In this article, you will learn everything you need to know about the DNS Security - Endpoint module. DNS Security - Endpoint is based on the DarkLayer Guard engine, Heimdal's endpoint DNS threat hunting tool, and includes our Threat to Process Correlation (TTPC) technology, which lets you identify the processes, users, URLs, and attacker origins used to infiltrate your network. DNS Security - Endpoint makes DarkLayer Guard - Endpoint work in tandem with our VectorN Detection AI-based traffic pattern recognition engine, giving you HIPS/HIDS and IOA/IOC capabilities and spotting hidden malware without relying on code or signatures.
1. Description
2. How does DNS Security - Endpoint work?
3. HEIMDAL Agent - DarkLayer Guard
4. DNS Security - Endpoint view
5. DNS Security - Endpoint settings
DESCRIPTION
DNS Security - Endpoint filters DNS traffic based on the origin and destination of each DNS request. It replaces the manually set or DHCP-assigned DNS server addresses on the endpoint with addresses from the local host range (loopback for IPv4, link-local for IPv6), so the computer sends every DNS query to the DarkLayer Guard resolver running on the machine itself. The original DNS server values from the network adapter settings are not lost: they are saved under GUIDs in the Windows Registry and used as upstream resolvers for queries that pass the filter, whether those target internal resources (print servers, local file servers, or anything with a private IP address) or external ones. The traffic filtering engine stops malicious packets from communicating across the network, prevents man-in-the-browser attacks, detects zero-hour exploits, protects against data or financial exfiltration, prevents data loss and network infections, and detects local DNS hijacking/poisoning.
DNS Security - Endpoint blocks malicious websites by preventing users from establishing untrusted connections. Once such a connection is made, an attacker can open a backdoor into the PC through a zero-day exploit or by executing remote shellcode. The module also ensures that data is not automatically filled into online forms belonging to fraudulent websites.
- An example of how DNS Security - Endpoint protects users from financially exploiting malware (banking trojans) can be seen below:
The DarkLayer Guard - Endpoint filter receives more than 800,000 new updates every week to keep up with cybercriminals' threats, and a filter update is delivered every 2 hours. The updates are built from a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes, and data gathered during e-crime analysis. This insight into cybercrime enables Heimdal to stop a PC or network from sending data to a hacker-controlled server, thereby protecting corporate or personal data from exfiltration.
Heimdal does not share a full repository of the DNS detections due to the tremendous data volume of the AI Predictive DNS; hence, VirusTotal will not necessarily show the Heimdal detection. You will have to rely on the Investigate mode in the Heimdal Dashboard.
HOW DOES DNS SECURITY - ENDPOINT WORK?
On Windows, when DNS Security - Endpoint is enabled, the DarkLayer Guard - Endpoint engine starts a local DNS server that acts as a filtering engine in front of every DNS query made on the machine. The DarkLayer Guard DNS server takes over the DNS server address on the active network adapter(s) so that it can screen for malicious websites and other web locations (servers, online ads, etc.) that could install malware or serve as gateways for cyber-attacks.
The DarkLayer Guard - Endpoint engine will change the DNS (Domain Name System) IP Addresses on IPv4 and IPv6.
- On IPv4, it changes your DNS server address from Obtain DNS server addresses automatically (set by DHCP), or from an already configured static DNS address, to 127.7.7.x (the DarkLayer Guard DNS address). Your original DNS address is backed up in the Windows Registry and is used to resolve the DNS queries that are allowed through.
- On IPv6, it changes your DNS server address from Obtain DNS server addresses automatically (set by DHCP), or from an already configured static DNS address, to fe80::xxxx:yyyy:xxxx:zzzz (the DarkLayer Guard DNS address). Your original DNS address is backed up in the Windows Registry and is used to resolve the DNS queries that are allowed through.
Once the DNS address is set, every name queried from the endpoint is checked against a database stored locally in the HEIMDAL Agent installation path. This database is about 15 MB in size, and about 95% of blocked websites are caught by it.
If the website is identified as being infected, the DarkLayer Guard - Endpoint engine will block it, and you will see this block page (in the browser):
Additionally, if you run nslookup on a malicious domain, it resolves to tpeblockserver.trafficmanager.net / 20.86.55.232 (the HEIMDAL Security block page):
If the name is not blocked by the local database, there is a second step: it is checked again against a cloud database (about 6 GB in size). If it is found to be malicious there, DarkLayer Guard - Endpoint blocks it; if it is safe, the website is accessed normally.
IMPORTANT
The entire filtering process takes milliseconds and does not noticeably affect your internet connection speed.
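The following PowerShell script is an added example, not part of the Heimdal product or this article, for checking from the endpoint itself that DarkLayer Guard has taken over name resolution as described above. It assumes the block page address stated in the article (20.86.55.232) and uses a placeholder domain, $BlockedDomain, that you replace with one you know is blocklisted (for instance one added to the group policy's Domains blocklist).

```powershell
# Added example (not Heimdal code). Verifies two things on a Windows endpoint:
#   1. every adapter that is Up points its DNS servers at the DarkLayer Guard
#      addresses (127.7.7.x / fe80::..., or 127.0.0.1 / ::1 when the
#      "Use default loopback address" option is enabled);
#   2. a domain you expect to be blocked resolves to the block-page IP.
# Assumptions: $BlockPageIp is the block page address quoted in the article;
# $BlockedDomain is a placeholder you must replace with a blocklisted domain.

$BlockPageIp   = '20.86.55.232'
$BlockedDomain = 'blocked.example'   # placeholder, not a real Heimdal test domain

function Test-DlgResolverAddress {
    param([string]$Address)
    # 127.7.7.x: DarkLayer Guard IPv4 listener; fe80:: prefix: its IPv6 link-local
    # listener; 127.0.0.1 / ::1: used when "Use default loopback address" is on.
    return ($Address -like '127.7.7.*' -or $Address -eq '127.0.0.1' -or
            $Address -eq '::1' -or $Address -like 'fe80:*')
}

# 1. Per-adapter DNS server check (only adapters that are Up).
foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
    $servers = Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex |
               ForEach-Object { $_.ServerAddresses }
    $bypass  = $servers | Where-Object { -not (Test-DlgResolverAddress $_) }
    if ($bypass) {
        Write-Warning ("{0}: DNS servers {1} bypass DarkLayer Guard" -f $nic.Name, ($bypass -join ', '))
    } else {
        Write-Output ("{0}: DNS -> {1} (DarkLayer Guard)" -f $nic.Name, ($servers -join ', '))
    }
}

# 2. Resolution check: a blocklisted domain must land on the block page.
#    -DnsOnly skips the hosts file and the local cache so the answer comes
#    from the resolver configured on the adapter, i.e. DarkLayer Guard.
try {
    $ips = Resolve-DnsName -Name $BlockedDomain -Type A -DnsOnly -ErrorAction Stop |
           Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
    if ($ips -contains $BlockPageIp) {
        Write-Output ("{0} -> {1}: blocked by DarkLayer Guard" -f $BlockedDomain, $BlockPageIp)
    } else {
        Write-Warning ("{0} resolved to {1}, not the block page; filtering may be bypassed" -f `
            $BlockedDomain, ($ips -join ', '))
    }
} catch {
    Write-Warning ("Lookup of {0} failed: {1}" -f $BlockedDomain, $_.Exception.Message)
}
```

Run it in a PowerShell session on the endpoint after the HEIMDAL Agent has applied the group policy. An adapter reported as bypassing DarkLayer Guard is the usual sign of a VPN client or another DNS tool resetting the DNS servers, which is what the compatibility settings later in this article address.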
HEIMDAL Agent - DarkLayer Guard
The HEIMDAL Agent displays information about the Prevented Attacks, the Targeted Processes, and the VectorN Detections.
When enabled, a pop-up window is shown to the user whenever a malicious domain is queried. Clicking Click for the full details opens the HEIMDAL Agent in the DNS Security -> DarkLayer Guard view.
The information displayed on the HEIMDAL Agent - DNS Security section is reported to the HEIMDAL Dashboard -> DNS Security - Endpoint view.
DNS Security - ENDPOINT view
The DNS Security - Endpoint view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks. You can navigate between multiple pre-filtered views to quickly and easily access the information that you need to process to analyze and remediate potential vulnerabilities.
The collected information is placed in the following views: Standard, Category Blocks, Manual Blocklist, Allowlist Request, Full Logging, Investigate, and CASB.
Standard
The details displayed in the Standard view table are the following: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, Manual Blocklists and Risk Level. The Standard view is a complete overview of the total analyzed requests, prevented attacks, and manually blocked domains as well as a pre-calculated risk level for your device. All entries are identified by hostname, username, and IP address. The calculated risk score is based on the time frame selected in the HEIMDAL Dashboard and offers a great way to visualize and measure the impact of your awareness training and security procedures that you facilitate in your organization, as you can track the changes in your high-risk users' behavior over time.
The Analyzed Requests represent the total DNS requests intercepted by the HEIMDAL Agent (whether blocked or allowed). The Prevented Attacks represent the DNS requests blocked by the HEIMDAL Agent, while the Manual Blocklists column shows domains blocked based on the entries in the group policy's blocklist.
The information on blocked domains can be arranged and filtered based on the other views available from the dropdown: Threat Type, Domain/Hits (blocks), Hostname/Threats, Latest Threats, Forensics and TTPC.
Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. The Category Blocks view presents a consolidated overview of all hits to the preset Category Filters. This view makes it easy to manage the chosen Categories, visualize their impact, and identify users whose online behavior does not match the organization's policy.
Manual Blocklists
This view displays a table with the following details: Hostname, Username, Type, Domain blocked, Process name. The view shows domains blocked by the Agent based on the entries set in the blocklist from the group policy.
Allowlist Requests
The Pending approval view displays a table with the following details: Hostname, Username, Domain, Reason.
This view shows all access requests to blocked domains awaiting administrator action. Approving a request adds the domain to the allowlist, either in the group policy for the DNS Security - Endpoint module or in the Network settings for the DNS Security - Network module.
The History view displays a table with the following details: Hostname, Username, Domain, Reason, Status.
This view displays all processed requests, both approved and denied.
Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and Total Hits.
Investigate
This view allows you to get DNS-related statistics on any domain you enter in the search field. The view is split into 4 subsections:
a. Global Threat Intelligence - displays:
- the top 3 processes that accessed the domain most often;
- DNS-E matches: the number of times, in the selected timeframe, the domain was intercepted by DNS-E in your environment;
- Global DNS-E matches: the number of times, in the selected timeframe, the domain was intercepted by DNS-E across the global Heimdal Security database;
- the domains/URLs that share the same IP address;
- DNS-E + DNS-N matches: the number of times, in the selected timeframe, the domain was intercepted by DNS-E and DNS-N in your environment;
- Global DNS-E + DNS-N matches: the number of times, in the selected timeframe, the domain was intercepted by DNS-E and DNS-N across the global Heimdal Security database.
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of the domain (in question) on the DNS Security Endpoint blocklist (blocklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score.
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain: the blue line shows queries for which the domain was found clean at the time of the query, while the red line shows queries for which it was found infected at the time of the query.
d. Requester distribution - displays a map and statistics of the top public IP addresses that queried the domain in question (the origin of the DNS queries).
CASB
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment, with the following details: Application Name, Vendor, Installed Endpoints, and Risk Level. It acts as a cloud access security broker (CASB), giving you a set of capabilities to manage and control the use of cloud apps across your organization, including visibility into inappropriate cloud app usage.
The selection column allows you to select one or multiple applications and add/remove them to/from the Application blocklist.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
DNS Security - Endpoint settings
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s) it will revert to automatic DNS (served by the DHCP). By default, this option is disabled, and DarkLayer Guard should work just fine on any type of computer. It is recommended only if you use a VPN product/service that resets the DNS IP Address (after disconnecting) and sets the DNS to Obtain DNS server address automatically on the NIC.
This option is NOT recommended if:
- You use a static DNS IP Address(es) on your NIC;
- You are applying it to a Domain Controller/DNS Server.
Use default loopback address - this feature tells DarkLayer Guard to set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This forces the DarkLayer Guard engine to intercept traffic through a single adapter. The setting helps ensure compatibility between DNS Security - Endpoint and certain VPN products, as well as other software you may use, such as virtualization products.
Improve TTPC accuracy - installs and updates the Sysmon Windows addon (if not installed already) to improve the interception of processes that perform malicious DNS requests (if the endpoint is running another application that uses Sysmon, this might cause a conflict for this functionality).
- You can find the Sysmon logs in Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> Sysmon -> Operational. The Event ID used for DNS request logging is 22.
- When the DarkLayer Guard - Endpoint engine receives the process ID from Sysmon and queries the Windows process list, there is a risk that the process has already exited. If this happens, DarkLayer Guard - Endpoint cannot retrieve the process information, and a generic "-" is displayed in the HEIMDAL Dashboard.
- There is a 2-minute wait time when the same domain is accessed, and this will result in displaying only one entry for that specific domain, even if it was accessed several times in that time interval. In the Event Viewer Logs, an entry will show up every time a domain is accessed.
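The following PowerShell script is an added example, not Heimdal code, that reads the Sysmon Event ID 22 records named above and correlates each blocked lookup with the process that made it, i.e. it reproduces by hand what Threat to Process Correlation reports in the Dashboard. It assumes Sysmon with DNS logging is installed (as "Improve TTPC accuracy" does), read access to the Sysmon Operational log (normally an elevated session), the block page address quoted earlier in the article (20.86.55.232), and Sysmon's convention of writing IPv4 answers in QueryResults as "::ffff:a.b.c.d;".

```powershell
# Added example (not Heimdal code): correlate blocked DNS queries with the
# querying process from Sysmon Event ID 22 (DnsQuery) records.
# Assumptions: block page is 20.86.55.232 (from the article); Sysmon stores
# IPv4 answers in QueryResults as "::ffff:20.86.55.232;", so a substring
# match on the bare IP catches both forms.

$BlockPageIp = '20.86.55.232'
$Since       = (Get-Date).AddHours(-24)

function Get-SysmonDnsEvents {
    param([datetime]$StartTime)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22; StartTime = $StartTime }
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # EventData is a list of <Data Name="...">value</Data> nodes; flatten it.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time         = $ev.TimeCreated
            ProcessId    = [int]$data['ProcessId']
            Image        = $data['Image']
            QueryName    = $data['QueryName']
            QueryResults = $data['QueryResults']
        }
    }
}

function Get-BlockedQueriesByProcess {
    param([datetime]$StartTime, [string]$SinkIp)
    Get-SysmonDnsEvents -StartTime $StartTime |
        Where-Object { $_.QueryResults -like "*$SinkIp*" } |
        # The Dashboard shows one entry per domain per 2-minute window, but the
        # event log holds every query, so Hits is the true count per process/domain.
        Group-Object Image, QueryName |
        ForEach-Object {
            $ordered = $_.Group | Sort-Object Time
            $first   = $ordered | Select-Object -First 1
            [pscustomobject]@{
                Image        = $first.Image
                Domain       = $first.QueryName
                Hits         = $_.Count
                FirstSeen    = $first.Time
                LastSeen     = ($ordered | Select-Object -Last 1).Time
                # The process may have exited already (the Dashboard then shows "-").
                # PIDs are reused, so treat this only as a hint and rely on Image.
                StillRunning = [bool](Get-Process -Id $first.ProcessId -ErrorAction SilentlyContinue)
            }
        } | Sort-Object Hits -Descending
}

Get-BlockedQueriesByProcess -StartTime $Since -SinkIp $BlockPageIp | Format-Table -AutoSize
```

Because the script keys on the image path rather than the PID, it still attributes the query when the process has already exited, which is the case the Dashboard renders as "-". Extend the time window or the -like pattern (for example to a domain you are investigating) when hunting for a specific beacon.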
Full logging - get enriched information on the DNS requests made from the endpoints (we will log all the DNS requests made in your environment), and provide data for the CASB view.
Compatibility Settings
DoH Compatibility Mode - this feature prevents your active browser (Google Chrome or Mozilla Firefox) from using DNS over HTTPS, which would otherwise bypass the more comprehensive DNS traffic filtering provided by HEIMDAL™ DNS Security.
Cisco Anyconnect/Fortinet compatibility mode - this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect/Fortinet IPv6 filtering.
Use supported VPN forwarders - makes the DarkLayer Guard engine use the DNS IP Addresses provided/set by the VPN adapter on all the adapters of the endpoint.
Support PPP Adapters - this option will allow DNS-E to detect PPP adapters created by certain VPNs and use them to intercept the traffic. It will enable additional compatibility options in your Heimdal Group Policy as prerequisites.
High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services that are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drive authentication, etc.
Pause DarkLayer Guard when Cisco Anyconnect or Fortinet is detected - this feature pauses the DarkLayer Guard engine while the endpoint is connected through Cisco Anyconnect/Fortinet. DNS filtering is re-enabled automatically after disconnecting from Cisco Anyconnect/Fortinet.
Force NCSI fix - this feature fixes the Network Connectivity Status Indicator, which can cause the tray network icon to show the globe (no internet access) when running alongside DarkLayer Guard. The HEIMDAL Agent sets the EnableActiveProbing value to 1 under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet, and adds a Microsoft IP address to the hosts file (C:\Windows\System32\drivers\etc\hosts).
DNS server response validation - the DarkLayer Guard will test the DNS Resolvers and alternate them in case any of them fail (we change the 1st DNS with the 2nd one until the 1st one is up and running again).
Disable DarkLayer Guard for IPv6 - allows you to disable DarkLayer Guard filtering on IPv6 (to solve a conflict between Cisco's AnyConnect mechanism and the DarkLayer Guard). This option is greyed out by default and becomes active when Cisco AnyConnect/Fortinet compatibility mode is enabled.
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates to the filtering database.
DNS over HTTPS Server - allows you to specify a DoH domain or IP address to be used by the DarkLayer Guard engine as its upstream DNS server. The DNS over HTTPS Server filters traffic only while the computer is outside the organization's network. When the computer is connected to the domain locally or via VPN, the DNS over HTTPS Server is not used; traffic is resolved through the internal DNS server instead. DoH servers usually answer from different IP addresses depending on location, so the common practice is to identify them by DNS name, which stays the same.
Domains allowlist – this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by Heimdal™ DNS Security. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and must be listed on the same row; you can download a sample CSV file from here):
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that Heimdal™ DNS Security - Endpoint does not consider a threat or block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on the same row; you can download a sample CSV file from here):
Internal Approval flow - allows end users to have the option to submit, from either the Heimdal default block page or the custom one, domain allowlisting requests, while IT Admins will receive and manage these requests directly from the Heimdal Dashboard.
When Enabled: End users will see a "Request Unblock" button on the block page. Clicking this button allows them to submit a request (with an optional justification) that is routed to the internal IT team. These requests are centralized in the Heimdal Dashboard under DNS Security -> Allowlist requests for review, where an Administrator can manually approve or deny them.
When Disabled: The block page will instead display a "Website reanalysis request" button. This action submits the domain directly to Heimdal Customer Support for a global intelligence evaluation to determine if the domain should be reclassified.
Require Allowlist Reason – When this sub-option is enabled, end users are required to provide a justification (up to 100 characters) when submitting an unblock request. This mandatory reasoning is then displayed alongside the request in the Heimdal Dashboard, providing administrators with the necessary context for a more efficient review and approval process.
Application blocklist - allows you to add any application intercepted by CASB. This list is populated when you add an application from the CASB view. The Application blocklist works in conjunction with the Domains blocklist: its rules are not applied if the latter is disabled. The Domains allowlist takes precedence over any blocklist: if a domain or application domain is blocked by the Application blocklist and/or the Category list but is also on the Domains allowlist, it is allowed and the end user can access it.
Custom block pages - this feature allows you to set your organization's name, write a personalized message in plain text (no HTML or CSS tags) to be shown on the block page, and add your logo, replacing the default Heimdal block page whenever DNS Security - Endpoint intercepts and blocks access to a malicious (or blocklisted) domain. The maximum allowed logo size is 1 MB (300 x 300 pixels); exceeding it produces an error.
Install Block Page Certificate – this feature allows DarkLayer Guard to display the Heimdal or Custom block page for HTTPS websites. This will automatically install the required certificate on all machines associated with the respective GP.
Block by Category - this feature allows you to block groups of domains that belong to a category (examples: Social, Sports, Gambling, Finance, Health, Keeping Children Safe in Education, and others):
Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals during which the Block by Category feature applies.
IMPORTANT
Do not use the DarkLayer Guard - Endpoint engine in combination with another DNS traffic scanning application because they might conflict with each other, and neither of them will work correctly. We recommend that you disable other traffic scanning applications installed locally before you enable Heimdal's DarkLayer Guard engine.