FTD DNS Security

  • Post author:
  • Post category:Cisco / FTD

Cisco FTD DNS based Security Intelligence allows you to identify a suspicious DNS query and blacklist the resolution of the dubious domain. When using DNS security provided by the FTD, it blocks the request for the suspicious domain before an HTTP connection is even established, saving resources.

DNS Filtering can be performed in 3 ways: –

  • Cisco TALOS maintains a database of known bad DNS domains, these are updated and downloaded regularly by the FMC as a feed.
  • Filtered manually from the FMC Connection Events page using Global DNS Whitelist and Global DNS Blacklist.
  • A custom DNS Feed/List

A DNS Policy is defined which can take the following actions: –

Action Description
Whitelist Allows matching traffic to pass
Monitor Does not affect traffic flow, traffic is neither whitelisted nor blacklisted. Traffic is evaluated against other rules to determine whether it would permit or deny.
Drop (Blacklist) Drops the traffic
Domain Not Found (Blacklist) Returns a non-existent domain name (NXDOMAIN) response to the DNS query
Sinkhole (Blacklist) DNS returns a sinkhole IP address in response to the query. The sinkhole can log, or log and block

This blogpost covers creating a custom DNS list and demonstrating using the TALOS feed to block known malware.

Firepower Configuration

Create DNS Lists

  • Create a text file called DNF-List.txt for a list of domains to test the Domain Not Found action
  • Add the FQDN’s to be blacklisted (Domain Not Found) – e.g. yahoo.co.uk
  • Save the text file to the local computer

Create Custom DNS Feed

  • Login to the FMC
  • Navigate to Objects > Object Management > Security Intelligence > DNS Lists and Feeds
  • Click Add DNS Lists and Feeds
  • Name the List appropriately, e.g. Custom-DNF-List
  • From the Type: drop-down list, select List
  • Click Browse and select the text file called DNF-List.txt created previously
  • Click Upload, once uploaded select Save

Create Sinkhole

  • Navigate to Objects > Object Management > Sinkhole
  • Click Add Sinkhole
  • Name the Sinkhole appropriately, e.g. DNS-Sinkhole
  • Enter an IPv4 address (publicly routable e.g. 11.11.11.11 so the traffic would be routed outside of the local network)
  • Click Block and Log Connections to Sinkhole
  • Leave Type as None
  • Click Save

Create a DNS Policy

  • Navigate to Policies > Access Control > DNS
  • Click Add DNS Policy
  • Click Add DNS Rule
  • Enter and appropriate name e.g. DNF
  • Ensure Enabled is checked
  • Select the Action as Domain Not Found
  • Define the Source Zone(s) as the Inside Zone
  • Click the DNS tab
  • Select the custom DNS list called Custom-DNF-List previously created
  • Click Add once complete
  • Click Save

  • Click Add DNS Rule
  • Enter and appropriate name e.g. Malware
  • Ensure Enabled is checked
  • Select the Action as Sinkhole
  • A drop-down list called Sinkhole will appear, select the custom Sinkhole previously created
  • Define the Source Zone(s) as the Inside Zone
  • Click the DNS tab
  • Select the built-in Cisco Security Intelligence feed called DNS Malware
  • Click Add once complete

  • Click Save to save the policy

 

Attach the DNS Policy to the Access Control Policy

  • Navigate to Policies > Access Control > Access Control
  • Modify the existing Access Control Policy
  • Click the Security Intelligence tab
  • From the DNS Policy drop-down list select the DNS Policy previously created
  • Click Save

Deploy the Policy

  • Deploy the Policy to the FTD

Verification

  • Run wireshark on a workstation and filter on DNS
  • Run nslookup on yahoo.co.uk (this domain was defined in the Domain Not Found list)

The output of the nslookup will confirm the response “Non-existent domain”

The output of the wireshark capture will confirm the response “no such name”.

  • Login to the CLI of the FTD and enter expert mode
  • Change the current directory to the Security Intelligence directory with the command cd /var/sf/sidns_download
  • List the contents of the directory using the command ls -l

Each file represents a DNS Security Intelligence List/Feed used when creating the DNS Policy, within each file contains thousands of domains.

  • Use the command grep ‘Malware’ <FILENAME> with each file until the correct file has been determined

  • Use the command cat <FILENAME> to list all the current domains identified as hosting Malware

  • Run wireshark on a workstation and filter on DNS
  • Run nslookup on a couple of the domains from the list

The output of the nslookup will confirm the address of the sinkhole 11.11.11.11

The output of the wireshark capture will confirm the sinkhole address 11.11.11.11

Access the Security Intelligence Events on the FMC. You will confirm the DNS queries matched the correct action Sinkhole or Domain Not Found.

 

Global DNS Whitelist/Blacklist

To manually add a website to the Global DNS Whitelist/Blacklist

  • Open the Connection Events and locate the DNS Query to be listed.
  • Locate the DNS Query
  • Right click and select either “Blacklist DNS Requests….” Or “Whitelist DNS Requests….”

  • To un-list Navigate to Objects > Object Management > Security Intelligence > DNS Lists and Feeds
  • Select the appropriate list “Global-Whitelist-for-DNS” or “Global-Blacklist-for-DNS” and edit
Tags: , , ,