Example 3: Potential compromise of IoT devices - BlueCat DNS Edge

DNS Edge Deployment Guide

prodname
BlueCat DNS Edge

In this example, we will transparently monitor access from a unique class of IoT devices. All requests from these devices will be monitored and logged to allow you to build an access profile for this class of devices, which can then be used to restrict access to that "normal" activity.

Note: This example requires that you know the IP address or CIDR range of one or more IoT devices, ideally all of one specific type.
Create a policy to monitor access from IoT devices
  1. In the top navigation bar, click and select Policies.
  2. Click to create a new policy.
  3. For Name, enter Monitor IoT Devices, and for Description, enter a brief description for the policy.
  4. For Type, select Monitor, and set the slider to Active.
  5. In the Sites field, start typing the name of a site, and then select the site you want to apply the policy to.
  6. Expand the Source IP section, and in the Source IPs field, type the IP address or CIDR range of an IoT device, and press Enter. You can enter multiple IP addresses or CIDR ranges.
  7. Click Save & Apply.

View blocked DNS activity

Note: For this test, it's best to wait until there is a significant amount of traffic to the DNS Edge service point.
  1. In DNS Edge, select the DNS Activity view .
  2. In the Command bar, type /policyname Monitor IoT Devices, and press Enter. In the DNS Activity tab, you should see a list of queries from your IoT devices.
  3. Write down all the unique domain names so that you can use them in the next step to create a Domain List representing the normal activity for IoT devices.
Create a domain list representing normal activity for IoT devices
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter IoT Allowed, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. In the Domains field, type the list of domains you recorded above. You can press Enter after typing each domain, or you can type multiple domains separated by commas and press Enter.
  5. Click Save and Close.
Create a domain list representing all traffic
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter All Traffic, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. In the Domains field, type * and press Enter to represent all traffic.
  5. Click Save and Close.

Update the policy to restrict access from IoT devices

Follow the below to update the previously created Monitoring policy and turn it into a policy that will restrict access from the IoT devices to only the domain names determined to represent a normal activity.

In this example, the queries issued by the IoT devices to domain names listed in the IoT Allowed Domain List will be allowed and any other query will be blocked.

  1. In the top navigation bar, click and select Policies.
  2. Find the Monitor IoT Devicespolicy and click to edit the policy.
  3. Change the name of the policy to Restrict IoT Devices,
  4. Change the type of the policy to Block.
  5. Expand the Domain List section, and in the Block List field, start typing All Traffic, and then select that domain list.
  6. In the Exception List field, start typing IoT Allowed, and then select that domain list.
  7. Expand the Source IPs section, and in the Source IPs field, type all of the IP addresses or CIDR ranges for all of the IoT devices that are the same type as the device configured to monitor the normal activity, and press Enter.
  8. Click Save & Apply.
Review activity for IoT devices
  1. In DNS Edge, select the DNS Activity view .
  2. In the Command bar, type /policyname Restrict IoT Devices, and press Enter.
  3. If any blocked queries represent normal access, add the domain names to your IoT Allowed Domain List. Otherwise, you have discovered abnormal IoT activity.
  4. For further inspection, click the Threat Activity tab to see the abnormal traffic generated by the IoT Devices that were identified as a DNS threat.