Today we will talk about phishing and how filtering the Domain Name System request it can help us to achieve falling into the trap. But before this, some basics.
Domain names serve as memorizable names for websites and other services on the Internet. However, computers access Internet devices by their IP addresses. DNS translates domain names into IP addresses, allowing you to obtain an Internet location by its domain name. Think of a DNS server as a Rolodex you would use to call a friend and know which phone number you need to dial. That is how the Internet works too. It uses IP addresses instead, and we use domains rather than names, but you see that the concept is the same.
How a DNS request works?
This image will explain. Notice I am voluntarily oversimplifying this explanation. Technically it is a bit more complex:
A user types a domain name, customarily named FQDN, Fully Qualified Domain Name, which triggers a query sent to the DNS server that will provide the IP address for that site. That IP address is the one used by the user’s device to establish a connection with the server behind and will initiate the communication.
Now, let’s say you receive an email claiming you have some messages that were quarantined by your email provider, and if you do not log into the system immediately, said emails would be deleted. Forever. And, of course, the email contains a link to access to those messages. Well, I know that a vigilant user like you will never click since this email falls under the three clues rule:
- It urges you to perform an action
- Not doing said action will have horrendous consequences
- It provides you an easy way, a link, to prevent all that
But, bear with me, and let’s imagine you click in that link. By doing so, your browser will receive the request to query your DNS server for the FQDN provided, and once received the IP address of the server hosting that site, it will take you there. At this stage, you are still safe, since what you see is a Microsoft Office 365 login page and it turns out you are using that email service, so it does not trigger any alarm for you. Should you continue, though, and provide your credentials, you would probably get an error stating that your credentials are wrong, even if you are 100% sure you correctly typed your password. It would be at that very moment when your account would be compromised.
In the scenario I just wrote, you might have thought there are some ways to avoid or prevent any huge damage:
- Anti-phishing system
- User training
- Multi-Factor Authentication
We will talk about these soon, but for now, let’s just stick to one of the measures we can have to avoid this, the goal of this blog post, securing our DNS requests.
Solutions to the problem
If instead of using a DNS server that will not filter any request, we use one that does some filtering, the moment you click in the link you would see a warning message or, even better, a blocking message that would stop you from visiting that site. And the risk would be reduced to zero.
I am not going to compare the services available for doing that since this blog post would become way too long. But at least I will name a few, and you can add the ones you know in the comments, this way we can have a pretty complete list.
I have not included Google’s 126.96.36.199 because its goal is not blocking phishing sites, rather speed up DNS queries, although it does prevent some attacks. Maybe you have some information about this.
Which one is the best? All of them are good. The difference comes with the options they provided. The ones with lots of them are OpenDNS, specially the corporate option named Umbrella, TitanHQ, and also Pi-Hole, targeting more adblocking although it does include some list of known malware/phishing sites. Cloudflare and Quad9 do not have any option to configure, at least at the moment of writing this blog post.
That’s all for now. I hope you liked the blog post and please, do share your thoughts using the comments section below.