Policy-based Detection and Blocking System for Abnormal Direct Outbound DNS Queries using RPZ
Author: Ichise, Hikaru; Jin, Yong; Iida, Katsuyoshi
Language: English
Year of publication: 2022
Subject:
Description: 2022 the 12th International Conference on Computer Science and Engineering, June 24-27, 2022, held as an online event.

Bot-infected computers that send direct outbound DNS queries, bypassing the DNS full-service resolvers set up in the internal network and the NS-record lookup those resolvers perform, have become a critical security issue. In the DNS protocol, name resolution first obtains the necessary authoritative name servers (NS records) and then retrieves the answer to the original query; this process is carried out by the full-service resolvers. However, some types of bot programs violate this protocol process and send direct outbound DNS queries to their Command and Control (C&C) servers, which act as malicious DNS servers, for bot communication. In earlier work we investigated detecting and blocking direct outbound DNS queries using MySQL; however, the added network latency emerged as a critical issue. In this advanced research, we propose a policy-based detection and blocking system for abnormal direct outbound DNS queries using DNS Response Policy Zones (DNS RPZ) in order to solve that issue. In this paper, we describe the design of the proposed system and introduce an implemented prototype. In addition, we describe the preliminary evaluation results of each feature of the proposed system obtained on the prototype, and finally we introduce the tasks planned for future work.
Database: OpenAIRE
External link:
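The abstract describes the two building blocks without showing either: a policy that flags a DNS query as "direct outbound" (an internal host other than the site's full resolver talking to an external server on port 53), and an RPZ zone that lets a resolver block the names and servers involved. The following is an added example written for this page; it is not the authors' prototype and does not reproduce their design. The internal range (192.0.2.0/24), the authorized resolver (192.0.2.53), the log format and every log line are assumptions constructed for the example. The RPZ record syntax (QNAME triggers, the `rpz-nsip` trigger with the `prefix.B4.B3.B2.B1` encoding, and `CNAME .` for NXDOMAIN) is standard BIND RPZ.

```python
"""Added example, not the paper's code: classify DNS query records against a
simple policy and emit a BIND RPZ zone for the detections.

Assumed (not from the page): internal network 192.0.2.0/24, one authorized
full resolver 192.0.2.53, and a log format of
"<unix_ts> <src_ip> <dst_ip> <dst_port> <qname>" per line.
"""
import ipaddress
from dataclasses import dataclass

# --- policy (assumed values) ---
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
AUTHORIZED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
DNS_PORT = 53

# Constructed sample log, not captured traffic. Line 2 is the resolver's own
# iterative query (normal); lines 3-4 are a host bypassing the resolver.
SAMPLE_LOG = """\
1656000001 192.0.2.10 192.0.2.53 53 www.example.com
1656000002 192.0.2.53 198.51.100.1 53 www.example.com
1656000003 192.0.2.77 203.0.113.7 53 cmd.botnet.example
1656000004 192.0.2.77 203.0.113.7 53 beacon.botnet.example
1656000005 192.0.2.10 203.0.113.9 443 n/a
1656000006 192.0.2.12 192.0.2.53 53 mail.example.net
"""


@dataclass(frozen=True)
class Query:
    ts: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    qname: str


def parse_log(text):
    """Parse the assumed log format into Query records (qname normalised)."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, qname = line.split()
        out.append(Query(int(ts), ipaddress.ip_address(src),
                         ipaddress.ip_address(dst), int(dport),
                         qname.rstrip(".").lower()))
    return out


def is_direct_outbound(q):
    """Abnormal: an internal host that is not an authorized resolver sends
    DNS (port 53) to an address outside the internal network."""
    if q.dport != DNS_PORT:
        return False
    if q.src not in INTERNAL_NET or q.src in AUTHORIZED_RESOLVERS:
        return False
    return q.dst not in INTERNAL_NET


def detect(queries):
    return [q for q in queries if is_direct_outbound(q)]


def rpz_ip_label(addr, prefix=32):
    """RPZ encodes an IPv4 address as prefix.B4.B3.B2.B1 (octets reversed)."""
    octets = str(addr).split(".")
    return ".".join([str(prefix)] + octets[::-1])


def build_rpz_zone(detections, origin="rpz.local", serial=2022062401):
    """Emit a zone with QNAME triggers for the queried names (plus their
    subdomains) and NSIP triggers for the contacted servers; CNAME . means
    the resolver answers NXDOMAIN."""
    qnames = sorted({q.qname for q in detections})
    servers = sorted({q.dst for q in detections})
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. root.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for name in qnames:
        lines.append(f"{name} CNAME .")      # QNAME trigger -> NXDOMAIN
        lines.append(f"*.{name} CNAME .")    # and every subdomain
    for ip in servers:
        lines.append(f"{rpz_ip_label(ip)}.rpz-nsip CNAME .")  # NSIP trigger
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for q in hits:
        print(f"direct outbound: {q.src} -> {q.dst} qname={q.qname}")
    print(build_rpz_zone(hits))
```

Two caveats a practitioner would want. First, the zone only takes effect on queries that actually pass through a resolver configured with `response-policy { zone "rpz.local"; };`; a host that keeps talking to 203.0.113.7 directly never consults it, so the detection side still has to be paired with a network control (firewall rule or redirection of port 53 to the resolver), which this example does not cover. Second, the resolver's own outbound queries (line 2 in the sample) are normal iterative resolution and must stay exempt, which is why the policy checks the source against the authorized-resolver set before anything else.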