactly what the Free Basics movement started out with on Facebook, where we want to take the internet to the rural public, support this, and then a reply went in without having an understanding of what exactly the internet is and what part of the internet was getting served. So I think now take your perspective there, and think and say: do you think users understand what is happening here? You and me can change it, but do you think the kind of enterprise customers or layman people who are using the internet will understand what is happening behind