Domains of Grey: Using DNS Greylisting for Defense

October 20, 2016


Eric Rand

DNS greylisting shows promise as a means for mitigating phishing, botnet C2, and certain kinds of ransomware infections. By delaying the resolution of domains previously unseen on a network, network administrators can force attackers’ costs up and effectiveness down, making their networks much less desirable to attack.

This lets admins compensate for poorly-retained counter-phishing user training [by disabling the usual use-case for most phishing and spearphishing domains during the time they are most likely in use], disable fast-changing DGA-derived malware C2 domains [by causing such domains to fail to resolve during the period they are active], and – even better – observe such attacks in progress, gaining time to counter them before they succeed.
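To make the mechanism concrete, here is a toy greylisting policy written for this post as an added illustration; it is not code from the author and makes its own assumptions: a resolver front-end calls `decide()` once per query, answers with a resolution failure while the result is `"defer"`, and the one-hour delay, the naive two-label domain reduction, and the sample domains are all constructed for the example. The `pending()` view is the part an admin would watch: every domain still inside its delay window is a domain the network has never asked about before.

```python
"""Toy DNS greylisting policy (added example, not the article's own code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DEFAULT_DELAY = 3600  # assumption: a never-before-seen domain waits one hour


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its last two labels (naive eTLD+1).

    A real deployment would consult the Public Suffix List so that
    'host.example.co.uk' keys on 'example.co.uk'; this simplification
    is an assumption of the example, not a recommendation.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


@dataclass
class GreylistPolicy:
    delay: int = DEFAULT_DELAY
    allowlist: Set[str] = field(default_factory=set)      # known-good domains
    first_seen: Dict[str, float] = field(default_factory=dict)
    log: List[Tuple[float, str, str, str]] = field(default_factory=list)

    def decide(self, qname: str, client: str, now: float) -> str:
        """Return 'resolve' or 'defer' for one query at time `now` (seconds)."""
        dom = registrable_domain(qname)
        if dom in self.allowlist:
            return "resolve"
        seen = self.first_seen.get(dom)
        if seen is None:
            # First time anyone on the network asked for this domain:
            # start its clock and fail the lookup.
            self.first_seen[dom] = now
            self.log.append((now, client, dom, "greylisted"))
            return "defer"
        if now - seen < self.delay:
            # Still inside the delay window: repeated lookups of a fresh
            # domain (phishing links, DGA C2) keep failing and keep logging.
            self.log.append((now, client, dom, "deferred"))
            return "defer"
        # Delay elapsed: the domain is now allowed to resolve normally.
        return "resolve"

    def pending(self, now: float) -> List[str]:
        """Domains still inside their delay window, for admin review."""
        return sorted(d for d, t in self.first_seen.items() if now - t < self.delay)


if __name__ == "__main__":
    # Constructed sample traffic: an allowlisted domain, then a fresh one
    # queried repeatedly within the hour and once after it.
    policy = GreylistPolicy(allowlist={"example.com"})
    print(policy.decide("www.example.com.", "10.0.0.5", 0))          # resolve
    print(policy.decide("unseen-domain.test", "10.0.0.5", 0))        # defer
    print(policy.decide("unseen-domain.test", "10.0.0.7", 1800))     # defer
    print(policy.pending(1800))                                       # ['unseen-domain.test']
    print(policy.decide("unseen-domain.test", "10.0.0.5", 3601))     # resolve
    for entry in policy.log:
        print(entry)
```

The interesting property is in the log rather than the verdicts: a fresh domain that is queried by several clients within minutes of first appearing is exactly the pattern a phishing campaign or a DGA rollover produces, and the greylist surfaces it while the lookups are still failing.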

Additionally, the basic requirements for setting up a greylisting DNS proxy grant significant security benefits to the network on their own, encouraging the adoption of good practice network administration procedures.