A DNS Greywall uses observation data and reputation intelligence to decide whether a domain or host name may be accessed right now. Greywalls are designed and tuned to mitigate real-time cyber-attacks in which end-users and endpoints attempt to connect to phishing sites, ransomware downloads, and malware command and control. Greywalls reduce risk by temporarily preventing unwitting end-users from interacting with domains, host names, and URLs that have no history, no reputation, or were generated by an algorithm.
How Does the Securd DNS Greywall Work?
A DNS Greywall is a host name and domain defense within a DNS Firewall system. The greywall knows which hosts and domains are acceptable to connect to, and it must also be aware of new and untrusted host names that should not be connected to. The security administrator determines how long a connection to a greywalled host name or domain is temporarily blocked. A temporary block can be as short or as long as the security administrator establishes in a security policy; in most cases it is set between 1 hour and 90 days. This temporary block gives security tools, providers, and the information security community time to discover, assess, and distribute protection or intelligence that mitigates the threat.
End-user Clicks on Phishing Link
A threat actor registers a domain and, within 15 minutes, launches a phishing campaign. An unwitting target end-user is tricked into clicking a phishing link and attempts to visit https://some-evil-phishing-site.example.com/phishing-attack/login.html
Endpoint Initiates A DNS Lookup
The end-user's system attempts to access the domain some-evil-phishing-site.example.com. Before the endpoint can connect, it must resolve the name to an IP address by obtaining an A record.
The DNS Firewall Controls Order of Operations
Before the greywall feature in a DNS firewall allows the DNS server to resolve a query, it runs its checks to decide whether to allow or deny it. For example, it determines whether a query for some-evil-phishing-site.example.com has been observed before, and whether the domain was dormant for some time or was only just registered. If the query matches any block criteria, it is denied and the user is redirected to a block page stating why. All blocked traffic is logged for a security administrator to review.
DNS Firewall Releases The Greywalled Asset
Once the greywall criteria for some-evil-phishing-site.example.com expire, the greywall allows a DNS query for it to continue. With Securd, this triggers additional measures to confirm that some-evil-phishing-site.example.com is not an active threat. If the query does not match any criteria in the security policy, Securd's global recursive DNS servers continue to process and resolve the request, and the allowed query is recorded in passive DNS logs available for review and analysis in the Securd Portal.
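The walk-through above describes a decision sequence: trusted names pass, known-bad names are denied, and names that are newly registered, never observed, or returning from dormancy are held for the administrator's block window before being released. The following Python model replays that sequence against constructed data. It is an added example, not Securd's code, and it makes simplifying assumptions: registration dates, the allow list and the observation history are in-memory dictionaries rather than WHOIS, passive DNS or threat feeds; reputation is modeled as a static block list; and the host name, policy values and timestamps are constructed for the scenario.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Observation:
    first_seen: datetime   # when this host name was first queried through the resolver
    last_seen: datetime    # most recent query, used to spot names that went dormant


@dataclass
class Policy:
    hold: timedelta          # temporary block for new or unknown names (page: 1 hour to 90 days)
    dormancy_gap: timedelta  # a name unseen for this long is treated as new again


@dataclass
class Decision:
    action: str                              # "allow" or "block"
    reason: str                              # shown on the block page and written to the log
    released_at: Optional[datetime] = None   # when a temporary block lapses; None if permanent


def suffixes(name: str):
    """Yield the host name and each parent domain: a.b.example.com -> b.example.com -> ..."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class Greywall:
    def __init__(self, policy, registrations, allowlist=(), blocklist=()):
        self.policy = policy
        self.registrations = dict(registrations)   # domain -> registration time (constructed)
        self.allowlist = set(allowlist)            # trusted names or parent domains
        self.blocklist = set(blocklist)            # reputation intelligence: known-bad domains
        self.observations = {}                     # passive-DNS style history per host name
        self.blocked_log = []                      # (time, name, reason) for admin review

    def evaluate(self, qname, now):
        name = qname.rstrip(".").lower()
        decision = self._decide(name, now)
        obs = self.observations.get(name)
        if obs is None:                            # record the first sighting even when blocked
            self.observations[name] = Observation(first_seen=now, last_seen=now)
        else:
            obs.last_seen = now
        if decision.action == "block":
            self.blocked_log.append((now, name, decision.reason))
        return decision

    def _decide(self, name, now):
        p = self.policy
        if any(s in self.allowlist for s in suffixes(name)):
            return Decision("allow", "trusted by policy")
        if any(s in self.blocklist for s in suffixes(name)):
            return Decision("block", "reputation: known malicious domain")
        for s in suffixes(name):                   # just-registered domain: hold until it ages
            registered = self.registrations.get(s)
            if registered is not None and now - registered < p.hold:
                return Decision("block", f"domain {s} registered {now - registered} ago",
                                registered + p.hold)
        obs = self.observations.get(name)
        if obs is None:                            # zero history: hold from this first sighting
            return Decision("block", "host name never observed before", now + p.hold)
        if now - obs.last_seen > p.dormancy_gap:   # dormant name returns: its hold starts over
            gap = now - obs.last_seen
            obs.first_seen = now
            return Decision("block", f"dormant for {gap}", now + p.hold)
        if now - obs.first_seen < p.hold:          # seen before, but not for long enough yet
            return Decision("block", f"first observed {now - obs.first_seen} ago",
                            obs.first_seen + p.hold)
        return Decision("allow", "observed history satisfies policy")


# Constructed: the moment the threat actor registers the phishing domain.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def summarize(d):
    return (d.action, d.reason, d.released_at.isoformat() if d.released_at else None)


def run_scenario():
    """Replay the page's walk-through: register, phish 15 minutes later, wait, return later."""
    policy = Policy(hold=timedelta(hours=24), dormancy_gap=timedelta(days=60))
    phish = "some-evil-phishing-site.example.com"
    gw = Greywall(policy, registrations={phish: T0}, allowlist={"example.net"})
    steps = [
        ("trusted", "www.example.net", T0 + timedelta(minutes=15)),
        ("fresh_registration", phish, T0 + timedelta(minutes=15)),
        ("fresh_observation", phish, T0 + timedelta(hours=24, minutes=10)),
        ("released", phish, T0 + timedelta(hours=25)),
        ("dormant_return", phish, T0 + timedelta(days=90, hours=25)),
    ]
    out = {label: summarize(gw.evaluate(q, t)) for label, q, t in steps}
    out["blocked_count"] = len(gw.blocked_log)
    return out


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(label, result)
```

The two hold clocks are deliberately separate: the registration check releases 24 hours after registration, but the observation check only releases 24 hours after the resolver first saw the name, so the third query at 24 hours 10 minutes is still denied. The dormancy check makes a long-silent name start its hold over, which is how a parked domain that suddenly wakes up is treated as new rather than trusted on its old history.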