Farsight Security® Inc.’s Newly-Observed Domains (NOD) feed is available as Response Policy Zones (RPZ) which may be used to implement DNS firewalls.
Farsight Security processes hundreds of thousands of DNS resolutions per second. It maintains a massive database of observed domain names, and any domain name not seen before feeds the NOD service. It is common practice for malicious actors to register and use new domains for short-lived abuse in order to avoid detection.
A Response Policy Zone contains DNS records that describe simple DNS firewall rules and actions to perform. These are described using standard DNS records.
The Farsight RPZ rules only match against the newly-observed domain name and a DNS wildcard for it (for any record type). The only action defined in the Farsight RPZ is to return a DNS NXDOMAIN to any query for that domain name (or names under it), indicating it does not exist. This makes the new domain name fail to resolve, effectively disabling its use by clients of any DNS resolver that applies the RPZ feed.
Farsight publishes seven RPZ zones covering increasing amounts of time since the newly-observed domain was first identified. The time periods are: 5 minutes, 10 minutes, 30 minutes, 1 hour, 3 hours, 12 hours, and 24 hours. The number of new domains ranges from a few hundred in the five-minute zone to a few hundred thousand in the day-long zone. These zones are updated every minute to add new entries and to expire old ones.
The RPZ zones are normal DNS zones. Customers configure their name server as a secondary zone (aka slave) for one or more RPZ feeds. The initial zone transfer uses the DNS AXFR protocol and then later updates may use IXFR (incremental) transfers. Farsight’s name server can send DNS NOTIFY messages to the customer’s name servers when it has RPZ updates for near-real-time updates. This communication is authenticated and secured using DNS TSIG.
The DNS Firewall rules as provided by Farsight Security are stored using DNS records within a DNS zone. The SOA record’s serial number is the timestamp of the last zone file update as represented in Unix Epoch time format (number of seconds since Jan. 1, 1970 00:00:00 UTC).
The RPZ specification is in a work-in-progress Internet Draft (https://tools.ietf.org/html/draft-ietf-dnsop-dns-rpz-00).
While the DNS Response Policy Zones (RPZ) specification has several policy triggers and actions, the Farsight Security RPZ zones only use the QNAME Trigger (including wildcards) and the NXDOMAIN Action.
An example hosted by Farsight Security is:
sebaceoushelp.com IN CNAME . ; first_seen=1533314880
*.sebaceoushelp.com IN CNAME . ; first_seen=1533314880
And the transferred records:
sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME .
*.sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME .
(Note that the comments are not part of the DNS and aren’t transferred along with the zone updates.)
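To make the QNAME trigger and NXDOMAIN action concrete, the following is an added example (not Farsight's code) that parses transferred RPZ records of the form shown above, strips the RPZ origin to recover the trigger name, and evaluates query names against the exact and wildcard triggers the way a resolver would. The origin name 24h.rpz.dns-nod.net and the sample records are constructed from the page's sebaceoushelp.com example; the matching is independent of query type, as the text describes.

```python
"""Model of the two RPZ features the Farsight NOD zones use: the QNAME
trigger (an owner name plus its wildcard) and the NXDOMAIN action (encoded
as ``CNAME .``).  Added example, not Farsight code."""

from dataclasses import dataclass, field

# Assumption: the 24-hour feed's zone name, taken from the page's example.
RPZ_ORIGIN = "24h.rpz.dns-nod.net."

# Constructed sample of transferred records, modelled on the page's
# sebaceoushelp.com example.  The ``; first_seen`` comments are kept here only
# to show that a parser must tolerate and discard them; they are not transferred.
SAMPLE_ZONE = """\
sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME . ; first_seen=1533314880
*.sebaceoushelp.com.24h.rpz.dns-nod.net. 300 IN CNAME . ; first_seen=1533314880
"""


def _canon(name: str) -> str:
    """Lower-case and terminate with one dot (DNS names are case-insensitive)."""
    return name.lower().rstrip(".") + "."


@dataclass
class RpzPolicy:
    exact: set = field(default_factory=set)      # QNAME triggers, exact owner
    wildcard: set = field(default_factory=set)   # QNAME triggers, ``*.name``

    @classmethod
    def from_zone_text(cls, text: str, origin: str) -> "RpzPolicy":
        origin = _canon(origin)
        policy = cls()
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].strip()   # drop zone-file comments
            if not line:
                continue
            fields = line.split()                 # owner [ttl] [class] type rdata
            try:
                rdata = fields[fields.index("CNAME") + 1]
            except (ValueError, IndexError):
                continue
            if rdata != ".":
                continue                          # only the NXDOMAIN action is modelled
            owner = _canon(fields[0])
            if not owner.endswith("." + origin):
                continue                          # not a record of this RPZ
            trigger = owner[: -(len(origin) + 1)]  # strip ".<origin>", leaving the QNAME
            if trigger.startswith("*."):
                policy.wildcard.add(trigger[2:] + ".")
            else:
                policy.exact.add(trigger + ".")
        return policy

    def lookup(self, qname: str):
        """Return 'NXDOMAIN' if a trigger fires for qname (any qtype), else None."""
        q = _canon(qname)
        if q in self.exact:
            return "NXDOMAIN"
        labels = q.rstrip(".").split(".")
        # ``*.example.com`` matches one or more labels below example.com, never
        # example.com itself, so walk the ancestors of qname and look each one up.
        for i in range(1, len(labels)):
            if ".".join(labels[i:]) + "." in self.wildcard:
                return "NXDOMAIN"
        return None


def build_sample_policy() -> RpzPolicy:
    """Policy built from the constructed sample zone above."""
    return RpzPolicy.from_zone_text(SAMPLE_ZONE, RPZ_ORIGIN)


if __name__ == "__main__":
    policy = build_sample_policy()
    for name in ("sebaceoushelp.com", "mail.sebaceoushelp.com", "notsebaceoushelp.com"):
        print(name, policy.lookup(name))
```

Note that the ancestor walk avoids the substring false positive a naive `endswith` check would produce: notsebaceoushelp.com shares a suffix with the trigger but is not under it and must still resolve.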
Common deployments using the Farsight-enabled RPZ zones as a DNS firewall include: mail servers to reject incoming emails from NOD senders, spam filters to score and/or reject emails containing links to NOD websites, and for web browsers to stop access to very new websites.
The one-day period should be long enough for various reputation services to analyze the new domain to see if it has legitimate use. With the different time-based RPZ zones, customers may experiment and choose the best feed to match their needs.
Farsight’s NOD offerings also include DNSBL blacklist feeds as DNS zone files and a DNSBL service via normal DNS queries.
Typical use cases of the RPZ feeds are:
The RPZ feeds are only accessible via DNS zone transfers. Access is restricted to customer-provided IP addresses and using TSIG with a pre-assigned HMAC-SHA512 key.
Farsight does not provide a DNS server for continual queries utilizing the RPZ feed. (Farsight does for DNSBL though, based on the same NOD data.)
Customers may provide one or more IP addresses of DNS servers that can handle DNS NOTIFY messages, to speed up the transfers. The zone’s refresh timer is set to ten minutes. If a zone refresh fails, it will retry every five minutes (until the zone expires after one day). Depending on the feeds, DNS NOTIFY messages may arrive a few times a minute to prompt the server to refresh the zone for updates.
This service is data transferred onto a customer’s DNS servers, so there is no additional hardware requirement.
The amount of data in the feed will vary over time.
The IXFR zone transfers may happen a few times a minute, depending on which RPZ feed is enabled. For example, the one-hour or 24-hour feeds may have incremental transfers from 20 records (666 bytes) to 8822 records (189652 bytes). The following is a snapshot of typical zone file sizes:
 53K  5m.rpz.dns-nod.net  (456 NODs)
110K  10m.rpz.dns-nod.net (931 NODs)
392K  30m.rpz.dns-nod.net (3416 NODs)
823K  1h.rpz.dns-nod.net  (7280 NODs)
2.3M  3h.rpz.dns-nod.net  (21062 NODs)
 16M  12h.rpz.dns-nod.net (151147 NODs)
 24M  24h.rpz.dns-nod.net (223710 NODs)
The RPZ technology is commonly used in a caching recursive nameserver. It is supported in ISC’s BIND named, the Knot DNS Resolver, and the PowerDNS Recursor.
The NOD feeds do contain honest or non-malicious domains. Use of the RPZ rules makes them inaccessible by name for the time period of the RPZ feed.
Farsight Security will provide configuration examples for BIND using its native RPZ or for using its FastRPZ. This configuration will include the IP addresses for the Farsight Security name servers to communicate with and the associated private shared secret for accessing the zone(s).
Additionally, Farsight Security provides a proprietary technology called FastRPZ, which provides an interface for a custom Unbound (via a patch shipped with Unbound) and a specially-built BIND (using the DNS Response Policy Service API) to use FastRPZ as an alternative. FastRPZ provides a simple DNS transfer server to maintain the RPZ feeds and hooks for the resolving name server to trigger and act on the DNS firewall rules.
The RPZ feeds include a testing record which may be used for verifying a working RPZ setup. A DNS query for test.dns-nod.net should result in a NXDOMAIN with a SOA indicating it came from a specific RPZ (with the epoch timestamp in the SOA).
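The test record, together with the epoch-time serial described earlier, gives an operator everything needed to check both that the policy is being applied and how fresh the transferred zone is. The following is an added example (not Farsight's code) that reads a dig-style response for test.dns-nod.net, confirms the NXDOMAIN came from an NOD RPZ by the SOA owner in the authority section, identifies which feed fired, and classifies the zone's age against the SOA refresh and expire timers. The dig output is constructed; the SOA owner and serial follow the page's example, the MNAME and RNAME are placeholders, and the 600/300/86400 timers mirror the ten-minute refresh, five-minute retry and one-day expire the page gives.

```python
"""Verify an RPZ deployment from the response to the feed's test record.
The SOA in the authority section names the RPZ zone that fired, and its
serial is the Unix epoch time of the last zone update.  Added example,
not Farsight code."""

import re
import time

# Constructed dig-style output for ``dig test.dns-nod.net``.  SOA owner and
# serial follow the page; MNAME/RNAME are placeholders; the timers
# 600/300/86400 mirror the page's refresh (10 min), retry (5 min), expire (1 day).
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; QUESTION SECTION:
;test.dns-nod.net.          IN      A

;; AUTHORITY SECTION:
24h.rpz.dns-nod.net.    300     IN      SOA     mname.placeholder.invalid. hostmaster.placeholder.invalid. 1533314880 600 300 86400 300
"""

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+\d+\s*$",
    re.MULTILINE,
)
FEED_SUFFIX = ".rpz.dns-nod.net."   # all seven feeds sit under this name


def check_rpz_test_response(dig_output: str, now: int) -> dict:
    """Classify a test-record response; ``now`` is the current Unix time."""
    status_m = STATUS_RE.search(dig_output)
    result = {"status": status_m.group(1) if status_m else "UNKNOWN",
              "feed": None, "serial": None, "age": None, "state": None}
    if result["status"] != "NXDOMAIN":
        result["state"] = "rpz-not-applied"            # resolver answered without the policy
        return result
    soa = SOA_RE.search(dig_output)
    if soa is None or not soa["owner"].lower().endswith(FEED_SUFFIX):
        result["state"] = "nxdomain-without-rpz-soa"   # NXDOMAIN, but not from an NOD feed
        return result
    owner = soa["owner"].lower()
    result["feed"] = owner[: -len(FEED_SUFFIX)]        # e.g. "24h"
    serial = int(soa["serial"])                        # Unix epoch of last zone update
    age = now - serial
    result["serial"], result["age"] = serial, age
    if age < 0:
        result["state"] = "clock-skew"                 # serial is in the future
    elif age <= int(soa["refresh"]):
        result["state"] = "fresh"                      # within one refresh interval
    elif age <= int(soa["expire"]):
        result["state"] = "stale"                      # refreshes failing; retrying
    else:
        result["state"] = "expired"                    # secondary stops serving the zone
    return result


if __name__ == "__main__":
    print(check_rpz_test_response(SAMPLE_DIG_OUTPUT, int(time.time())))
```

In practice the output of `dig test.dns-nod.net @<your-resolver>` is fed to `check_rpz_test_response` with the current time; a "stale" or "expired" result while the feed is otherwise reachable usually points at broken NOTIFY delivery, a TSIG key mismatch, or an IP not on the customer allow-list.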
Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.