Protection Against Malware, Ransomware, C2s, DGAs, Phishing
Stop Threats at the Root
RPZ (Response Policy Zone) DNS was developed by the ISC as an open and vendor-neutral component of the BIND Domain Name Server. RPZ functions as a DNS firewall in which rules are expressed in specially constructed zone files. Because policy lives in ordinary zone data, threat feeds can be distributed and loaded like any other zone, which makes RPZ an effective way of leveraging threat data for the detection and prevention of malware and ransomware activity at the DNS level.
With this tool, administrators can override the global DNS and create rules that initiate specified responses and actions, such as providing alternate replies to queries. When a workstation, server or other network device tries to connect to a malicious location, the resolver withholds the real answer and instead redirects the device to a specially crafted web page that explains why access was blocked. A DNS RPZ firewall not only protects assets, it also provides an opportunity to educate users so they can be made aware – in real time – of the link, email or resource that was leading them to malware.
Flexibility is Key for DNS-Level Security
Restricting access at the DNS level is not without complications, however. While C2s, DGAs, and phishing sites tend to be “no brainers” as far as blocking access is concerned, many legitimate and very popular sites unknowingly host malware: Dropbox, Google Docs, etc. Preventing users from reaching these sites can, understandably, be met with great resistance. For this reason, granularity is key to helping administrators maximize threat coverage while minimizing the impact on their users’ crucial online sites, tools, and applications.
A Zone for Each Threat Type
To provide flexibility to our customers for managing the needs of their users or clients, we offer five separate Response Policy Zones. Each zone can be implemented – or not – depending on your needs. These zones include domains hosting (1) C2s, (2) DGAs (used by over 40 malware and ransomware families), (3) Malware, (4) Cryptominers, and (5) Phishing sites.
Apart from applying only the zones that relate to the threats faced by your business, Malware Patrol allows for whitelisting domains from all zones via a simple web interface.
Another available tool is filtering of domains by the Cisco Umbrella domain ranking. Zones can be filtered against the top 25,000, 100,000 or 1,000,000 domains, as you request. The Cisco Umbrella classification is updated weekly and is applied seamlessly together with the whitelisting mechanism.
Custom “Walled Garden”
You can use our “walled garden” to send your users when they hit a malicious domain, or configure your own using the instructions available here.
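The following added example (not Malware Patrol's code) shows what the zones described above look like on the wire: it takes a constructed list of malicious domains, removes entries that are whitelisted or that fall under a top-ranked domain, and renders a BIND RPZ zone whose rules rewrite answers to a walled-garden host. Every domain name, the ranking list and the walled-garden hostname are assumptions constructed for the example; the RPZ rule vocabulary (CNAME to a host for local data, `CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `rpz-passthru.` and `rpz-drop.`) is BIND's own.

```python
"""Build a BIND RPZ (Response Policy Zone) file from a list of malicious
domains, applying a whitelist and a popularity-ranking filter before the
rules are emitted.  Added example, not Malware Patrol's code; all domain
names, the ranking list and the walled-garden host are constructed."""

# Constructed sample feed entries (hypothetical, not real indicators).
THREAT_DOMAINS = [
    "c2-beacon.example",          # would sit in the C2 zone
    "x7q9kd2.dga.example",        # a DGA-style name
    "login-verify.example",       # phishing page
    "files.shared-host.example",  # legitimate host carrying one bad file
    "cdn.bigsite.example",        # very popular site, not worth blocking wholesale
]
WHITELIST = {"shared-host.example"}                   # admin-maintained exceptions
TOP_DOMAINS = {"bigsite.example", "search.example"}   # stand-in for a top-N ranking list
WALLED_GARDEN = "walledgarden.example.net"            # assumption: host serving the block page


def rpz_target(action, walled_garden=WALLED_GARDEN):
    """Map a policy action to the CNAME target that encodes it in RPZ."""
    targets = {
        "walled-garden": f"{walled_garden}.",  # local data: redirect to the block page
        "nxdomain": ".",                       # answer NXDOMAIN
        "nodata": "*.",                        # answer NODATA
        "passthru": "rpz-passthru.",           # leave the real answer untouched
        "drop": "rpz-drop.",                   # send no response at all
    }
    return targets[action]


def parent_names(domain):
    """a.b.c -> ['a.b.c', 'b.c', 'c'] so a rule on a parent covers its children."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def filter_domains(domains, whitelist=frozenset(), top_domains=frozenset()):
    """Drop entries that are whitelisted or that fall under a top-ranked domain.
    A match on the domain itself or any parent counts, so whitelisting
    shared-host.example also clears files.shared-host.example."""
    kept = []
    for raw in domains:
        d = raw.strip().rstrip(".").lower()
        names = parent_names(d)
        if any(n in whitelist for n in names) or any(n in top_domains for n in names):
            continue
        kept.append(d)
    return kept


def rpz_rules(domain, action="walled-garden"):
    """Two QNAME triggers per domain: the name itself and its subdomains
    (an RPZ wildcard does not match the apex name)."""
    target = rpz_target(action)
    return [f"{domain} IN CNAME {target}", f"*.{domain} IN CNAME {target}"]


def render_zone(domains, serial=1, ttl=300, action="walled-garden"):
    """Render a complete RPZ zone: SOA, NS and one rule pair per domain."""
    header = [
        f"$TTL {ttl}",
        f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 900 604800 {ttl} )",
        "@ IN NS localhost.",
    ]
    body = []
    for d in sorted(set(domains)):
        body.extend(rpz_rules(d, action))
    return "\n".join(header + body) + "\n"


def build_zone(threat_domains=THREAT_DOMAINS, whitelist=WHITELIST,
               top_domains=TOP_DOMAINS, serial=1):
    """Feed -> filtered list -> zone text, the pipeline the page describes."""
    return render_zone(filter_domains(threat_domains, whitelist, top_domains), serial=serial)


if __name__ == "__main__":
    print(build_zone(), end="")
```

The rendered file is loaded like any other zone and named in BIND's `response-policy { zone "..."; };` option. BIND evaluates the listed zones in order, so an alternative to stripping whitelisted names from every feed is a small first zone containing only `rpz-passthru.` rules, which exempts those names from all zones that follow.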
Response Policy Zones:
- Command & Control Servers
- DGAs
- Malware
- Cryptominers
- Phishing
Features:
- Zones are automatically transferred using AXFR/IXFR mechanisms
- Cisco Umbrella Domain Ranking filtered zones
- Apply whitelists to zones, even on top of Cisco Umbrella filtered ones
Set up a DNS Firewall in 5 Easy Steps
Watch our webinar for step-by-step instructions on setting up and enabling a DNS Firewall.