Malicious Domain Blocking and Reporting (MDBR) FAQ
Overview

What is the Malicious Domain Blocking and Reporting (MDBR) Service?

MDBR is a web security solution that provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy.

It works as a protective recursive DNS resolver: when a system on your network looks up a domain, the lookup is checked against Akamai's threat intelligence, and lookups for known malware, ransomware, phishing, and other harmful domains are answered with a block page instead of the real address. Because most ransomware first has to resolve a delivery or command-and-control domain, blocking that first lookup stops many infections before any payload is downloaded. The protection only covers lookups that actually reach the MDBR resolvers; a host that uses a different resolver or connects to a hard-coded IP address is not covered.

MDBR is available at no cost to U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). This service was designed in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Akamai.

Who is Akamai?

Akamai is our selected DNS vendor for the MDBR service. The cybersecurity company operates Enterprise Threat Protector (ETP), a carrier-grade recursive DNS service which is integrated into the MDBR service. ETP is built on the global Akamai Intelligent Edge Platform and is a quick-to-configure, easy-to-deploy Secure Web Gateway (SWG) that requires no hardware to be installed and maintained.

ETP has multiple layers of protection that leverage real-time Akamai Cloud Security Intelligence and multiple static and dynamic malware-detection engines to proactively identify and block targeted threats such as malware, ransomware, phishing, and DNS-based data exfiltration. Every requested domain is checked against Akamai’s real-time threat intelligence, and requests to identified malicious domains are automatically blocked.

This intelligence is built on data gathered 24/7 from the Akamai Intelligent Edge Platform, which manages up to 30% of global web traffic and delivers up to 2.2 trillion DNS queries daily. Akamai’s intelligence is enhanced with hundreds of external threat feeds, and the combined data set is continuously analyzed and curated using advanced behavioral analysis techniques, machine learning, and proprietary algorithms. As new threats are identified, they are immediately added to the Enterprise Threat Protector service, delivering real-time protection.

Akamai Enterprise Threat Protector: visit www.akamai.com for more information.

How does MDBR work?

MDBR is a cloud-based secure DNS solution specifically designed for U.S. SLTT organizations. It proactively blocks network traffic from an organization to known and suspected harmful web domains, helping protect IT systems against cybersecurity threats.

Once an organization points its DNS forwarders at Akamai's primary and secondary recursive DNS server IP addresses, every lookup is compared against a list of known and suspected malicious domains. Attempts to reach domains associated with malware, phishing, ransomware, and other threats are blocked and logged in detail; accepted requests are counted (see the logging questions under Technical Support). Logs are retained for 30 days.

CIS will provide weekly reporting to each participating entity related to both accepted and blocked requests and assist in remediation, if needed.

How much does the MDBR service cost?

The MDBR service is offered at no cost to SLTT government members of the MS-ISAC and the EI-ISAC.

Does MDBR replace Albert Network Monitoring and Management?

No. The two services do not depend on each other and can be run entirely independently. Used together, Albert network monitoring sensors and MDBR complement each other in preventing ransomware and other attacks from succeeding. The MDBR service is easy to implement and requires virtually no maintenance, as CIS and Akamai fully maintain the systems that provide it.

How does MDBR differ from other DNS filtering services, such as Cisco Umbrella or Quad9?

MDBR is similar to other services in that they all block outbound DNS requests for malicious domains. The main differences come down to threat intelligence, logging of DNS lookups, reporting, and whether customers can log into a portal.

While Quad9 offers no logging or reporting capability, most other commercial offerings include these capabilities with the paid version of their service. In most cases, vendors also have a no-cost option that does not offer logging or reporting capabilities. In the case of commercial offerings from Cisco, Akamai, and Cloudflare, customers also have the ability to log into a portal to generate reports and administer the service.

With MDBR, CIS provides weekly reporting related to the blocks that have occurred. Although the membership will receive reports from CIS, they will not have the ability to directly log into the Akamai portal or download logs directly from Akamai. These additional features will be available as a for-fee option through the CIS CyberMarket from Akamai.

What threat intelligence feeds are used by Akamai, and how do they compare to other service providers?

The majority of the threat data in Akamai’s Cloud Security Intelligence comes from data collected on the Akamai platform. Akamai delivers and protects around a third of global web traffic, and it resolves two-thirds of the world’s DNS queries daily. This gives Akamai an unprecedented view of the threat landscape. They augment their data with a few third-party threat intelligence feeds and public information, such as WHOIS and domain registration details. All of this data is analyzed using proprietary algorithms that can quickly identify malicious domains contained in this large volume of data. Additionally, the Akamai threat research team further analyzes the data sets, as there are certain types of threats that an automated machine learning process will not easily detect.

The MS-ISAC Cyber Threat Intelligence (CTI) team also feeds MDBR with near real-time threat information. Working with the MS-ISAC Security Operations Center (SOC) and Cyber Incident Response Team (CIRT), the CTI team sees actual attack data against SLTTs and can quickly add those indicators of compromise (IoCs) to the MDBR platform, protecting every SLTT that uses the service.

How challenging will it be to add MDBR to our environment?

Integrating the MDBR service into your environment is straightforward and should take only a few minutes. The only requirement is to configure your organization's local forwarders to send DNS queries to Akamai's primary and secondary recursive DNS servers. For full coverage, also make sure clients cannot bypass those forwarders, for example by restricting outbound DNS (port 53) at the firewall to the forwarders themselves; a lookup that never reaches Akamai is neither filtered nor reported.

Who do I contact for changes to my MDBR account?

For any post-approval changes to your MDBR account, please submit your changes to the following email address:

Who do I contact if I have further questions?

Please reach out to [email protected] with any additional questions about the service.

Please reach out to [email protected] for technical questions.

Registration

How do I sign up for the MDBR service?

If you are an SLTT government entity and also a member of either the MS-ISAC or the EI-ISAC, you can sign up here.

Click here for more information on how to join the MS-ISAC or the EI-ISAC.

Once I receive the registration email, how many hours is the link in the email valid for before it expires?

The link to complete your registration process will expire in 24 hours. If your onboarding form is not completed before this time period expires, you will have to restart the registration process.

Once our organization’s primary contact receives the enrollment approval email, how many hours is the link in the email valid for before it expires?

The link for your organization’s primary contact to review and approve your registration will expire in 72 hours. If your onboarding form and the MDBR Terms and Conditions are not approved before this time period expires, you will have to restart the registration process.

During the registration process, why is there a question asking if my organization provides DNS resolution services to other organizations?

During the registration process, we ask if your organization provides DNS resolution services to other organizations in order to help us better understand how widely the MDBR service is being utilized. If your organization provides DNS resolution to other organizations, those other organizations would also receive the malicious domain blocking benefits of MDBR without having to sign up for the service directly. Please note that if you indicate you provide DNS resolution services to other organizations, we will reach out to you directly to request a list of those organizations in order to accurately update our records so that we can track them as sub-entities.

Are the MDBR Terms and Conditions available to be reviewed by our legal department prior to accepting them?

The Terms and Conditions for our MDBR service are available at https://www.cisecurity.org/terms-and-conditions-table-of-contents/mdbr-terms/.

While completing the MDBR onboarding form, I received an error stating “Parameter IPs of value ‘x.x.x.x’ violated a constraint. Invalid IP or CIDR notation.” What does this mean?

This error means the IP or CIDR value is not in the format the form expects. Supply the public IPv4 address (for example 203.0.113.10) or public network in CIDR notation (for example 203.0.113.0/24) as it appears to Akamai, with no hostname, port, or trailing text, then resubmit the form.

After I sign up, how do I access information related to my organization’s DNS activity?

CIS will provide weekly reporting to each participating entity that includes information related to both blocked and accepted requests and assist in remediation, if needed.

Is there anything I should be aware of prior to signing up for the MDBR service?

Perimeter devices such as firewalls and web proxies sometimes resolve the domains on their own block lists as part of updating those lists. Those lookups come from the device itself, not from a compromised host, but MDBR cannot tell the difference, so they show up in your reports as blocks (false positives).

If your perimeter devices update their block lists this way, point the DNS settings of those specific devices at a different resolver so that their lookups are never sent to Akamai. Your users' lookups should continue to go through the forwarders to Akamai.

Please reach out to [email protected] for more information or if you have any questions.

Technical Support

Does MDBR support DNS over HTTPS (DoH)?

DoH is not currently supported by Akamai, but it is something they plan to support in the future. We will keep the membership updated with new information on DoH support as we receive it. Note that a client that uses DoH to a public resolver bypasses your local forwarders entirely, so its lookups are neither filtered nor reported by MDBR.

Can you provide more details on the information that is logged by MDBR?

The only data logged are the timestamp of the DNS request, the location it came from (the NAT IP address of the internet connection), the category and classification of the event, and the domain requested. MDBR does not provide a mechanism for determining which specific machine on a network generated a malicious request, so MDBR as a standalone solution will not identify specific users or hosts.

Are only malicious requests or all requests logged?

  • The total number of DNS requests is tracked; however, the details described above are logged only for malicious requests.

Who has access to the logging information?

  • Members of the CIS staff with Akamai portal access and Akamai technical staff have access to the reporting features.

How long are logs kept?

  • Logs are retained in the Akamai platform for 30 days. CIS has access to download data from Akamai.

Where can I find more information on logged data?

Does MDBR support real-time log integration or log forwarding to an SLTT's SIEM solution?

Real-time log forwarding is not currently available through the MDBR service. At this time, the CIS SOC sends members a weekly report of the malicious blocks that occurred. The report will provide a high-level overview and include information on types of malicious activity associated with the blocked domains, confidence level of the blocks, severity, etc.

How do I get direct access to the Akamai portal and information related to the internal host that made a DNS request?

Access to the Akamai portal, Akamai Security Connector (virtual machine), and ETP software agent can all be purchased through the CIS CyberMarket. These upgraded package offerings from Akamai would allow your organization to identify the true source address of the system making a malicious domain request versus just your organization’s public IP address, among other more advanced features. CIS has negotiated discounted pricing for Akamai’s upgraded package offerings for all MS- and EI-ISAC members through CIS CyberMarket. For more information, please visit their CIS CyberMarket page here.
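The following is an added example, not part of the CIS FAQ and not CIS or Akamai code, showing how a member can attribute a blocked request to an internal host without the paid add-ons: it correlates the weekly report fields listed above (timestamp, NAT IP, category, classification, domain) with the query log of the organization's own internal forwarder, which does record the internal client address. It assumes the report can be read as CSV with those fields, that the forwarder is BIND 9 with query logging enabled, and that both sides log in UTC; the report rows, log lines, IP addresses, domain names, and the firewall address in PERIMETER_DEVICES are all constructed. It also applies the perimeter-device caveat from the Registration section: a block whose only internal source is a firewall or proxy is flagged as a probable block-list refresh rather than an infected host.

```python
"""Correlate MDBR weekly block records with an internal forwarder's query log.

Added example (not CIS or Akamai code). Assumed: the weekly report can be
read as CSV with the fields the FAQ says are logged; the internal forwarder
is BIND 9 with query logging enabled; both sides log in UTC. All data below
is constructed.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of the MDBR report fields (assumed CSV).
# The NAT IP is the organization's public address, which is all MDBR records.
MDBR_REPORT_CSV = """timestamp,nat_ip,category,classification,domain
2024-03-04T13:02:11Z,203.0.113.10,Malware,C2,bad-c2.example
2024-03-04T13:40:55Z,203.0.113.10,Phishing,Credential Theft,Login-Refresh.EXAMPLE
2024-03-05T02:15:00Z,203.0.113.10,Malware,C2,bad-c2.example
2024-03-05T09:30:00Z,203.0.113.10,Phishing,Credential Theft,other-lure.example
"""

# Constructed BIND 9 query-log lines from the internal forwarder (10.20.30.2).
# Unlike the MDBR report, these carry the internal client address.
FORWARDER_QUERY_LOG = """04-Mar-2024 13:00:00.000 general: info: zone localhost/IN: loaded serial 0
04-Mar-2024 13:02:10.412 client @0x7f8e1c0a3b60 10.20.30.44#51723 (bad-c2.example): query: bad-c2.example IN A +E(0)K (10.20.30.2)
04-Mar-2024 13:40:54.901 client @0x7f8e1c0a3b60 10.20.30.57#60012 (login-refresh.example): query: login-refresh.example IN A + (10.20.30.2)
05-Mar-2024 02:14:59.150 client @0x7f8e1c0a3b60 10.20.30.1#44010 (bad-c2.example): query: bad-c2.example IN A + (10.20.30.2)
"""

# Assumed: the firewall at this address refreshes its own block lists by
# resolving the entries, the false-positive source the FAQ warns about.
PERIMETER_DEVICES = {"10.20.30.1"}

_QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)


def normalize(name):
    """Compare names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def parse_report(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text.strip())):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "nat_ip": r["nat_ip"],
            "category": r["category"],
            "classification": r["classification"],
            "domain": normalize(r["domain"]),
        })
    return rows


def parse_query_log(text):
    entries = []
    for line in text.splitlines():
        m = _QUERY_LINE.match(line)
        if not m:
            continue  # not a query line (startup notices, zone loads, ...)
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "client": m["client"],
                        "qname": normalize(m["qname"]), "qtype": m["qtype"]})
    return entries


def correlate(blocks, queries, window=timedelta(seconds=120), perimeter=PERIMETER_DEVICES):
    """For each blocked domain, find internal clients that asked the forwarder
    for that name within +/- window of the report timestamp (the forwarder logs
    a query slightly before Akamai sees it; the window also absorbs clock skew)."""
    results = []
    for b in blocks:
        lo, hi = b["ts"] - window, b["ts"] + window
        clients = sorted({q["client"] for q in queries
                          if q["qname"] == b["domain"] and lo <= q["ts"] <= hi})
        if not clients:
            # Nothing in the forwarder log: clock skew, log rotation, or a host
            # that bypassed the forwarder and so cannot be attributed here.
            verdict = "no internal match"
        elif set(clients) <= perimeter:
            verdict = "probable block-list refresh by perimeter device"
        else:
            verdict = "investigate host"
        results.append({**b, "clients": clients, "verdict": verdict})
    return results


def main():
    rows = correlate(parse_report(MDBR_REPORT_CSV), parse_query_log(FORWARDER_QUERY_LOG))
    for r in rows:
        print(f"{r['ts']:%Y-%m-%d %H:%M}  {r['domain']:<24} {r['category']:<9} "
              f"clients={','.join(r['clients']) or '-':<12} {r['verdict']}")


if __name__ == "__main__":
    main()
```

A "no internal match" result is itself a finding: either the forwarder's log has rotated past the 30-day retention MDBR applies on its side, the clocks disagree by more than the window, or a host reached Akamai without going through the forwarder, which the egress restriction mentioned under "How challenging will it be to add MDBR" is meant to prevent.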

How do I configure my organization’s local forwarders to send DNS inquiries to Akamai?

For instructions on how to set up your organization’s local forwarders as well as a link for Akamai’s Enterprise Threat Protector Help website for other troubleshooting, you can view the MDBR set up instructions here.

Is there a way to test that our local forwarders were successfully changed to send DNS inquiries to Akamai?

You can use the following test URLs to confirm that your organization's local forwarders are configured correctly and that Akamai Enterprise Threat Protector is blocking malicious domain requests.

If your local forwarders are configured properly, the request is blocked and you will see the pre-configured block page, headed "Website Access Prohibited".

If your local forwarders are not configured correctly and DNS requests are not being sent to Akamai, the request reaches the real site and you will instead see a normal page headed "Zero Trust".

You can also check from a workstation with nslookup or dig: resolving the test name through your forwarder should return the block page's address rather than the site's real address. If it returns the real address, the workstation or the forwarder is not sending its queries to Akamai.

Is the page that appears when malicious domain requests are blocked customizable?

No, the block page is pre-configured and is not able to be customized by organizations using MDBR.

What is the process for false positives?

Please report any false positives you identify to [email protected]. Our SOC will either handle the issue directly or escalate the issue to Akamai for assistance, if needed.

My organization does not have an internal DNS server. Is an internal DNS server required to sign up for MDBR, or can we manually point each workstation towards the Akamai DNS servers directly?

An internal DNS server is not required. You may configure the DNS settings on each individual machine (handing the Akamai servers out via DHCP is the easiest way) or change the DNS settings on your router. If your environment is very small, your router may already be running DHCP, and you can change both settings on that device. CIS would still need to know your organization's public IP address or public CIDR netblock.

Many of our employees work remotely. Assuming no VPN is present, would this disqualify them from utilizing the MDBR service, as they would not have an internal DNS server?

Remote users can still utilize the MDBR service. However, since they are not at a “known” location, their requests would not report to a specific member organization’s account. When those users make a malicious domain request, the “Unidentified Location” policy would be applied. The user will be protected from malicious content, but the blocked domain lookups will not be correlated to their member organization’s account for reporting purposes.

My organization does not have a static IP address, which is required for accurate reporting. Would my organization be disqualified from the MDBR service, or would we have to update our account every time our IP address changes?

For this situation, your organization would need to set up a dynamic DNS service and then provide that information to [email protected] to set up your account with Akamai.

My organization has an existing security gateway (DNS filter) solution in place. Is it possible to have both MDBR and another secure DNS solution in place at the same time?

Your organization would have to discontinue its existing secure DNS service to utilize the MDBR service, as your DNS requests would be directed to Akamai’s primary and secondary IPs instead of the other secure DNS service.

Is it possible to implement the MDBR service in monitoring-only mode to determine if there are any issues before allowing it the ability to block domain requests?

At this time, it is not possible to implement MDBR in monitoring-only mode.