The Challenge
Cyber criminals are keen to abuse someone else’s well-equipped network, so ISP and hosting environments are targeted by malicious actors keen to insert malware and botnets that can infect across a network.
Email filtering and anti-spam measures can block most phishing attempts but there is always the risk that a customer will unwittingly respond and allow access to malware. So there is always a risk of getting infected, or have infections that might spread to others.
The challenge for XS4ALL is to provide protection without impacting the demand for high-volume, high-speed connectivity and give customers a choice of the security profile that’s right for them.
The Solution – PowerDNS with DNS Firewall Threat Feeds
XS4ALL runs PowerDNS Recursor for its DNS resolution because it has a native implementation to receive an AXFR/IXFR data feed for industry standard Response Policy Zone handling. With the release of version 4.0 of PowerDNS Recursor, XS4ALL was able to configure Response Policy Zones into the resolution process for the first time.
The new 4.0 version has an extra feature which enables active lookup of a configuration for the client that queries the resolvers. This enabled XS4ALL to make DNS Firewall malware filtering optional, with each customer able to chose it as an added security service.
Implementation of DNS Firewall was straightforward given the version of PowerDNS Recursor, the main volume of work required was to configure XS4ALL’s systems to provide this as a customer option.
The Results – thousands of malicious connections blocked daily
After a careful checking of a PowerDNS setup with mirrored traffic and reviewing the volumes of suspicious queries, DNS Firewall was made operational as an option to customers. When enabled, customers drastically cut down on malware traffic from links in already downloaded email messages that they clicked on accidentally.