
SecureDNS/Forseti overview

What is SecureDNS/Forseti?

SecureDNS/Forseti is a blacklisting (filtering) solution for DNS requests using multiple sources. Compatible with any existing Antivirus software, the SecureDNS/Forseti feature is a solution for securing DNS traffic by pre-emptively blocking malicious domains and communications to and from C&C, Phishing, and generally malicious servers.

As of August 17th, 2020, Heimdal™ Security (HEIMDAL™) has completed its DNS neural network program for enriching its SecureDNS/Forseti filtering engine with unparalleled neural AI capabilities. SecureDNS/Forseti provides unparalleled threat prevention capabilities to thousands of enterprises across the globe.

Now, in an unprecedented move, the Machine Learning (ML) engineers at HEIMDAL™ have successfully built and trained a neural network for SecureDNS/Forseti (and for the DarkLayer™ Guard product) that enables the prediction of malicious DNS. Employing an outstanding amount of gradient-boosting decision trees and over 24 DNS features and criteria, the new neural network AI is state-of-the-art.

Afterward, by using the original intelligence and data provided by the rest of the security solutions in HEIMDAL™’s unified E-PDR (Endpoint Prevention Detection and Response) suite, the neural network is able to trace complex patterns of correlation between the DNS linguistical characteristic features from the training corpus. The training of the neural network results in a significantly improved detection rate of potentially malicious domains, as well as a decrease in the number of false positives flagged.

HEIMDAL™ has doubled the rate of correct detections, predicted future domains that are bound to be registered, and unlocked the algorithm’s capacity to detect malicious domains that would normally have escaped detection by the human eye. Combined with the power of the VectorN Detection™ engine, it will be virtually unstoppable against malicious attack attempts on enterprise security.

The following sections show how this service is configured on your DNS Forwarder (server) and how to point it to the SecureDNS/Forseti service.


Implementing SecureDNS/Forseti (on Windows Server):

In order to implement SecureDNS/Forseti in your organization, you will need to configure the DNS Server(s) in your organization to use the following Secure DNS IP Addresses as "DNS Forwarders":

  • 185.113.230.53
  • 185.113.231.53

To set up DNS Forwarding on your DNS Server, you need to follow the steps below:

1. Open the DNS Manager from the Server Manager

2. Right-click on the DNS Server and select Properties

3. Select the Forwarders tab and click the Edit button

4. Insert the CSIS DNS IP Addresses (185.113.230.53 and 185.113.231.53) and hit Enter after each IP Address. After entering both IP Addresses, press OK


After configuring the DNS Forwarders, you can test if SecureDNS/Forseti is working by accessing the website www.blockedbycsis.com. If the text on the site says "The website your-domain.com was blocked by CSIS Secure DNS.", this means that SecureDNS/Forseti is working properly.

Implementing SecureDNS/Forseti (on Ubuntu/Debian):

In order to implement SecureDNS/Forseti in your organization, you will need to configure the DNS Server(s) in your organization to use the following Secure DNS IP Addresses as "DNS Forwarders":

  • 185.113.230.53
  • 185.113.231.53

To set up DNS Forwarding on your DNS Server, you need to follow the steps below:

1. Open the interfaces file (/etc/network/interfaces) for editing:

sudo nano /etc/network/interfaces

2. Add the following settings:

auto eth0
iface eth0 inet static
    # static address of the DNS server itself; choose an IP that fits your network
    address 192.168.1.2
    netmask 255.255.255.0
    gateway 192.168.1.1
    # the two SecureDNS/Forseti resolvers
    dns-nameservers 185.113.230.53 185.113.231.53

3. Open the resolv.conf file (/etc/resolv.conf) for editing:

sudo nano /etc/resolv.conf

4. Add the following settings:

nameserver 185.113.230.53
nameserver 185.113.231.53
#options edns0

5. Reboot the machine

6. Update the apt package cache by typing:

sudo apt-get update

7. Install BIND on the DNS Server

sudo apt-get install bind9 bind9utils bind9-doc

8. Open the named.conf.options file (/etc/bind/named.conf.options) for editing:

sudo nano /etc/bind/named.conf.options

9. Add the following settings:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        185.113.230.53;
        185.113.231.53;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

10. Restart bind using the following command-line:

sudo systemctl restart bind9

11. In case there's a firewall rule blocking port 53, you can unblock it with the following command-line:

sudo ufw allow 53

12. After configuring BIND, you can test if SecureDNS/Forseti is working by accessing the website www.blockedbycsis.com. If the text on the site says "The website your-domain.com was blocked by CSIS Secure DNS.", this means that SecureDNS/Forseti is working properly.

Please note that it can take up to 60 minutes from changing your DNS Forwarders until you see the correct blocking page. Your protection is, however, in place immediately after changing forwarders.

It is possible to set additional DNS Forwarders, both internal and external, but we do NOT recommend this. Because a DNS server may send its queries to any of its configured forwarders, you risk bypassing SecureDNS/Forseti for prolonged periods of time and thereby losing your SecureDNS/Forseti protection.
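Once BIND is configured, a quick way to confirm that only the two SecureDNS/Forseti forwarders are in use, and that no extra forwarder has crept in that would let queries bypass the filter, is to audit the forwarders block of named.conf.options. The following script is an added example and is not part of the Heimdal/CSIS article: it writes two constructed sample configuration files to a temporary directory (one correct, one with an extra forwarder, using the documentation address 192.0.2.53) and reports whether each contains exactly 185.113.230.53 and 185.113.231.53.

```shell
#!/bin/sh
# Added example, not from the article: audit a BIND named.conf.options file
# and confirm that its forwarders { ... } block lists exactly the two
# SecureDNS/Forseti resolvers and no additional forwarder that could let
# queries bypass the filter.

EXPECTED_FORWARDERS="185.113.230.53 185.113.231.53"

# Print every IPv4 address found inside the active (uncommented)
# forwarders { ... } block of the given file, sorted and de-duplicated.
# A commented-out block such as "// forwarders { 0.0.0.0; };" is skipped
# because the start pattern requires 'forwarders' at the start of the line.
extract_forwarders() {
    awk '
        /^[[:space:]]*forwarders[[:space:]]*\{/ { inblk = 1 }
        inblk {
            sub(/\/\/.*/, "")   # strip // comments
            sub(/#.*/, "")      # strip # comments
            print
        }
        inblk && /\}/ { inblk = 0 }
    ' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Return 0 when the configured forwarders are exactly EXPECTED_FORWARDERS,
# 1 when any are missing or extra ones are present.
check_forwarders() {
    actual=$(extract_forwarders "$1" | tr '\n' ' ')
    expected=$(printf '%s\n' $EXPECTED_FORWARDERS | sort -u | tr '\n' ' ')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 forwards only to: $actual"
        return 0
    fi
    echo "MISMATCH in $1: expected [$expected] got [$actual]"
    return 1
}

# Constructed sample configs for the demonstration (not real server files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    // forwarders { 0.0.0.0; };   commented-out template block, must be ignored
    forwarders {
        185.113.230.53;
        185.113.231.53;
    };
    dnssec-validation no;
};
EOF
cat > "$SAMPLE_DIR/bad.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders { 185.113.230.53; 185.113.231.53; 192.0.2.53; };
};
EOF

check_forwarders "$SAMPLE_DIR/good.conf"
check_forwarders "$SAMPLE_DIR/bad.conf" || true   # reports the extra forwarder
```

To audit the live file, source the script and call check_forwarders /etc/bind/named.conf.options; a MISMATCH means the server can send some or all of its queries past SecureDNS/Forseti. The check is purely textual, so run it after any edit to the file and, if you manage several forwarders, from your configuration management so drift is caught without waiting for the blocking page test.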

What is the Log Agent?

The Log Agent is a third-party application that passively listens to DNS traffic (using the WinPcap/libpcap capture drivers) and sends the requests to the CSIS DNS Servers. It does not actively act on DNS requests. The Log Agent makes it possible to identify the internal IP addresses and network names of the clients making the DNS requests, and thereby to identify which client machines in your network might be infected without correlating data with network firewall and/or DHCP logs.

The Log Agent must be installed on the DNS Forwarder (server) and logs the IP and MAC addresses of the client machines that are making requests.

Installing the Log Agent on Windows Server:

To install the Log Agent follow the steps below (the installation does not require a system reboot): 

1. Download the Log Agent: https://cdn.secdns.dk/logagent/latest 

2. Run the downloaded installer

3. After the installation, the CSIS LogAgent should be running as a background service.

Installing the Log Agent on Ubuntu/Debian:

The Log Agent should be installed on the machine that acts as the DNS Server (the one your clients use to make DNS requests).

Pre-Requisites:
In order for the SecureDNS LogAgent to work, you need to install libpcap-dev.
Open the Terminal and run the following command:

sudo apt-get install libpcap-dev

Installing the Log Agent:
1. Download the Log Agent from the following link: https://dk-csis-logagent.s3-eu-west-1.amazonaws.com/Builds/linux/log-agent-2.1.2.gz
2. Extract the Log Agent: 

gunzip log-agent-2.1.2.gz

3. Run the Log Agent in the Terminal: 

sudo ./log-agent-2.1.2
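The article starts the Linux Log Agent in the foreground with sudo, which means capture stops when the terminal session ends or the forwarder reboots. The following script is an added example and not part of the Heimdal/CSIS documentation: it writes a systemd unit that runs the agent at boot and restarts it if it fails. The install path /opt/csis-logagent/log-agent-2.1.2 and the unit name csis-logagent.service are assumptions; the binary is invoked with no arguments, as in step 3 above, and as root because libpcap capture requires it.

```shell
#!/bin/sh
# Added example, not from the article: generate a systemd unit so the Linux
# Log Agent keeps running across reboots instead of being started by hand.
# AGENT_BIN and UNIT_NAME are assumed values, not paths from Heimdal/CSIS.

AGENT_BIN=/opt/csis-logagent/log-agent-2.1.2   # assumed install location
UNIT_NAME=csis-logagent.service                 # assumed unit name

# Write the unit file into the given directory and print its path.
# The directory is a parameter so the function can be exercised in a
# scratch directory before being pointed at /etc/systemd/system.
write_logagent_unit() {
    unit_dir=$1
    unit_path="$unit_dir/$UNIT_NAME"
    cat > "$unit_path" <<EOF
[Unit]
Description=CSIS SecureDNS Log Agent (passive DNS capture)
# Capture is only useful once the network and the local resolver are up.
After=network-online.target bind9.service
Wants=network-online.target

[Service]
Type=simple
ExecStart=$AGENT_BIN
# Restart after a crash; a clean self-stop (exit 0) is left alone so the
# agent's own bandwidth/rejection shutdown is respected.
Restart=on-failure
RestartSec=60
# Root is required for libpcap capture, matching the article's sudo invocation.
User=root
# Conservative hardening that does not affect packet capture or HTTPS egress.
NoNewPrivileges=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$unit_path"
}

# Return 0 if the unit in the given directory starts AGENT_BIN, 1 otherwise.
unit_execstart_ok() {
    grep -qx "ExecStart=$AGENT_BIN" "$1/$UNIT_NAME"
}

# Demonstration run in a scratch directory rather than /etc/systemd/system.
SCRATCH=$(mktemp -d)
write_logagent_unit "$SCRATCH"
unit_execstart_ok "$SCRATCH" && echo "unit written to $SCRATCH/$UNIT_NAME"
```

For a real deployment, run write_logagent_unit /etc/systemd/system as root, then systemctl daemon-reload and systemctl enable --now csis-logagent. Check with systemctl status that the agent stays up and that the host can still reach https://api.csis.dk on port 443 (listed under Requirements) before adding further sandboxing directives, since the agent's file and network needs are not documented on this page.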

Requirements:
OS - Any Microsoft supported Windows OS and Linux servers
Network Access – https://api.csis.dk (185.113.228.80) over TLS port 443

Latest version 2.1.2 - Release notes:

  • Addresses an issue causing the installer to fail on selected Windows OS languages;
  • Fixes an issue that caused the service to be unable to restart the kernel driver, had it been shut down;
  • Optimizes event batching to a default of 1MB (~7500 events) or every 1 minute. By default it will not buffer more than 20MB (~150000 events) before starting to discard;
  • Implements more resilient error handling and backoff strategies for hosts that have network fallout;
  • Now stops service on too much bandwidth usage or rejections from the API backend;
  • Now targets http://api.secdns.dk for the API;
  • Relaxes the service subsystem restart strategy: a 1 min sleep after a restart and a maximum of 3 service restarts within one day.