Heimdal™ Threat Prevention - Network overview

In this article, you will learn everything you need to know about the Heimdal™ Threat Prevention - Network module.

1. Description
2. Heimdal™ Threat Prevention - Network Settings
3. Setting up Heimdal™ Threat Prevention - Network
4. Adding the Threat Prevention - Network DNS Forwarders (on Windows Server)
5. Adding the Threat Prevention - Network DNS Forwarders (on Ubuntu/Debian)

Description

Heimdal™ Threat Prevention - Network is a blacklisting (filtering) solution for DNS requests using multiple sources. Compatible with any existing Antivirus software, the Heimdal™ Threat Prevention - Network feature is a solution for securing DNS traffic by pre-emptively blocking malicious domains and communications to and from C&C, Phishing, and generally malicious servers.

As of August 17^th, 2020, Heimdal™ Security (HEIMDAL™) has completed its DNS neural network program for enriching its Heimdal™ Threat Prevention - Network filtering engine with unparalleled neural AI capabilities. Heimdal™ Threat Prevention - Network provides unparalleled threat prevention capabilities to thousands of enterprises across the globe.

Now, in an unprecedented move, the Machine Learning (ML) engineers at HEIMDAL™ have successfully built and trained a neural network for Heimdal™ Threat Prevention - Network (and for the DarkLayer™ Guard product) that enables the prediction of malicious DNS. Employing an outstanding amount of gradient-boosting decision trees and over 24 DNS features and criteria, the new neural network AI is state-of-the-art.

Afterward, by using the original intelligence and data provided by the rest of the security solutions in HEIMDAL™’s unified E-PDR (Endpoint Prevention Detection and Response) suite, the neural network is able to trace complex patterns of correlation between the DNS linguistical characteristic features from the training corpus. The training of the neural network results in a significantly improved detection rate of potentially malicious domains, as well as a decrease in the number of false positives flagged.

HEIMDAL™ has doubled the rate of correct detections and predicted future domains that are bound to be registered, and unlocked the algorithm’s capacity to detect malicious domains that would have normally escaped detection by the human eye. Combined with the VectorN Detection™ engine’s power, it will be it will virtually be unstoppable against all malicious attack attempts on enterprise security.

In the following chapter, you will see how this service is configured on your DNS Forwarder (server) and how to point to the Heimdal™ Threat Prevention - Network service.

Heimdal™ Threat Prevention - Network settings

In order to set up Heimdal™ Threat Prevention - Network in the Heimdal Dashboard, you have to access the Network Settings section -> Threat Prevention tab.
DarkLayer Guard - turn on/off the Threat Prevention - Network module;
Whitelist - allows you to whitelist a domain/sub-domain for the users in your network;

Blacklist - allows you to blacklist a domain/sub-domain for the users in your network;
Access Rule* - add your Public IP Address(es) to filter traffic through our DNS Servers. Here you can specify a Public IP Address or a Subnet;

FILL CURRENT IP - automatically add your current Public IP Address in the Subnet field, getting it ready for being added as an Access Rule.

*WARNING: Once a new Access Rule is added for a Public IP Address or Subnet, it will be whitelisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the Heimdal™ Threat Prevention - Network.

Setting up Heimdal™ Threat Prevention - Network

To set up Heimdal™ Threat Prevention - Network please follow the steps below:
1. Log in to the Heimdal Dashboard.
2. Access the Network Settings section.
3. From the Threat Prevention tab, make sure the DarkLayer Guard™ module is turned ON.
4. In the Access Rule section, add your Public IP Address(es) (Name and Subnet required) and press the Update Network Settings button. You can add one or multiple Public IP Addresses with the following subnets: /32, /31, and /30. For larger ranges, please get in touch with corpsupport@heimdalsecurity.com. 

Adding the Threat Prevention - Network DNS Forwarders (on Windows Server)

In order to implement Heimdal™ Threat Prevention - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following IP Addresses as DNS Forwarders:

• 193.243.129.53
• 76.223.127.10
• 185.113.230.53 (former SecureDNS Resolver)
• 185.113.231.53 (former SecureDNS Resolver)

To set up DNS Forwarding on your DNS Server, you need to follow the steps below:
1. Open the DNS Manager from the Server Manager.2. Right-click on the DNS Server and select Properties.3. Select the Forwarders tab and click the Edit button.
4. Insert the DNS IP Addresses (193.243.129.53 and 76.223.127.10) and hit Enter after each IP Address. After entering both IP Addresses, press OK.

The DNS Forwarders should look like this:

5. After configuring the DNS Forwarders, you can test if Heimdal™ Threat Prevention - Network is working by accessing the website notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that Heimdal™ Threat Prevention - Network is working properly.

Here is a how-to change the DNS Forwarder on Windows Server:

Adding the Threat Prevention - Network DNS Forwarders (on Ubuntu/Debian)

In order to implement Heimdal™ Threat Prevention - Network in your organization, you will need to configure the DNS Server(s) in your organization to use the following Threat Prevention Network IP Addresses as DNS Forwarders:

• 193.243.129.53
• 76.223.127.10
• 185.113.230.53 (former SecureDNS Resolver)
• 185.113.231.53 (former SecureDNS Resolver)

To set up DNS Forwarding on your DNS Server, you need to follow the steps below:

1. Open the interfaces file (/etc/network/interfaces) for editing:

sudo nano /etc/network/interfaces

2. Add the following settings:

auto eth0
iface eth0 inet static
 address 192.168.1.2 #an IP at your choice
 netmask 255.255.255.0 
 gateway 192.168.1.1
 dns-nameservers 185.113.230.53 185.113.231.53

3. Open the resolv.conf file (/etc/resolv.conf) for editing:

sudo nano /etc/resolv.conf

4. Add the following settings:

nameserver 193.243.129.53
nameserver 76.223.127.10
#options edns0

5. Reboot the machine.
6. Update the apt package cache by typing:

sudo apt-get update

7. Install BIND on the DNS Server.

sudo apt-get install bind9 bind9utils bind9-doc

8. Open the named.conf.options file (/etc/bind/named.conf.options) for editing:

sudo nano /etc/bind/named.conf.options

9. Add the following settings:

options {
 directory "/var/cache/bind";

 // If there is a firewall between you and nameservers you want
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113

 // If your ISP provided one or more IP addresses for stable
 // nameservers, you probably want to use them as forwarders.
 // Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.

        forwarders {
              193.243.129.53;
              76.223.127.10;
        };
 //========================================================================
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys. See https://www.isc.org/bind-keys
 //========================================================================
        dnssec-validation no;
        auth-nxdomain no; # conform to RFC1035
        listen-on-v6 { any; };
};

10. Restart bind using the following command line:

sudo systemctl restart bind9

11. In case there's a firewall rule blocking port 53, you can unblock it with the following command line:

sudo ufw allow 53

12. After configuring BIND, you can test if Heimdal™ Threat Prevention - Network is working by accessing the website notblockedbyheimdalsecurity.com. If the text on the site says "Heimdal Security has blocked this page.", this means that Heimdal™ Threat Prevention - Network is working properly.


IMPORTANT
Please note the fact that it can take 30 to 60 minutes from changing your DNS Forwarders until you see the correct blocking page. Your protection is, however, in place immediately after changing forwarders.

It is possible to set additional DNS Forwarders, both internal and external, but we do NOT recommend this. Due to the nature of DNS Servers, you risk bypassing Heimdal™ Threat Prevention - Network for a prolonged period of time and thereby removing your Heimdal™ Threat Prevention - Network protection.