Heimdal™ Threat Prevention - Network is a blacklisting (filtering) solution for DNS requests using multiple sources. Compatible with any existing Antivirus software, the Heimdal™ Threat Prevention - Network feature is a solution for securing DNS traffic by pre-emptively blocking malicious domains and communications to and from C&C, Phishing, and generally malicious servers.
As of August 17th, 2020, Heimdal™ Security (HEIMDAL™) has completed its DNS neural network program for enriching its Heimdal™ Threat Prevention - Network filtering engine with unparalleled neural AI capabilities. Heimdal™ Threat Prevention - Network provides unparalleled threat prevention capabilities to thousands of enterprises across the globe.
Now, in an unprecedented move, the Machine Learning (ML) engineers at HEIMDAL™ have successfully built and trained a neural network for Heimdal™ Threat Prevention - Network (and for the DarkLayer™ Guard product) that enables the prediction of malicious DNS. Employing an outstanding number of gradient-boosting decision trees and over 24 DNS features and criteria, the new neural network AI is state-of-the-art.
Afterward, by using the original intelligence and data provided by the rest of the security solutions in HEIMDAL™'s unified E-PDR (Endpoint Prevention Detection and Response) suite, the neural network is able to trace complex patterns of correlation between the linguistic characteristic features of the DNS names in the training corpus. Training the neural network results in a significantly improved detection rate of potentially malicious domains, as well as a decrease in the number of false positives flagged.
HEIMDAL™ has doubled the rate of correct detections, predicted future domains that are bound to be registered, and unlocked the algorithm's capacity to detect malicious domains that would normally have escaped detection by the human eye. Combined with the power of the VectorN Detection™ engine, it will be virtually unstoppable against all malicious attack attempts on enterprise security.
In the following chapter, you will see how this service is configured on your DNS Forwarder (server) and how to point to the Heimdal™ Threat Prevention - Network service.
Implementing Heimdal™ Threat Prevention - Network (on Windows Server):
In order to implement Heimdal™ Threat Prevention - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following IP Addresses as "DNS Forwarder":
- 193.243.129.53
- 76.223.127.10
- 185.113.230.53 (former SecureDNS Resolvers)
- 185.113.231.53 (former SecureDNS Resolvers)
To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the DNS Manager from the Server Manager
2. Right-click on the DNS Server and select Properties
3. Select the Forwarders tab and click the Edit button
4. Insert the CSIS DNS IP Addresses (193.243.129.53 and 76.223.127.10) and hit Enter after each IP Address. After entering both IP Addresses, press OK
The DNS Forwarders should look like this:
After configuring the DNS Forwarders, you can test if Heimdal™ Threat Prevention - Network is working by accessing the website www.notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that Heimdal™ Threat Prevention - Network is working properly.
See also: How to change the DNS Forwarder on Windows Server.
Implementing Heimdal™ Threat Prevention - Network (on Ubuntu/Debian):
In order to implement Heimdal™ Threat Prevention - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following Secure DNS IP Addresses as "DNS Forwarders":
- 193.243.129.53
- 76.223.127.10
- 185.113.230.53 (former SecureDNS Resolvers)
- 185.113.231.53 (former SecureDNS Resolvers)
To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the interfaces file (/etc/network/interfaces) for editing:
sudo nano /etc/network/interfaces
2. Add the following settings:
auto eth0
iface eth0 inet static
# static IP of your choice (ifupdown does not support end-of-line comments, so keep comments on their own line)
address 192.168.1.2
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 185.113.230.53 185.113.231.53
3. Open the resolv.conf file (/etc/resolv.conf) for editing:
sudo nano /etc/resolv.conf
4. Add the following settings:
nameserver 193.243.129.53
nameserver 76.223.127.10
#options edns0
5. Reboot the machine
6. Update the apt package cache by typing:
sudo apt-get update
7. Install BIND on the DNS Server
sudo apt-get install bind9 bind9utils bind9-doc
8. Open the named.conf.options file (/etc/bind/named.conf.options) for editing:
sudo nano /etc/bind/named.conf.options
9. Add the following settings:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// Forward all queries to the Heimdal™ Threat Prevention - Network
// resolvers listed below; do not add any other forwarders here.
forwarders {
193.243.129.53;
76.223.127.10;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
10. Restart BIND using the following command:
sudo systemctl restart bind9
11. In case there is a firewall rule blocking port 53, you can unblock it with the following command:
sudo ufw allow 53
12. After configuring BIND, you can test if Heimdal™ Threat Prevention - Network is working by accessing the website www.notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that Heimdal™ Threat Prevention - Network is working properly. Please note that it can take 30 to 60 minutes from changing your DNS Forwarders until you see the correct blocking page. Your protection is, however, in place immediately after changing the forwarders.
It is possible to set additional DNS Forwarders, both internal and external, but we do NOT recommend this. Due to the nature of DNS Servers, you risk bypassing Heimdal™ Threat Prevention - Network for a prolonged period of time and thereby removing your Heimdal™ Threat Prevention - Network protection.
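The warning above is easy to violate by accident: a single extra forwarder added "as a fallback" lets queries leave through a resolver that does no filtering. The following audit script is an added example, not part of Heimdal's product or documentation. It parses the forwarders block of a BIND named.conf.options file and reports any forwarder that is not one of the two Heimdal resolvers, or any of them that is missing. The two sample configuration files are constructed inline for the demonstration; 192.0.2.53 is an RFC 5737 documentation address used as a placeholder for a stray third forwarder.

```shell
#!/bin/sh
# Added audit helper, not part of Heimdal's product or documentation.
# Checks that a BIND named.conf.options forwards ONLY to the two Heimdal
# Threat Prevention - Network resolvers, so no extra forwarder can bypass
# the DNS filtering.

HEIMDAL_FORWARDERS="193.243.129.53 76.223.127.10"

# Print the addresses inside the "forwarders { ... };" block of the
# named.conf.options file given as $1, one per line. Handles both the
# multi-line layout used on this page and a single-line block. "//" and
# "#" comments are stripped first so commented-out addresses are ignored
# (block comments /* ... */ are not handled by this simple parser).
extract_forwarders() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" |
    awk '
        /forwarders[[:space:]]*[{]/ { inblk = 1; sub(/.*forwarders[[:space:]]*[{]/, "") }
        inblk {
            line = $0
            if (line ~ /[}]/) { sub(/[}].*/, "", line); inblk = 0 }
            n = split(line, parts, ";")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# Exit status 0 when the file forwards to exactly the Heimdal resolvers;
# 1 when a Heimdal resolver is missing or any other forwarder is present.
# Each problem is reported on stderr.
audit_forwarders() {
    found=$(extract_forwarders "$1")
    status=0
    for ip in $HEIMDAL_FORWARDERS; do
        printf '%s\n' "$found" | grep -qxF "$ip" ||
            { echo "missing Heimdal forwarder: $ip" >&2; status=1; }
    done
    for ip in $found; do
        case " $HEIMDAL_FORWARDERS " in
            *" $ip "*) ;;
            *) echo "extra forwarder bypasses the filter: $ip" >&2; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample configurations for the demonstration (not taken from
# any real server). 192.0.2.53 is an RFC 5737 documentation address used
# here as a placeholder for a stray third forwarder.
GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

cat > "$GOOD_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    // Forward everything to the Heimdal Threat Prevention - Network resolvers.
    forwarders {
        193.243.129.53;
        76.223.127.10;
    };
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
EOF

cat > "$BAD_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    // A third resolver was added "as a fallback": queries can skip the filter.
    forwarders { 193.243.129.53; 76.223.127.10; 192.0.2.53; };
};
EOF

# Run the audit against both samples.
if audit_forwarders "$GOOD_CONF"; then
    echo "OK: $GOOD_CONF forwards only to the Heimdal resolvers"
fi
if ! audit_forwarders "$BAD_CONF"; then
    echo "FAIL: $BAD_CONF has extra or missing forwarders"
fi
```

On a real server, call `audit_forwarders /etc/bind/named.conf.options` (for example from a cron job or a configuration-management check) and pair it with `named-checkconf` for syntax validation. A non-zero exit status means some queries can reach a resolver other than the Heimdal ones, which is exactly the bypass the warning describes.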
Heimdal™ Threat Prevention - Network settings
In order to set up Heimdal™ Threat Prevention - Network in the Heimdal Dashboard, you have to access the Settings section -> Perimeter tab -> Threat Prevention tab.
- Enable Threat Perimeter - enables the Threat Prevention - Network module
- Whitelist - allows you to whitelist a domain/sub-domain for the users in your network
- Blacklist - allows you to blacklist a domain/sub-domain for the users in your network
- Access Rule* - add your Public IP Address(es) to filter traffic through our DNS Servers. Here you can specify a Public IP Address or a Subnet
- FILL CURRENT IP - automatically fills in your current Public IP Address in the Subnet field, ready to be added as an Access Rule
*WARNING: Once a new Access Rule is added for a Public IP Address or Subnet, it will be whitelisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the Heimdal™ Threat Prevention - Network.
Setting up Heimdal™ Threat Prevention - Network on your DNS Server
To set up your DNS Server(s) to forward traffic to the Heimdal™ Threat Prevention servers, you need to add the following 2 IP Addresses as DNS Forwarders:
- 193.243.129.53
- 76.223.127.10