Penn Information Security: SafeDNS


	Sunday, May 19, 2013

	New Resources
	Combating Malware
	SafeDNS
	Phishing Archive
	Cloud Computing and Data Outsourcing
	Best Practices for Applications with Confidential University Data

	Security "Greatest Hits"
	Managing Passwords
	E-mail Harassment & Forgery
	Hoaxes, frauds & scams
	Spam
	Phishing
	Wireless Networking
	Encryption & digital signatures

	Best Practices
	Secure desktop computing
	Secure servers
	Secure data deletion
	Securing printers
	Tips for safe computing
	Computing policies

	More in-depth information for
	Local support providers
	System administrators

	Security initiatives
	Critical host compliance
	Authentication & authorization
	Penn Security & Privacy Assessment (SPIA)
	Security Liaisons (Restricted Access)
	Secure Share
	Secure Space
	Vulnerability Scanner

	Related links
	Electronic privacy
	PennKey
	Viruses
	Worms, trojans, backdoors

SafeDNS Pilot

The Problem

It has become increasingly difficult to protect client workstations from becoming compromised by malicious software. Even if workstations are patched and running up-to-date anti-virus software, some risks remain because of the:

Increasing prevalence of 0-day threats (attacks that exploit vulnerabilities for which there is no patch);
Incomplete effectiveness of anti-virus software in detecting polymorphic malware; and
Prevalence of malicious third-party ads hosted on otherwise legitimate web sites.

The Pilot

You are invited to participate in this pilot service intended to protect client workstations at Penn from becoming infected by computers known to host malware. On a daily basis, this service updates a list of about 50,000 hosts that are known to be hosting malicious software.

How it Works

If a workstation is configured to use this as the DNS service, any attempt to reach a suspected malicious host gets redirected to the SafeDNS server itself. Web requests from the workstation will go here: http://safedns[12].security.isc.upenn.edu/ instead of to a malicious host.

How do I join?

If you're a Local Support Provider, feel free to try out the service yourself by setting your DNS server addresses as follows:
Primary: 128.91.19.240
Secondary: 128.91.19.241
Review the Terms of Service, below.
When you're ready to set up clients to use the service, contact ProDesk (prodesk@isc.upenn.edu), letting them know:
- How many clients you'd like to add, so we can confirm that the service is ready to support that number; and
- Whether you'd like to be added to a distribution list for outage notifications and notices about service changes or enhancements.
Once we confirm that the service is ready for you to join, notify your users according to the Terms of Service below.
Reconfigure clients to use the DNS server addresses above, optionally adding a Penn authoritatvie DNS server (128.91.2.13) as a Tertiary for increased resilience.
Give us feedback about the rate of compromises before and after joining the pilot (as described in the Terms of Service, below). Contact ProDesk if you see any false positives.

Terms of Service

While we have made reasonable efforts to provide a robust and reliable pilot service, it is provided on a best-effort basis, with no guarantees about uptime, protection from false positives, or true negatives.
The pilot service should not be used by servers, only client computers. For example, a system running a mail or web server should not use the pilot service.
Unlike Penn's production DNS servers, the SafeDNS pilot servers do NOT receive updates from Assignments immediately. Thus, if you need to change a server in Assignments, make sure you lower the TTL in advance of the change to make sure any old entry is expired more quickly from the SafeDNS cache.
Participation in the pilot is free. In the event it becomes a production service, it may be necessary to pay to use the service.
As a condition of participation in the pilot, you agree to provide us with (1) reports of any subscribing clients that become compromised; and (2) a comparison to the rate of compromise prior to subscribing to the service, e.g. x number of computers compromised per week or month.
Depending on the feedback received during and after the pilot, it may be either discontinued or turned into a production service.
We recommend that you take reasonable steps to notify users prior to deploying the service in your area. This should help minimize any unwarranted privacy or security concerns that might otherwise arise when a user encounters the redirect page. Notification might include incorporating the Privacy Statement below into a notice on the web page where DHCP users register, having LSPs "spread the word" among their users, or taking other steps that are feasible for the deployment in your area.

What We Log

Only the information necessary to run or support the service is logged. For example, even though all DNS requests go to the server, the requests themselves (e.g. for www.google.com) are not logged.

Privacy Statement

The SafeDNS service reduces the likelihood that a computer will be compromised through web browsing. The service does this by tracking web sites known to be the source of malicious content. If the computer attempts to reach such a site in the course of web browsing or other activity, the service will redirect the computer to a safe location. In the course of providing this service, certain information is tracked for the purpose of measuring effectiveness. The information tracked includes the IP address of the subscribed computer and the time of the activity. The initial site (from which the computer was directed to the malicious site) is also recorded, but without information that would link the subscribed computer to the initial site.

Last updated: Friday, March 22, 2013



Information Systems and Computing University of Pennsylvania Comments & Questions