Over the last few months I have been reviewing several products on the market to include automation tools, big data ingestion pipeline tools as well as security devices that can prevent intrusions (IPS devices). One thing we are seeing is that innovation in the security space is pretty stagnant and still very much reactive instead of proactive. We have been working on automation to not only detect bad and malicious contact but also to automatically protect against intrusions and attacks by using a little known feature in DNS called the Response Policy Zone (or RPZ).
RPZ has been in Jigsaw Products since it was first introduced in 2010 by the Bind9 DNS authors. In essence what the RPZ feature does is present incorrect information to malware so that it cannot download payloads for infection. We have published some examples of this and it is a feature that is enabled in the Pi-Hole DNS appliance that will run on a Raspberry Pi 3.
Jigsaw Security has made our security threat intelligence data available to many open source projects in the past to include Snort, Zeek (Formerly Bro), Bind DNS Servers and now Pi-hole™. It should be noted that Pi-hole™ is a registered and trademarked open source project and that we are in no way responsible for the software itself, only that we provide data that can be used by Pi-Hole to protect networks from various types of attacks to include phishing and malware that uses DNS to call home and that we have observed elsewhere is our customer and internal networks. Once we see a domain being abused once, it is blocked for a period of time until the threat has been alleviated and/or the malicious payloads have been removed.
In this blog post we will talk about the feature of Pi-hole™ when used with the Jigsaw Security Threat Intelligence data feed. To understand why our solution is as powerful as it is we must first take a look at what Pi-hole™ does for end users.
Under the hood with Pi-hole™
So there are many ways to install Pi-hole™ to include using it on a Raspberry Pi, installing it on a Linux based server or even running it in a Docker image. We really like using it on a Raspberry Pi because we can simply load it on the device, plug it into the network and configure everything with a web browser. We have had performance issues that are present because our block list is over 2 million domains strong currently so that's a lot of domains to store in memory. Also depending on the number of end users, installing Pi-hole™ on a standard server allows the server to better serve up more concurrent clients at the same time.
As of the writing of this post Pi-hole™ is at version 5 release and is considered very stable.
How does it protect my network?
I personally use the Pi-hole™ software to protect against malware but originally it was designed to block ads. Ad blocking makes the Internet faster and also prevents some tracking of individual activity. While it was written to specifically block ads, creating custom list of domains associated with malware has the effect of rendering phishing campaigns and malware payload sites unavailable to your networked devices by lying to them when they ask for a bad domain. Think of it as a traffic cop that looks to see if the requested resource is a known bad domain. In addition it can also be used to block applications or content if you block domains that are serving the contact that you want to make unavailable to your end users.
One of the newest features is the ability to create groups. These groups can allow some machines to be able to access things that others cannot. These groups can be setup also with different purposes. For instance, if you have a mail server on your network, you will want to ensure that mail server can resolve the MX records of all mail servers on the Internet. Creating a group that allows all queries to process would be the desired outcome. Even if the mail server can resolve all mail destinations, you can put your clients in a group that still blocks malicious payloads that may show up as phishing attacks.
End users can also add domains to the blocklist or whitelist domains that they wish to allow. This product is low cost at under $100 for the hardware and can be supplemented with domain data from any number of security providers.
Pi-hole™ is a registered trademark of Pi-hole LLC and is used as fair use. For more information visit this page. Pi-hold™ LLC has not endorsed the use of our data with the Pi-hole™ code.