Sunday, November 10, 2013

Blocking Dynamic DNS sites

Going through proxy and DNS logs, I noticed that, as a whole, the company has not been blocking sites categorized as "Dynamic DNS."  I discovered this while reviewing a "security" report that lists site activity falling into the generic "security" categories.  Interestingly enough, no Dynamic DNS sites were blocked.

Dynamic DNS is a service that keeps a hostname pointing at a changing address: the host updates its own DNS record whenever its IP address changes, so a site can be reached without a static IP.  Mostly, it is used by three types of users:  hobbyists who do not want to pay for a static IP address for their site; spammers and scammers; and operators of outright malicious sites.  Bot herders in particular prefer Dynamic DNS hostnames because they can re-point a name to a different server at will, which makes their infrastructure harder to track down and take down.  Further, the registrant (WHOIS) information for suspicious sites is often obfuscated to make the owners harder to identify.  There is rarely a business case to allow Dynamic DNS sites, though a few legitimate ones (a remote office or partner endpoint on a consumer connection, for example) should be expected and handled as exceptions.

With those points in mind, I presented the case to block all Dynamic DNS-hosted sites.  If there are truly legitimate sites that users need to access, we can re-evaluate on a case-by-case basis and adjust the filters.  So far, it looks like the decision has been favorable.
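A concrete version of that check, added here as an example and not code from the original post: it runs the "block Dynamic DNS, with case-by-case exceptions" policy over DNS query-log lines and reports which lookups the filter would have blocked, which hit an approved exception, and which internal clients generate the most hits (a useful triage lead). The provider zone list, the allowlisted hostname, and the BIND-style log lines are all constructed for the example; a real deployment would use the proxy or DNS filter's own "Dynamic DNS" category rather than a hand-picked list.

```python
import re
from collections import Counter
from typing import Optional

# Illustrative dynamic DNS provider zones (assumption for this example, not a
# comprehensive feed). Matching is done on DNS label boundaries, so
# "c2.ddns.net" is caught but "nothopto.org" is not confused with "hopto.org".
DYNAMIC_DNS_ZONES = {
    "no-ip.org", "no-ip.biz", "hopto.org", "ddns.net", "zapto.org",
    "dyndns.org", "duckdns.org", "afraid.org", "changeip.com", "dynu.com",
}

# Case-by-case exceptions with a confirmed business need (assumed hostname).
ALLOWLIST = {"partner-vpn.ddns.net"}

# Constructed BIND-style query log lines, not real traffic.
SAMPLE_LOG = """\
10-Nov-2013 09:12:01.123 client 10.1.2.3#53211: query: updates.hopto.org IN A + (10.0.0.5)
10-Nov-2013 09:12:02.456 client 10.1.2.3#53212: query: www.example.com IN A + (10.0.0.5)
10-Nov-2013 09:12:03.789 client 10.1.7.9#41000: query: partner-vpn.ddns.net IN A + (10.0.0.5)
10-Nov-2013 09:12:04.001 client 10.1.7.9#41001: query: c2.ddns.net IN A + (10.0.0.5)
10-Nov-2013 09:12:05.222 client 10.1.8.4#50000: query: nothopto.org IN A + (10.0.0.5)
10-Nov-2013 09:12:06.333 client 10.1.8.4#50001: query: mail.afraid.org. IN MX + (10.0.0.5)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+.*?query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so suffix checks are stable."""
    return name.lower().rstrip(".")


def matching_zone(hostname: str, zones) -> Optional[str]:
    """Return the zone that hostname falls under, or None.

    Walks the name label by label ("a.b.hopto.org" -> "b.hopto.org" ->
    "hopto.org" -> "org") so only whole-label suffixes can match.
    """
    labels = normalize(hostname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def classify_queries(log_text: str):
    """Return (blocked, exceptions); each entry is (client_ip, qname, zone).

    Lines that do not parse, or that do not resolve under a dynamic DNS
    zone, are ignored. Allowlisted names are reported separately so the
    exception list stays visible in the review instead of silently passing.
    """
    blocked, exceptions = [], []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = normalize(m.group("qname"))
        zone = matching_zone(qname, DYNAMIC_DNS_ZONES)
        if zone is None:
            continue
        record = (m.group("client"), qname, zone)
        if matching_zone(qname, ALLOWLIST) is not None:
            exceptions.append(record)
        else:
            blocked.append(record)
    return blocked, exceptions


def summarize_by_client(blocked) -> Counter:
    """Count blocked lookups per internal client; repeat offenders get triaged first."""
    return Counter(client for client, _, _ in blocked)


if __name__ == "__main__":
    blocked, exceptions = classify_queries(SAMPLE_LOG)
    for client, qname, zone in blocked:
        print(f"BLOCK  {client:<12} {qname:<28} zone={zone}")
    for client, qname, zone in exceptions:
        print(f"ALLOW  {client:<12} {qname:<28} zone={zone} (approved exception)")
    print("blocked per client:", dict(summarize_by_client(blocked)))
```

Running it against the sample lines blocks updates.hopto.org, c2.ddns.net and mail.afraid.org, lets partner-vpn.ddns.net through as the approved exception, and leaves nothopto.org and www.example.com alone. The same suffix logic can feed a proxy category override or a DNS response policy, and the per-client counts are the first thing to look at once the block is in place.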
