The DNS system offered by Yoroi is "armed" through a complex network of Threat Intelligence. The DNS Defence service recognises whether a domain resolution is malicious or not according to whether the domain is present within Yoroi's threat intelligence. If the domain resolution turns out to be malicious, that is, the domain name requested by the victim is present within the threat intelligence with high confidence and a high "score" (compromise index), the DNS server does not resolve the domain name to its real IP address but to a pre-configured IP address (sinkholing technique) serving controlled content, thus preventing the malicious connection from being initiated.

DNS (Domain Name System) was originally developed as an open protocol and, because of this, must today be considered vulnerable to cyber attacks. To better understand the associated risks, it is enough to recall the vulnerability areas to which we are all exposed:
- Footprinting: process potentially used by an attacker to learn the domain names, computer names and IP addresses of critical network resources.
- Denial of Service attack: attempt to deny the availability of network services via recurrent queries to the principal network servers.
- Data modification: attempt by attackers who, after performing a successful footprint using DNS queries, try to use self-generated IP packets to look like a valid network participant, potentially causing huge damage or infections.
- Redirection: query redirection to servers controlled by the attacker in order to perform any possible malicious activity including, potentially, malware infiltration.
How threats are blocked

Every real connection needs a domain resolution in order to obtain the IP address with which to set up the communication itself. Nowadays attackers more and more often use DNS services to prevent the simple "black list" technology from blocking their threat. Through FastFlux and Domain Generation Algorithm (DGA) techniques, attackers abuse the DNS protocol (UDP 53) to bypass perimeter filters both in data transmission and in data reception. The DNS Defence service blocks this resolution, preventing any type of connection to domains considered infected or infectious. For example, an infected host attempts to contact its C2 to send information and/or request actions to be taken on the victim. The connection by the victim takes place only after the IP address of the public host to be contacted has been obtained. The DNS Defence service inserts itself in this phase by returning an IP address controlled by the defender, thus preventing malware activation.
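The sinkholing decision described above (in the opening paragraph and in this section) can be made concrete with a small policy resolver. The following is an added example written for this page, not Yoroi's code: the threat-intelligence feed, the upstream answers, the score and confidence thresholds, the domain names and the sinkhole address 192.0.2.1 are all constructed assumptions. The resolver looks the queried name (and each of its parent domains, since C2 infrastructure often hides behind subdomains) up in the feed; a match with a high enough score and confidence gets the defender-controlled sinkhole address instead of the real one, and the event is logged for the SOC.

```python
"""Added example (not the product's own code): a minimal DNS sinkholing policy."""
from dataclasses import dataclass
import logging

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("dns-defence-example")

# Constructed sample threat-intelligence feed (hypothetical domains).
# score: compromise index 0-100; confidence: analyst confidence 0.0-1.0
THREAT_INTEL = {
    "evil-c2.example": {"score": 95, "confidence": 0.98, "tag": "c2"},
    "suspicious.example": {"score": 40, "confidence": 0.50, "tag": "unknown"},
}

# Constructed stand-in for real upstream resolution, so the example runs offline.
UPSTREAM = {
    "evil-c2.example": "203.0.113.10",
    "suspicious.example": "203.0.113.20",
    "www.example.com": "198.51.100.5",
}

SINKHOLE_IP = "192.0.2.1"   # defender-controlled address (assumed; TEST-NET-1 range)
SCORE_THRESHOLD = 70        # assumed policy thresholds
CONFIDENCE_THRESHOLD = 0.8


@dataclass
class Answer:
    domain: str
    ip: str
    action: str  # "resolve", "sinkhole" or "nxdomain"


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot / whitespace so lookups match the feed."""
    return domain.strip().rstrip(".").lower()


def lookup_intel(name: str):
    """Return (matched_domain, entry) for the name or any parent domain in the feed.

    Walks from the full name up to the registrable-looking parent, never the bare TLD,
    so 'beacon.evil-c2.example' is caught by the 'evil-c2.example' entry.
    """
    labels = name.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in THREAT_INTEL:
            return candidate, THREAT_INTEL[candidate]
    return None, None


def is_malicious(entry) -> bool:
    """Only high-score, high-confidence entries trigger the sinkhole."""
    return (
        entry is not None
        and entry["score"] >= SCORE_THRESHOLD
        and entry["confidence"] >= CONFIDENCE_THRESHOLD
    )


def resolve(domain: str, client_ip: str = "10.0.0.5") -> Answer:
    """Answer a query: sinkhole if the feed flags it, otherwise pass through."""
    name = normalize(domain)
    matched, entry = lookup_intel(name)
    if is_malicious(entry):
        # Detection record for the SOC: the client that asked, the name, and why.
        log.info("SINKHOLE client=%s qname=%s matched=%s score=%s tag=%s",
                 client_ip, name, matched, entry["score"], entry["tag"])
        return Answer(name, SINKHOLE_IP, "sinkhole")
    real_ip = UPSTREAM.get(name)
    if real_ip is None:
        return Answer(name, "", "nxdomain")
    return Answer(name, real_ip, "resolve")


if __name__ == "__main__":
    for q in ("EVIL-C2.example.", "beacon.evil-c2.example",
              "suspicious.example", "www.example.com", "nothere.example"):
        print(resolve(q))
```

A low-score entry such as suspicious.example is deliberately resolved normally: the page's point is that only domains present in the intelligence with high confidence and a high compromise index are sinkholed, which keeps false positives from breaking legitimate traffic while still logging enough to investigate.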
Available filters

The service offers DNS filters for the following categories:
- Advertising
- Search engines
- News
- Job hunting
- Generic websites
- Unwanted websites
- Dangerous websites (also thanks to the Yoroi Threat Intel)
- Social networks
- Technology
- Messaging
- Free time