
What makes a good "DNS Blacklist"? - Part 1

Reflections on Modern Actionable Threat Intelligence used to turn a DNS Resolver into a Critical Security Tool

Akamai has just launched the Enterprise Threat Protection (ETP) platform. ETP is built on Akamai's global AnswerX Cloud that now reaches 28 countries and is expanding to new countries every month. As a new player in Cloud DNS resolver services, competitors will ask "why Akamai?" or "what gives Akamai the knowledge and capacity to build effective DNS blacklists?" These are good questions from our competition, and are also questions that our customers should ask. Let's explore why Akamai is in a unique position to help enterprises and carriers use Akamai's Cloud Security Intelligence (CSI) as a DNS Security Policy tool.

First, remember that Akamai is now a major security company. Everything Akamai deploys for our customers has security in the forefront. For Akamai, it is not a matter of when we get attacked, probed, abused, and DOSed, it is a matter of how many attacks per hour we receive on our services. Akamai has leveraged this "constantly under attack" experience into unique solutions for all our Cloud and Enterprise Security Solutions.

[Figure 1]

Second, because of the high volume of attacks on Akamai services, Akamai is positioned to collect security information from unique points of view. Akamai's vast planet-wide, cloud-based deployments, along with Akamai's collaborative architecture, create a unique "security surface area of threat detection". No other network has the global range, traffic depth, or Internet telemetry that Akamai does. Akamai leverages our security telemetry for all our security services.

Third, the idea of using the DNS resolution path as a security tool was pioneered by what is now the Akamai AnswerX Team (the platform upon which ETP is built). All the way back in 2006, the original AnswerX Team built a DNS resolver platform that validated DNS queries against several DNS blacklists in real time. Simplicita (the team that became Xerocole and was acquired by Akamai in 2015) collected every feasible "blacklist" and turned that into what we now call a "DNS Firewall". That list was extensive:


2006 Reputation Data Sources compatible with AnswerX & the Reputation Knowledge System (RKS)

| Reputation List | Provider | Type | Key |
|---|---|---|---|
| Various botnet lists | [private] | Botnet | IP, Domain |
| MAPS Feedback and DNSBL | trendmicro.com | DNSBL, feedback | IP |
| Sophos spam alerts | sophos.com | Alerts | IP |
| SenderIndex, SafeList | habeas.com | Certify | IP |
| Internal: syslog, DB, network elements, app servers | Service provider | Internal reputation | IP, Domain |
| CBL | cbl.abuseat.org | DNSBL | IP |
| Bogons, badwhois, hijacked | completewhois.com | Whois Information | Domain |
| Bogons | cymru.org | Spoofing | IP |
| DSBL | dsbl.org | DNSBL | IP |
| DDOS IPs from firewall data | dshield.org | DDOS | IP |
| DUL, Zombie, HTTP, SOCKS, Misc, SMTP, Web, Spam | sorbs.net | DNSBL | IP |
| SPEWS, SPEWS2 | spews.org | DNSBL | IP |
| DNS deny | rsa.com | Phishing | IP |
| Level1, Level2, Level3 | uceprotect.net | DNSBL | IP |
| VIRBL | virbl.bit.nl | Virus information | IP |
| BOPM | blitzed.org/bopm | Proxy information | IP |
| Domain block list - baseline, incremental | jwSpamSpy.net | RHSBL | Domain |
| Spam domains | mailpolice.com | Spam | RHSBL |
| Phish detection and response | markmonitor.com | Phish | Domain |
| List of open DNS servers | public service | DNS Information | IP |
| The Internet Filter | research.turner.com | RHSBL | Domain |
| eFraudNetwork | rsa.com | Phish | IP |
| Tracked botnet C&C networks | shadowserver.com | Botnet | IP |
| Spamcop | spamcop.net | DNSBL | IP |
| SBL / XBL / PBL | spamhaus.org | DNSBL | IP |
| SC, WS, OB, AB, Multi | surbl.org | RHSBL | Domain |
| VDL | verisign.com | Certify | Domain |
| Cloudmark bot list | cloudmark.com | Bot | IP |
| Castle Cops | castlecops.com/pirt | RHSBL | Domain |
| Damballa | damballa.com | Botnet | IP, Domain |

Akamai has combined AnswerX's decade of experience with Akamai's huge threat intelligence capabilities. The AnswerX team adds the experience of pulling in multiple reputation knowledge feeds, building mitigation/remediation logic around those feeds, and ensuring the "DNS Firewall" meets all the customer expectations. It is only logical for Akamai to take all this experience and offer it to our customers as our new ETP service.

Akamai does not stop there. We are known for being the building blocks that help others succeed. That is why Akamai offers AnswerX to our Carriers, Communications Service Providers (CSP), and other vendors looking to deploy their own version of a DNS Firewall. Akamai's AnswerX Licensed or AnswerX Cloud integrates with multiple threat feed partners. SURBL, Symantec, and Threatstop are three examples of Threat Feed Partners that Akamai has integrated into AnswerX. Now a carrier can build their own service, pulling in DNS Threat Feeds from Akamai and our partners, and tune those services to their specific customer expectations. Akamai has carrier partners in different parts of the world who use AnswerX as the "platform," pull in multiple DNS Threat Reputation feeds, and customize the DNS Threat Feeds for their services. These services range from DNS-based anti-phishing, to anti-malware, to botnet protection, to parental control, to WiFi/Small Business threat protection, and to many other services.

While today's reputation, threat, security, and other knowledge sources are different, what has not changed is the flexibility and experience. Akamai's ETP has the benefit of experience. We understand the threats and know that our customers need to go beyond a "DNS blacklist." The Akamai ETP team took a different approach to threat detection and response. In fact, what the industry needs is a dynamic DNS Threat Policy that pulls in live threat data from across all of Akamai's ETP and AnswerX customers while tuning to the specific threats in a single enterprise.

To understand Akamai's thinking, it is best to review the factors that make DNS Threat Policies effective. We will explore these factors as a checklist of questions to ask DNS Threat Policy providers in part 2.
