DNS Security with Sophos


The Domain Name System is wide open to attackers. Attacks using DNS often succeed because security teams lack basic visibility into how threats use DNS to maintain control of infected devices or to steal data. Current approaches either drown you in uncoordinated data from independent tools or require changes to the DNS infrastructure. You have probably heard of DNS sinkholes, DNS tunneling, C&C and DGAs. Are you ready to protect your internal DNS server from all of these? If so, how do you configure a Sophos XG firewall to protect the DNS server?

DNS Sinkhole: A DNS sinkhole, also known as a sinkhole server, Internet sinkhole or blackhole DNS, is a DNS server that gives out false information to prevent the use of a domain name. (Wikipedia). In practice the false answer points the client at an address the defender controls, so the malware's callbacks never reach the attacker and every client that contacts the sink address is a host worth investigating.

DNS tunneling: DNS tunneling is a form of cyber-attack that encodes the data of other programs or protocols in DNS queries and responses (messages). Outbound data usually travels in the labels of the queried name and inbound data in the answer records (TXT records are a common choice), so the traffic passes through any resolver that forwards queries for the attacker's domain, including your own internal DNS server.

Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers. (Wikipedia). Because only a few of the generated names are registered at any time, an infected host typically produces a burst of NXDOMAIN responses for random-looking domains, which is the signal defenders look for.

Command and Control (C&C): A command-and-control [C&C] server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network. 
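As an added example that is not part of the original article, the following Python script shows what detection of the tunneling and DGA patterns defined above looks like when run over DNS query logs, and what a sinkholing resolver then does with the domains that get flagged. The log lines, the thresholds and the sink address are constructed for illustration; the "registrable domain" is approximated as the last two labels because no Public Suffix List is embedded.

```python
"""Heuristic triage of DNS query logs for tunneling and DGA activity, plus the
sinkhole decision a resolver would make for the domains that get flagged.
Added example; thresholds and sample data are illustrative assumptions."""
import math
from collections import defaultdict

# Constructed sample log, one "<client> <queried name> <rcode>" per line. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 a3f9c2e1b7d04e8a9c1f2b3d4e5f6a7b.tunnel.example.net NOERROR
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel.example.net NOERROR
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net NOERROR
10.0.0.7 ffeeddccbbaa99887766554433221100.tunnel.example.net NOERROR
10.0.0.9 xkqzvbtrpwmc.com NXDOMAIN
10.0.0.9 qwrtzpsdfghk.net NXDOMAIN
10.0.0.9 mnbvcxzlkjhg.org NXDOMAIN
10.0.0.9 plmoknijbuhv.info NXDOMAIN
10.0.0.9 news.bbc.co.uk NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (subdomain, registrable_domain). Approximation: the registrable
    domain is the last two labels; a real deployment would use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Parse the constructed log format into (client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        client, name, rcode = parts
        records.append((client, name.lower().rstrip("."), rcode.upper()))
    return records


def find_tunneling(records, min_unique=4, min_label_len=24):
    """Zones that receive many distinct, long leftmost labels: the shape of data
    encoded into query names. Returns {zone: count_of_unique_labels}."""
    labels_per_zone = defaultdict(set)
    for _client, name, _rcode in records:
        if "." not in name:
            continue
        first, zone = name.split(".", 1)
        if len(first) >= min_label_len:
            labels_per_zone[zone].add(first)
    return {z: len(s) for z, s in labels_per_zone.items() if len(s) >= min_unique}


def find_dga_clients(records, min_nx=3, min_entropy=3.0, min_len=10):
    """Clients that get NXDOMAIN for several distinct, high-entropy second-level
    labels: the footprint of a DGA probing unregistered names.
    Returns {client: sorted list of flagged domains}."""
    hits = defaultdict(set)
    for client, name, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        _sub, parent = split_name(name)
        sld = parent.split(".")[0]
        if len(sld) >= min_len and shannon_entropy(sld) >= min_entropy:
            hits[client].add(parent)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_nx}


def sinkhole_answer(name, blocklist, sink_ip="10.255.255.1"):
    """What a sinkholing resolver answers: the sink address (an assumed value here)
    for any name at or under a blocked domain, None meaning 'resolve normally'."""
    name = name.lower().rstrip(".")
    for blocked in blocklist:
        if name == blocked or name.endswith("." + blocked):
            return sink_ip
    return None


def triage(log_text: str):
    """Run both detectors and turn their findings into a sinkhole blocklist."""
    records = parse_log(log_text)
    tunnels = find_tunneling(records)
    dga = find_dga_clients(records)
    blocklist = set(tunnels) | {d for doms in dga.values() for d in doms}
    return {"tunneling": tunnels, "dga_clients": dga, "blocklist": sorted(blocklist)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The entropy and length thresholds are deliberately coarse: production detectors add NXDOMAIN rate per host, dictionary checks, and allow-lists for CDNs whose hostnames also look random, otherwise legitimate traffic ends up in the sinkhole.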

How to Protect DNS server with Sophos XG Firewall?
I have configured this multiple times, and users are happy because they are secure.

Let's go deeper and implement DNS security with Sophos XG 17.5.4 MR4-1.

ATP Configuration:
"You can identify the clients/hosts in your network that are malware infected or part of a botnet using the Hosts - ATP report in Advanced Threat Protection (ATP) under Reports.

The ATP feature in Sophos XG Firewall analyses all network traffic (DNS requests, HTTP requests, or data packets in general), coming and going, for possible threats. The database used to identify threats is updated constantly by a CnC/Botnet data feed from Sophos Labs through signature updates. Based on this data, ATP reports are generated that can help administrators to quickly identify infected hosts and their communication with command-and-control (CnC) servers." Make sure ATP is enabled and its policy is set to "Log and drop" rather than "Log only"; otherwise infected hosts are only reported and their lookups of the C&C domain are still answered.

Fig 1.1 - Sophos Advanced Threat Protection

IPS Configuration:
In the existing IPS policy (if one is already configured), add a new rule and select IPS signature categories such as "Malware-Backdoor", "Malware-cnc", "Malware-other", "SCAN" and "Protocol-DNS". Set the rule action to Drop rather than detect-only, and check that the IPS policy is attached to the firewall rule that actually carries the DNS traffic to and from your internal DNS server; an IPS policy that is not referenced by a firewall rule inspects nothing.

Fig 1.2

View all logs and details in the ATP and IPS logs:

Fig 1.3

But I asked Sophos the same question directly on Twitter, and here is the reply:



An Article By Deepak Kumar 
Linkedin: https://www.linkedin.com/in/engdeepak/
Twitter: https://twitter.com/Deepakkhw