Last February, DNSWatch mistakenly blocked popular domain names (you can see the details in our past blogpost). Since then we have been creating a plan to limit the possibility of this happening in the future.
Recap: What happened?
DNSWatch periodically updates the list of domains to block from external sources. This data is combined with other internal data to remove domains that are trusted. One of the ways we do this is via whitelisting specific domain names to ensure they do not get erroneously added to our list of bad domains.
One of our external feeds added some popular sites and their subdomains to the list of bad domains. Unfortunately, a design decision in the above process only whitelisted the domains and their most popular subdomains, for example it did not whitelist m.youtube.com. The newly blocked domains interrupted our customers access to some sites; the issue was noticed quickly be our team and remedied.
How can we avoid this in the future?
After fixing the immediate issue (as outlined in the previous blogpost), we began investigating how we could improve this process. One of the changes we made was to whitelist the subdomains of popular services that do not allow users to set custom subdomains, e.g. subdomains of youtube.com will be considered safe while subdomains of tumblr.com will not be, because a user can create <badsite>.tumblr.com and potentially host malicious content. Longer term, we’re investigating additional sources of data used in the determination of whether a domain is considered trustworthy. This is a difficult determination to make and is not a binary good or bad decision. Some of the sources being considered to feed into this decision include:
- DNS traffic from DNSWatch customers (the data that powers DNSWatch reports)
- Categorization data of each domain (e.g. is this an e-commerce site, a social network, etc.)
- Global site popularity (using the Alexa Top 1 Million domains data)
- Google Safe Browsing and related services
Additionally, we’re going to expand the list of webhosts and CDNs that DNSWatch whitelists to ensure that domains that are related to large portions of the Internet remain accessible, and are not blocked in an automated fashion (e.g. Amazon AWS, Akamai, etc.) For cases like this, the subdomain associated with a specific user account or piece of malicious content would be blocked, but occasionally external feeds will block the entire domain instead of a specific malicious subdomain.
We believe the above will help avoid false positives that affect a large portion of DNSWatch customers, but we are also investigating other potential ways to guard against this happening. If you have any ideas or would like to engage on this topic, please reach out (you can email us directly at firstname.lastname@example.org or contact us) – we would love to hear from you!
The post DNSWatch Blocking Popular Websites: A Recap and Future Plans appeared first on Strongarm Malware Protection.
*** This is a Security Bloggers Network syndicated blog from Speaking of Malware | The Strongarm Blog – Strongarm Malware Protection authored by Patrick Cloke. Read the original post at: https://strongarm.io/blog/dnswatch-blocking-popular-websites-recap-future-plans/