- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
As DNS Security (Domain Name System) traffic becomes increasingly more of a target for hackers, it is crucial that security vendors stay up to date on the latest threats to ensure their customers do not fall victim to DNS attacks. That is why Palo Alto Networks recently launched a new detection that captures malicious domains abusing wildcard DNS records in real time to help identify penetration activities as soon as possible.
Wildcard records facilitate DNS management in many constructive operations; however the flexibility of wildcard records also provides attackers with a variety of options for executing attacks with greater efficiency. Distinguishing between domains using wildcard records for benign and malicious purposes poses a nontrivial challenge. This is where our new detector comes into play to protect our customers by efficiently flagging domains that use wildcard DNS records for questionable or malicious activity.
DNS maps names to addresses so that computers can communicate. The directions within the DNS exist largely in records where a specific FQDN (fully qualified domain name) is mapped to pieces of data, such as an IP address. As the name suggests, wildcard DNS records are an exception to this pattern. Wildcard DNS abuse allows many domain names to be mapped to the same data, therefore allowing attackers to easily direct users to malicious hosts via an infinite number of domain names.
In recent weeks, we have been running this detector and have identified over 4,000 domains abusing wildcard DNS for questionable purposes, including black hat SEO(search engine optimization) campaigns, or to promote sites related to gambling, phishing, adult content or questionable video streaming sites.
We leverage a large passive DNS data set to effectively identify domains using wildcard DNS records while this new detection uses mechanisms such as ML-powered domain analysis, DNS full-zone analysis, web content analysis (rate at which web page content changes) to identify abused wildcard records.
Detections of Wildcard DNS abuse are released in real time under the Grayware category which is a part of the PAN-OS 10.0 release. Customers can then allow, block or alert these detections based on their policy for handling Greyware. Customers with PAN-OS 10.0 or later are able to benefit from this new detection. To learn more about how the our security services can protect your network traffic from threats, sign up for:
Additional Information
Palo Alto Networks: Disrupt DNS-Based Attacks
Unit 42—Play Your Cards Right: Detecting Wildcard DNS Abuse
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Subject | Likes |
---|---|
4 Likes | |
3 Likes | |
2 Likes | |
1 Like | |
1 Like |