The Case - Penn
- wide open perimeter (no firewall, no IDS)
- firewalls local to machine rooms
- unmanaged machines (researchers, students)
- host compromises mostly reported from external sources

Implementation
- SANS published directions and an ISO for a DNS sinkhole using BIND
- the ISO installation collected too much information

Implementation - data sources
- malwaredomains.com
- Zeus Tracker
- SRI (later removed because of Doubleclick false positives)
- REN-ISAC SES

Implementation - platform
- two vintage 2004 Dell 2650s (dual Intel Xeon 2.8 GHz, 8 GB / 4 GB memory)
- Ubuntu 10.04 LTS (supported until 2015)
- ISC's BIND with Dynamically-Loadable Zones: handles hundreds of thousands of domains without downtime during the nightly refresh
- MySQL: holds the domains that BIND queries
- Apache: HTTP requests for sinkholed domains resolve to the SafeDNS server itself, so it has to answer them

Implementation - moving parts

Implementation - communication
- Terms of Service
- Privacy Policy
- Documentation (internal)

Performance Results
- no downtime since the pilot began in June 2011
- one network outage, but failover to the tertiary server was imperceptible
- false positives over 2 years:
  - 3 due to SRI (inclusion of doubleclick); SRI feed removed in Oct
  - 2 due to domains that had recently been cleaned

Costs
- Out-of-pocket:
  - hardware: second-hand, $0
  - software: $0
- Time:
  - build: 2 person-weeks (see code & documentation on Github: https://github.com/mrmuth/SafeDNS/)
  - maintenance: 30 min/month

Lessons Learned - branding
- support folks wince when you say "sinkhole"
- better brand: SafeDNS

Lessons Learned
- not a replacement for standard campus DNS; a value-add
  - heavy lifting still done by standard DNS
  - SafeDNS benefits from the huge campus name cache and its robustness
- improve uptime further: configure clients to use campus DNS as the tertiary server
- servers should not use SafeDNS: a mail server whose outbound mail resolves to the sinkhole queues up undeliverable messages, because the SafeDNS box doesn't speak SMTP

Lessons Learned - privacy
- log as little as possible
- DNS requests: IP and time only (logged by iptables, not BIND); don't log the domain name requested
- Apache (hits on sinkholed domains): time and name of the malicious domain, not the client IP
- log the referer, but aggregated by day

Lessons Learned - protocol
- What about DNSSEC? Validation breaks only for the malicious domains that are sinkholed
- TTL: the pilot servers aren't slaved to the authoritative DNS servers, so cached TTLs matter (unexpectedly, to admins)

Melissa Muth, University of Pennsylvania, muthm@isc.upenn.edu
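The "data sources" and "platform" slides describe the nightly refresh: several feeds are merged, bad entries (and, after the SRI incident, doubleclick) are dropped, and the MySQL table behind BIND's DLZ is updated without taking the resolver down. The following is an added example of that normalisation step, not code from the SafeDNS repository. It assumes two feed shapes that the slides do not specify (a domain-per-line list with # comments, and a hypothetical tab-separated feed with the domain in the second column), a local allowlist, and that the refresh is applied as an insert/delete diff against the live table rather than a truncate-and-reload; the sample feed contents are constructed.

```python
"""Merge blocklist feeds into the row set the sinkhole zone table should hold.

Added example, not code from the SafeDNS project. Feed formats, the allowlist
and the sample entries below are assumptions/constructed for illustration.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed sample feeds (not real feed content).
PLAIN_FEED = """\
# domain-per-line blocklist (constructed sample)
evil-bank-update.example
C2.Botnet.Example.
evil-bank-update.example
not a domain!
"""

TAB_FEED = """\
## constructed tab-separated feed: nextvalidation<TAB>domain<TAB>class<TAB>referer
20130101\tmalware-drop.example\tattackpage\tconstructed
20130101\tad.doubleclick.net\ttracker\tconstructed
20130101\tsub.cleaned-site.example\tphishing\tconstructed
"""

# Domains that must never be sinkholed, whatever the feeds say.
ALLOWLIST = {"doubleclick.net"}

# Conservative hostname check: labels of [a-z0-9-], no leading/trailing
# hyphen, at least two labels, at most 253 characters overall.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def normalize(domain: str) -> Optional[str]:
    """Lowercase, strip the trailing dot, reject anything that is not a hostname."""
    d = domain.strip().lower().rstrip(".")
    if len(d) > 253 or not _HOSTNAME_RE.match(d):
        return None
    return d


def parse_plain_feed(text: str) -> Iterable[str]:
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def parse_tab_feed(text: str, column: int = 1) -> Iterable[str]:
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) > column:
            yield fields[column]


def is_allowlisted(domain: str, allowlist: Set[str]) -> bool:
    """A listed parent domain covers all of its subdomains."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def build_blocklist(feeds: Dict[str, Iterable[str]],
                    allowlist: Set[str]) -> Tuple[Set[str], Dict[str, str]]:
    """Return (domains to sinkhole, rejected raw entry -> reason)."""
    keep: Set[str] = set()
    rejected: Dict[str, str] = {}
    for source, entries in feeds.items():
        for raw in entries:
            d = normalize(raw)
            if d is None:
                rejected[raw] = f"{source}: not a hostname"
            elif is_allowlisted(d, allowlist):
                rejected[raw] = f"{source}: allowlisted"
            else:
                keep.add(d)
    return keep, rejected


def plan_refresh(current: Set[str], wanted: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Rows to insert and rows to delete so the live table ends up equal to `wanted`.

    Applying a diff instead of truncating and reloading is what lets a
    DLZ-backed BIND keep answering throughout the nightly refresh.
    """
    return wanted - current, current - wanted


def load_sample() -> Tuple[Set[str], Dict[str, str]]:
    feeds = {"plain": parse_plain_feed(PLAIN_FEED), "tab": parse_tab_feed(TAB_FEED)}
    return build_blocklist(feeds, ALLOWLIST)


if __name__ == "__main__":
    keep, rejected = load_sample()
    live = {"malware-drop.example", "old-cleaned.example"}   # constructed current table
    inserts, deletes = plan_refresh(live, keep)
    print("insert:", sorted(inserts))
    print("delete:", sorted(deletes))
    print("rejected:", rejected)
```

The rejected map is worth keeping per run: the "2 false positives from recently cleaned domains" on the results slide are exactly the entries that stay in a feed after the site is fixed, and a nightly report of what was added is the cheapest way to catch them early.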
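The privacy slide says the Apache side keeps the time and the sinkholed hostname but never the client IP, and keeps referers only as per-day aggregates. The following is an added example of a log filter that enforces that, not code from the SafeDNS project. It assumes an Apache LogFormat of `%h %t "%{Host}i" "%r" %>s "%{Referer}i"` fed through piped logging (`CustomLog "|/usr/local/bin/filter.py" sinkhole`), so the raw line with the IP exists only in the pipe and is never written to disk; the format and the sample lines are constructed.

```python
"""Privacy filter for the sinkhole's Apache log (added example, not SafeDNS code).

Assumed input line shape (an assumption; the slides do not give the format):
    LogFormat "%h %t \"%{Host}i\" \"%r\" %>s \"%{Referer}i\"" sinkhole
Output is what the privacy policy allows: (time, sinkholed hostname) per hit,
and referer origins counted per day. The client IP is parsed and discarded.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample lines (not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 [14/Jun/2012:09:12:03 -0400] "evil-bank-update.example" "GET /login.php HTTP/1.1" 200 "http://www.forum.example/thread/42"
203.0.113.7 [14/Jun/2012:09:12:05 -0400] "evil-bank-update.example" "GET /favicon.ico HTTP/1.1" 200 "-"
198.51.100.23 [14/Jun/2012:17:40:10 -0400] "malware-drop.example" "GET /bot.exe HTTP/1.1" 200 "http://www.forum.example/thread/42"
198.51.100.23 [15/Jun/2012:00:01:44 -0400] "malware-drop.example" "GET /bot.exe HTTP/1.1" 200 "http://mail.example/?msgid=1"
garbage line that does not parse
'''

_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<host>[^"]*)" "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    m = _LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def hit_record(entry: dict) -> Tuple[str, str]:
    """Per-hit record: timestamp and sinkholed hostname only.

    The client IP, request line and referer are dropped on purpose.
    """
    return (entry["time"], entry["host"].lower())


def day_of(apache_time: str) -> str:
    # "14/Jun/2012:09:12:03 -0400" -> "2012-06-14"
    return datetime.strptime(apache_time, "%d/%b/%Y:%H:%M:%S %z").strftime("%Y-%m-%d")


def referer_origin(referer: str) -> Optional[str]:
    """Reduce a referer URL to scheme://host so paths and query strings never persist."""
    if referer in ("", "-"):
        return None
    m = re.match(r"^(https?)://([^/:?#]+)", referer, re.IGNORECASE)
    return f"{m.group(1).lower()}://{m.group(2).lower()}" if m else None


def filter_log(lines: Iterable[str]) -> Tuple[List[Tuple[str, str]], Dict[str, Counter], int]:
    """Return (per-hit records, {day: Counter(origin -> hits)}, count of unparsable lines)."""
    hits: List[Tuple[str, str]] = []
    daily: Dict[str, Counter] = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1          # never echo the raw line: it may contain an IP
            continue
        hits.append(hit_record(entry))
        origin = referer_origin(entry["referer"])
        if origin:
            daily[day_of(entry["time"])][origin] += 1
    return hits, dict(daily), unparsed


if __name__ == "__main__":
    import sys
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    hits, daily, bad = filter_log(src)
    for t, host in hits:
        print(f"{t} {host}")
    for day, counts in sorted(daily.items()):
        for origin, n in counts.most_common():
            print(f"{day} {origin} {n}")
    print(f"# unparsed lines: {bad}")
```

Unparsable lines are counted rather than copied through, because a line the regex cannot read is exactly the kind of line whose contents you have not vetted. The per-day referer counts still answer the operational question (which page or mail is sending people to a sinkholed domain) without building a per-client browsing record.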