zDNS: Advanced DNS Filtering with AI/ML and Threat Intelligence

Published on by Allen

zDNS Overview

Introduction

NetOptiq, in collaboration with Karunya Institute of Technology and Sciences, has developed zDNS, a Domain Name System (DNS) filtering service. Developed between December 2023 and January 2024, it combines threat intelligence feeds with AI/ML classification of queried names so that known and predicted malicious domains are blocked at the resolver, before a client ever connects to them.

Architecture Overview

The zDNS architecture splits its components between on-premises resolver hosts and cloud-based infrastructure:

Server Components

  • Unbound Cache DNS:
    • DNS Cache Proxy: Receives client queries and answers repeat lookups from cache
    • DNS Resolver: Performs recursive resolution for names not in cache
    • Redis Cache: Caches resolved answers so repeat queries are served without re-resolution
  • Blacklist DB: Stores known malicious domains for exact-match blocking
  • Threat Intelligence Feeds: Continuously update the Blacklist DB with the latest indicators
  • AI Engine: Runs the machine learning models that score queried names in real time

Cloud Infrastructure

  • Load Balancer (HAProxy): Distributes incoming traffic across the Kubernetes cluster
  • Kubernetes Cluster: Manages containerized applications for scalability and reliability
  • Log DB: Stores system logs for analysis and auditing
  • Alerting and Monitoring Engine: Provides real-time system health and threat alerts

Key Features

AI/ML Capabilities

The AI/ML component of zDNS focuses on Domain Generation Algorithm (DGA) classification, with the following reported accuracies:

  • Naive Bayes model: 99.65% accuracy
  • DistilBERT model: 99.4% accuracy

Malware uses DGAs to compute fresh command-and-control domains on a schedule, so a static blacklist is always one step behind; a classifier that scores each queried name instead catches the generated names the first time they are looked up. Note that accuracy is the only metric reported: on real resolver traffic, where benign names vastly outnumber DGA names, the false-positive rate at the chosen decision threshold is the number that determines how many legitimate domains get blocked, so it should be measured alongside accuracy before deployment.
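The following is an added example, not zDNS code, of the Naive Bayes approach named above: a multinomial Naive Bayes classifier over character bigrams, trained on a tiny constructed set of benign and DGA-style labels, then evaluated on a constructed held-out set. The metrics it reports go beyond accuracy to recall and false-positive rate, and the held-out set deliberately includes xkcd.com, a legitimate name whose label looks random to a bigram model, to show why accuracy alone hides the cost of a false positive. The training data, the held-out names and the choice of the second-level label as the unit of classification are all assumptions of this example.

```python
"""Character-bigram multinomial Naive Bayes for DGA-vs-benign domain classification.

Added example, not zDNS code. The training and held-out sets are tiny,
constructed samples; they do not reproduce the accuracy figures in the article.
"""
import math
from collections import Counter

# Constructed training data: real-looking benign labels and vowel-free
# letter/digit strings standing in for DGA output.
BENIGN = ["google", "facebook", "amazon", "microsoft", "youtube", "linkedin",
          "github", "reddit", "apple", "cloudflare", "netflix", "instagram"]
DGA = ["xkqzvjw3", "qzwjkxv7", "zxvqkwj1", "kjzqxwv9", "vwxzjqk4", "jqkvzxw2",
       "zwjxqvk8", "xzjkwqv5", "qkxjvwz6", "zjwqvkx0", "kxwzqjv3", "vqzkjxw7"]


def label_of(domain):
    """Second-level label, lowercased, trailing dot removed.
    Assumption: the DGA emits that label; a deployment would use the
    public-suffix list rather than assuming a single-label TLD."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def bigrams(text):
    """Character bigrams with start (^) and end ($) markers."""
    padded = "^" + text + "$"
    return [padded[i:i + 2] for i in range(len(padded) - 1)]


class BigramNB:
    """Multinomial Naive Bayes over bigram counts with add-alpha (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.counts = {}        # class -> Counter of bigram occurrences
        self.totals = {}        # class -> total bigrams seen in that class
        self.docs = Counter()   # class -> number of training domains
        self.vocab = set()      # every bigram seen in any class

    def fit(self, labelled):
        for domain, cls in labelled:
            feats = bigrams(label_of(domain))
            self.counts.setdefault(cls, Counter()).update(feats)
            self.totals[cls] = self.totals.get(cls, 0) + len(feats)
            self.docs[cls] += 1
            self.vocab.update(feats)
        return self

    def log_scores(self, domain):
        """log P(class) + sum of log P(bigram | class), per class."""
        feats = bigrams(label_of(domain))
        n_docs = sum(self.docs.values())
        v = len(self.vocab)
        scores = {}
        for cls, counts in self.counts.items():
            score = math.log(self.docs[cls] / n_docs)
            denom = self.totals[cls] + self.alpha * v
            for f in feats:
                score += math.log((counts[f] + self.alpha) / denom)
            scores[cls] = score
        return scores

    def predict(self, domain):
        scores = self.log_scores(domain)
        return max(scores, key=scores.get)


def evaluate(model, labelled, positive="dga"):
    """Accuracy plus what a resolver operator needs: recall (DGA names caught)
    and false-positive rate (benign names wrongly blocked)."""
    tp = fp = tn = fn = 0
    for domain, cls in labelled:
        hit, truth = model.predict(domain) == positive, cls == positive
        tp += int(hit and truth)
        fp += int(hit and not truth)
        fn += int(not hit and truth)
        tn += int(not hit and not truth)
    return {
        "accuracy": (tp + tn) / (tp + fp + tn + fn),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
    }


TRAIN = [(d, "benign") for d in BENIGN] + [(d, "dga") for d in DGA]
# Constructed held-out set. xkcd.com is legitimate but its label looks
# DGA-like to a bigram model: it is the false positive the metrics expose.
HELDOUT = [("twitter.com", "benign"), ("dropbox.com", "benign"),
           ("wikipedia.org", "benign"), ("xkcd.com", "benign"),
           ("qxjzwkv2.net", "dga"), ("kwzxqvj5.org", "dga"),
           ("jxqkzvw1.com", "dga"), ("vzkqjxw8.net", "dga")]

MODEL = BigramNB().fit(TRAIN)


def heldout_metrics():
    return evaluate(MODEL, HELDOUT)


if __name__ == "__main__":
    for domain, cls in HELDOUT:
        print(f"{domain:16} truth={cls:7} predicted={MODEL.predict(domain)}")
    print(heldout_metrics())
```

On the held-out set the model catches every DGA name but also blocks xkcd.com, so it scores 87.5% accuracy with a 25% false-positive rate; at production scale a rate like that would block thousands of legitimate names a day, which is why the per-name verdict should be combined with the blacklist and threat-feed signals rather than acting alone.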

Backend Analysis

The backend of zDNS incorporates multiple analysis techniques:

  • PCAP Analysis: Examines packet captures for deep inspection of DNS traffic
  • Zeek Analysis: Uses the Zeek Network Security Monitor to extract connection and DNS records for analysis
  • Log Parsing: Parses resolver and system logs for threat indicators such as queries to blacklisted names
  • Regex Blocking: Pattern-based rules (for example, a family of lookalike or randomly generated names) alongside the exact-match blacklist
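As an added example of the log parsing and regex blocking techniques listed above (not zDNS code), the block below parses constructed query log lines, loosely modelled on Unbound's query log format, and checks each queried name against three kinds of rule: exact names, whole zones (the apex and every subdomain), and regular expressions. The rule contents and the log excerpt are made up for the example. The practitioner point it makes is that regex rules must be anchored: an unanchored rule like "secure-login" would block every name that merely contains that substring, so the code matches with fullmatch() and the sample includes a name that contains a rule's substring without matching it.

```python
"""Query-log parsing and blocklist evaluation for DNS filtering.

Added example, not zDNS code. Log lines are constructed (loosely modelled on
Unbound's query log); blocklist entries are made-up examples.
"""
import re
from ipaddress import ip_address

# A query line carries "... info: <client> <qname> <qtype> <qclass>".
QUERY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<qclass>IN|CH|HS)\b")


def normalise(name):
    """Lowercase and drop the trailing dot so every rule type compares the same form."""
    return name.lower().rstrip(".")


def parse_query(line):
    """Return {client, qname, qtype} for a query line, or None for anything else."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    try:
        ip_address(m["client"])
    except ValueError:
        return None
    return {"client": m["client"], "qname": normalise(m["qname"]), "qtype": m["qtype"]}


class Blocklist:
    """Exact names, whole-zone suffixes and anchored regex rules, checked in that order."""

    def __init__(self, exact=(), suffixes=(), patterns=()):
        self.exact = {normalise(n) for n in exact}
        self.suffixes = tuple(normalise(s) for s in suffixes)
        self.patterns = [(p, re.compile(p, re.IGNORECASE)) for p in patterns]

    def verdict(self, qname):
        name = normalise(qname)
        if name in self.exact:
            return ("block", "exact:" + name)
        for suffix in self.suffixes:
            # Apex and subdomains only; "notracker.example" must not match.
            if name == suffix or name.endswith("." + suffix):
                return ("block", "suffix:" + suffix)
        for raw, rx in self.patterns:
            # fullmatch() anchors the rule to the whole name.
            if rx.fullmatch(name):
                return ("block", "regex:" + raw)
        return ("allow", None)


def filter_log(text, blocklist):
    """Apply the blocklist to every parsable query line; other lines are skipped."""
    results = []
    for line in text.splitlines():
        q = parse_query(line)
        if q is None:
            continue
        action, reason = blocklist.verdict(q["qname"])
        results.append({**q, "action": action, "reason": reason})
    return results


BLOCKLIST = Blocklist(
    exact=["evil-update.xyz"],
    suffixes=["tracker.example"],
    patterns=[
        r"(?:[a-z0-9-]+\.)*[a-z0-9]{16,}\.(?:xyz|top)",   # long random label under a cheap TLD
        r"(?:www\.)?secure-login-[a-z0-9-]+\.com",        # phishing-style label
    ],
)

# Constructed log excerpt: timestamp, process, then the query fields.
LOG_LINES = """\
[1700000000] unbound[1234:0] info: 10.0.0.5 evil-update.xyz. A IN
[1700000001] unbound[1234:0] info: 10.0.0.5 cdn.tracker.example. AAAA IN
[1700000002] unbound[1234:0] info: 10.0.0.7 x7k2q9p1m4z8n3c6v5b0.top. A IN
[1700000003] unbound[1234:0] info: 10.0.0.9 www.Secure-Login-bank42.com. A IN
[1700000004] unbound[1234:0] info: 10.0.0.9 github.com. A IN
[1700000005] unbound[1234:0] info: 10.0.0.9 bank42-secure-login.com. A IN
[1700000006] unbound[1234:0] notice: init module 0: python
"""

if __name__ == "__main__":
    for r in filter_log(LOG_LINES, BLOCKLIST):
        print(f"{r['client']:10} {r['qname']:30} {r['action']:5} {r['reason'] or ''}")
```

Of the six queries, four are blocked (one per rule type, with the phishing-style name caught despite its mixed case) and two are allowed, including bank42-secure-login.com, which contains the substring "secure-login" but does not match the anchored rule.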

Frontend Visualization

zDNS employs Grafana for its frontend, providing intuitive dashboards and visualizations of network activity, threats, and system performance.

Unbound Integration

The system integrates its machine learning models directly into the Unbound DNS resolver, so each incoming query is scored as it is resolved and can be blocked or answered on the model's verdict without a round trip to a separate service.

STIX/TAXII Implementation

A notable feature of zDNS is its implementation of a STIX/TAXII server, adhering to the OASIS standards for threat intelligence sharing:

  • STIX (Structured Threat Information Expression): A standardized JSON language for describing cyber threat information, such as an indicator whose pattern names a malicious domain
  • TAXII (Trusted Automated Exchange of Intelligence Information): The HTTPS-based protocol for publishing and polling collections of STIX content

This implementation lets zDNS both consume indicators from other organizations' feeds and publish its own detections in a form that other security tools can ingest, fostering a collaborative approach to cybersecurity.
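To show how STIX content reaches the resolver described under Unbound Integration, the following is an added example, not zDNS code, that builds a STIX 2.1 Indicator for a domain name with the standard library only, extracts blockable domains from a constructed STIX bundle (skipping revoked, expired and non-domain indicators, and handling patterns that OR several domains together), and renders them as Unbound local-zone lines. The bundle, its UUIDs and the domains in it are made up; in a deployment the bundle would be fetched from a TAXII 2.1 collection's objects endpoint, and the local-zone type always_nxdomain is one of Unbound's built-in zone types.

```python
"""Producing and consuming STIX 2.1 domain-name indicators with the standard library.

Added example, not zDNS code. The bundle below is constructed and its identifiers
are made-up UUIDs.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Every domain-name comparison inside a STIX pattern, including OR-combined ones
# such as "[domain-name:value = 'a' OR domain-name:value = 'b']".
DOMAIN_VALUE_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")
# Only plain hostnames reach the resolver config; anything else is rejected.
SAFE_ZONE_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$")


def stix_timestamp(dt):
    """RFC 3339 UTC with a literal Z, as STIX requires; millisecond precision."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_timestamp(s):
    """Accept both fractional and whole-second STIX timestamps."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in s else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def make_domain_indicator(domain, name, valid_from, valid_until=None):
    """A STIX 2.1 Indicator whose pattern matches one domain name."""
    domain = domain.lower().rstrip(".")
    if not SAFE_ZONE_RE.match(domain):
        raise ValueError(f"not a plain hostname: {domain!r}")
    ts = stix_timestamp(valid_from)
    ind = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[domain-name:value = '{domain}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if valid_until is not None:
        ind["valid_until"] = stix_timestamp(valid_until)
    return ind


def domains_from_bundle(bundle, now):
    """Map each blockable domain to the indicator id that introduced it."""
    found = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        until = obj.get("valid_until")
        if until is not None and parse_timestamp(until) <= now:
            continue  # expired indicator
        for value in DOMAIN_VALUE_RE.findall(obj.get("pattern", "")):
            domain = value.lower().rstrip(".")
            if SAFE_ZONE_RE.match(domain):
                found[domain] = obj["id"]
    return found


def unbound_local_zones(domains, action="always_nxdomain"):
    """Unbound local-zone lines answering NXDOMAIN for each domain and everything below it."""
    return [f'local-zone: "{d}." {action}' for d in sorted(domains)]


NOW = datetime(2024, 1, 20, tzinfo=timezone.utc)
ACTIVE_ID = "indicator--2a3b4c5d-6e7f-4a8b-9c0d-1e2f3a4b5c6d"
BUNDLE = {  # constructed; one active, one expired, one revoked, one non-domain indicator
    "type": "bundle", "id": "bundle--1f9c2b7e-3d4a-4e5f-8a6b-7c8d9e0f1a2b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": ACTIVE_ID,
         "created": "2024-01-05T00:00:00.000Z", "modified": "2024-01-05T00:00:00.000Z",
         "pattern": "[domain-name:value = 'evil-update.xyz' OR domain-name:value = 'CDN.tracker.example.']",
         "pattern_type": "stix", "valid_from": "2024-01-05T00:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--3b4c5d6e-7f8a-4b9c-8d0e-2f3a4b5c6d7e",
         "created": "2023-12-01T00:00:00Z", "modified": "2023-12-01T00:00:00Z",
         "pattern": "[domain-name:value = 'old-c2.example']", "pattern_type": "stix",
         "valid_from": "2023-12-01T00:00:00Z", "valid_until": "2024-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--4c5d6e7f-8a9b-4c0d-9e1f-3a4b5c6d7e8f",
         "created": "2024-01-06T00:00:00Z", "modified": "2024-01-07T00:00:00Z", "revoked": True,
         "pattern": "[domain-name:value = 'retracted.example']", "pattern_type": "stix",
         "valid_from": "2024-01-06T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--5d6e7f8a-9b0c-4d1e-8f2a-4b5c6d7e8f9a",
         "created": "2024-01-08T00:00:00Z", "modified": "2024-01-08T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']", "pattern_type": "stix",
         "valid_from": "2024-01-08T00:00:00Z"},
    ],
}


def blocklist_from_bundle():
    return domains_from_bundle(BUNDLE, NOW)


if __name__ == "__main__":
    print(json.dumps(make_domain_indicator("xkqzvjw3.net", "DGA hit", NOW), indent=2))
    print("\n".join(unbound_local_zones(blocklist_from_bundle())))
```

Only the two domains from the active indicator survive; the expired, revoked and IP-address indicators are dropped, and the OR-combined pattern yields both of its domains. Feeding revoked or expired indicators straight into the resolver is a common way for a blocklist to keep blocking names long after the feed has withdrawn them, which is why the filter checks those fields before anything else.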

Compliance with International Standards

zDNS is designed around the following standards and frameworks:

  • ISO/IEC 27001: Information security management
  • NIST Cybersecurity Framework: Guidelines for managing and reducing cybersecurity risk
  • GDPR: Governs the handling of personal data present in DNS logs, such as client addresses and the names they query
  • MITRE ATT&CK Framework: Detections are mapped to its catalogue of adversary techniques so alerts use widely recognised terminology

Conclusion

zDNS represents a significant advancement in DNS filtering technology, combining state-of-the-art AI/ML techniques with robust threat intelligence capabilities. Its high-accuracy models, comprehensive backend analysis, and adherence to international standards make it a powerful tool for organizations seeking to enhance their cybersecurity posture. As cyber threats continue to evolve, solutions like zDNS play a crucial role in maintaining a secure digital environment.
