New Wildcard DNS Abuse Detection for DNS Security

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
L2 Linker

DNS Security introduced a new detection to block malicious domains that abuse wildcard DNS records to create malicious subdomains with high reputation that attackers can use to hide.DNS Security introduced a new detection to block malicious domains that abuse wildcard DNS records to create malicious subdomains with high reputation that attackers can use to hide.

 

As DNS Security (Domain Name System) traffic becomes increasingly more of a target for hackers, it is crucial that security vendors stay up to date on the latest threats to ensure their customers do not fall victim to DNS attacks. That is why Palo Alto Networks recently launched a new detection that captures malicious domains abusing wildcard DNS records in real time to help identify penetration activities as soon as possible.

 

Wildcard records facilitate DNS management in many constructive operations; however the flexibility of wildcard records also provides attackers with a variety of options for executing attacks with greater efficiency. Distinguishing between domains using wildcard records for benign and malicious purposes poses a nontrivial challenge. This is where our new detector comes into play to protect our customers by efficiently flagging domains that use wildcard DNS records for questionable or malicious activity.

 

What is Wildcard DNS Abuse?

DNS maps names to addresses so that computers can communicate. The directions within the DNS exist largely in records where a specific FQDN (fully qualified domain name) is mapped to pieces of data, such as an IP address. As the name suggests, wildcard DNS records are an exception to this pattern. Wildcard DNS abuse allows many domain names to be mapped to the same data, therefore allowing attackers to easily direct users to malicious hosts via an infinite number of domain names.

 

In recent weeks, we have been running this detector and have identified over 4,000 domains abusing wildcard DNS for questionable purposes, including black hat SEO(search engine optimization) campaigns, or to promote sites related to gambling, phishing, adult content or questionable video streaming sites.

 

How do we detect Wildcard DNS Misuse?

We leverage a large passive DNS data set to effectively identify domains using wildcard DNS records while this new detection uses mechanisms such as ML-powered domain analysis, DNS full-zone analysis, web content analysis (rate at which web page content changes) to identify abused wildcard records.  

 

When will Detection of Wildcard DNS abuse be available in DNS Security?

Detections of Wildcard DNS abuse are released in real time under the Grayware category which is a part of the PAN-OS 10.0 release. Customers can then allow, block or alert these detections based on their policy for handling Greyware. Customers with PAN-OS 10.0 or later are able to benefit from this new detection. To learn more about how the our security services can protect your network traffic from threats, sign up for:

 

 

Additional Information

Palo Alto Networks: Disrupt DNS-Based Attacks

Unit 42—Play Your Cards Right: Detecting Wildcard DNS Abuse

 

Register or Sign-in
Labels