Using URLhaus as a Response Policy Zone (RPZ)

Published on 17th June 2019, 09:46:12 UTC


A few days ago, URLhaus cracked 200,000 tracked malware URLs. The majority of the malware sites tracked by URLhaus are related to Emotet (aka Heodo), followed by Mirai, Gafgyt and Gozi ISFB (aka Ursnif). But there are many other threats being tracked with the help of the infosec community. There are several ways to utilize the data generated by the community to protect your network and users. This blog post is a short tutorial on how to use URLhaus as a DNS Response Policy Zone (RPZ).

What is RPZ? RPZ is a way to rewrite or block responses to DNS queries. It is sometimes also referred to as a DNS Firewall, as it allows system administrators to block access to certain domain names. Many different vendors and products support DNS RPZ these days, including Bind and PowerDNS. In this tutorial I will document how to use the URLhaus RPZ dataset with Bind. The setup has been tested on Ubuntu 18.04.2 LTS with Bind version 9.11.3, but it should work with any recent version of Ubuntu and Bind.

The URLhaus RPZ gets updated every 5 minutes and excludes the Alexa Top 1M sites to reduce the number of false positives. Once implemented, the URLhaus RPZ will prevent the resolution of domain names that are currently actively being used to distribute malware by returning NXDOMAIN (i.e. the domain name does not exist).

If you don't have Bind installed yet, you can install it using apt-get:

sudo apt-get install bind9

Once Bind has been successfully installed, we need to configure Bind to use the URLhaus RPZ. To do so, we first need to edit /etc/bind/named.conf.local and add the following snippet at the end of the file:

//-------------------------------------------
// URLhaus RPZ
//-------------------------------------------
zone "urlhaus.zone" {
	type master;
	file "urlhaus.rpz";
	allow-query { any; };
	allow-update { none; };
	allow-transfer { none; };
};

In addition, we need to alter the existing options section in /etc/bind/named.conf.options as follows:

options {
	[...]
	response-policy { zone "urlhaus.zone"; };
};

Last but not least, we need to download the URLhaus RPZ to the Bind directory. We can do so by using the following wget command:

sudo wget -O /etc/bind/urlhaus.rpz https://urlhaus.abuse.ch/downloads/rpz/

To keep the local copy of the URLhaus RPZ updated, I recommend installing a cron job. We can set up such a cron job, which downloads the most recent dataset from URLhaus every 5 minutes, with the command sudo vi /etc/crontab and by adding the following line at the end of the file:

*/5 *	* * *	root	wget -qO /etc/bind/urlhaus.rpz https://urlhaus.abuse.ch/downloads/rpz/
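The cron line above has two weaknesses worth closing. wget -O truncates /etc/bind/urlhaus.rpz before the download starts, so a failed or partial fetch leaves Bind with an empty or truncated zone file, and Bind does not re-read a master zone file on its own, so freshly downloaded data only takes effect at the next restart or rndc reload. The script below is an added example, not part of the abuse.ch post: it downloads to a temporary file, validates it, renames it over the live file and reloads only the RPZ zone. The script name and the format checks applied to the feed are assumptions; the URL, file path and zone name are the ones used in the post.

```shell
#!/bin/sh
# Added example (not from the abuse.ch post): refresh the URLhaus RPZ zone
# file atomically and reload only that zone in Bind. URL, path and zone name
# are taken from the post; the file-format checks below are assumptions.
set -eu

RPZ_URL="https://urlhaus.abuse.ch/downloads/rpz/"
RPZ_FILE="/etc/bind/urlhaus.rpz"
RPZ_ZONE="urlhaus.zone"

# Return 0 when the file looks like a usable RPZ zone: non-empty, carries an
# SOA record and at least one policy record (URLhaus produces NXDOMAIN with
# "CNAME ." records; treating a feed without any such record as broken is an
# assumption). If bind9utils is installed, let named-checkzone parse it too.
rpz_file_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    grep -q '[[:space:]]SOA[[:space:]]' "$f" || return 1
    grep -q '[[:space:]]CNAME[[:space:]]' "$f" || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$RPZ_ZONE" "$f" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Download into a temporary file in the same directory, validate it, rename it
# over the live file (rename is atomic, so named never reads a truncated zone)
# and ask Bind to reload just this zone. Bind does not re-read a master zone
# file by itself, so the rndc reload is what makes the new data take effect.
update_rpz() {
    tmp=$(mktemp "${RPZ_FILE}.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    if ! wget -q -O "$tmp" "$RPZ_URL"; then
        echo "download of $RPZ_URL failed; keeping current zone file" >&2
        return 1
    fi
    if ! rpz_file_ok "$tmp"; then
        echo "downloaded file failed validation; keeping current zone file" >&2
        return 1
    fi
    if [ -f "$RPZ_FILE" ] && cmp -s "$tmp" "$RPZ_FILE"; then
        return 0   # feed unchanged since the last run, nothing to reload
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$RPZ_FILE"
    rndc reload "$RPZ_ZONE"
}

# Only run the update when invoked with the "update" argument, so the
# functions above can also be sourced and exercised without network access.
if [ "${1:-}" = "update" ]; then
    update_rpz
fi
```

Installed as, for example, /usr/local/sbin/update-urlhaus-rpz.sh (a hypothetical path), the crontab line becomes */5 * * * * root /usr/local/sbin/update-urlhaus-rpz.sh update. When the download or the validation fails, the previously installed zone stays in place and Bind keeps serving it, which is the failure mode you want for a blocklist.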

Optional: If we want to log DNS queries that have been blocked by URLhaus RPZ into a separate file, we need to edit /etc/bind/named.conf.options again and add the following section (e.g. at the end of the file):

logging {
        channel rpzlog {
                file "urlhaus-rpz.log" versions unlimited size 1000m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity info;
        };

	category rpz { rpzlog; };
};

That's it, we are done! Don't forget to restart Bind so that the new configuration gets applied. We can do so by running the command service bind9 restart. We can verify that the URLhaus RPZ has been loaded by taking a look at /var/log/syslog. We should find something like this there:

Jun 14 11:53:54 ubuntu named[1640] (re)loading policy zone 'urlhaus.zone'
Jun 14 11:53:54 ubuntu named[1640] zone urlhaus.zone/IN: loaded serial 1906141134

We can test our setup by executing the following command on the DNS server: dig @localhost testentry.rpz.urlhaus.abuse.ch. This should generate an output that looks like this (take note of status: NXDOMAIN and urlhaus.zone. 30 IN SOA rpz.urlhaus.abuse.ch., which should both appear in the output of the executed command):

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testentry.rpz.urlhaus.abuse.ch.			IN	A

;; ADDITIONAL SECTION:
urlhaus.zone.		30	IN	SOA	rpz.urlhaus.abuse.ch. hostmaster.urlhaus.abuse.ch. 1906141134 3600 1800 604800 30

Congratulations, we are now protected by the URLhaus RPZ! If you have activated logging, DNS queries blocked by the URLhaus RPZ should appear in the corresponding log file (on a default Bind installation on Ubuntu, the file should be located under /var/cache/bind/urlhaus-rpz.log):

14-Jun-2019 12:33:50.92 ubuntu: info: client XXX (testentry.rpz.urlhaus.abuse.ch): rpz QNAME NXDOMAIN rewrite testentry.rpz.urlhaus.abuse.ch via testentry.rpz.urlhaus.abuse.ch.urlhause.zone

Note: If you have set up your Bind server from scratch, you should apply an ACL to prevent your DNS server from becoming an open DNS resolver (and hence vulnerable to DNS amplification attacks). You can do so by configuring an ACL that only allows DNS queries from certain networks. To do so, we need to edit /etc/bind/named.conf.options again and add the following lines (e.g. at the end of the file):

acl "trusted-network" {
	192.168.1.0/24;
	::1;
	127.0.0.0/8;
};

In the example above, we are allowing 192.168.1.0/24 (and localhost) to query our DNS server. Please replace it with the network (prefix) you want to allow DNS queries from. In addition, we need to alter the options section of the same file (/etc/bind/named.conf.options) as follows:

options {
        [...]
	allow-query {
		trusted-network;
	};
};

We are done (don't forget to restart Bind by executing service bind9 restart).
