How does the DigitalStakeout PDNS Greywall Work?

Greywalls reduce risk by temporarily preventing unwitting end-users from interacting with domains, host names, and URLs that have no history or reputation, or that were generated by an algorithm. DigitalStakeout PDNS greywall uses observation data and reputation intelligence to decide whether to allow immediate access to domains and host names. The greywall is designed and tuned to mitigate real-time cyber-attacks in which end-users and endpoints attempt to connect to phishing sites, ransomware downloads, and malware command and control, at the point where threat intelligence, indicators of compromise, and heuristics cannot yet detect the threat.

How Does the DigitalStakeout PDNS Greywall Work?

Here are a few things that DigitalStakeout PDNS greywall is designed to do.

    The greywall learns which domains are trustworthy enough to be resolved. This is done through a learning period.
    The greywall must also track untrusted domains that are not allowed to be resolved for a configured time frame.
    The security administrator determines the temporary block time in the greywall.
    A temporary block can be as short or as long as the security policy specifies.
    In most cases, the temporary block is set to a range of 1 hour to 90 days.
    This temporary block gives security tools, providers, and the information security community time to discover, assess, and distribute protection or intelligence that mitigates the cyber threat.

Better than Zero Reputation and Newly Observed Domain lists?

Advanced threat actors understand they need to manufacture and plan attacks very carefully to avoid detection. In some cases, they will "groom" a domain to make it appear trustworthy. With millions of domains being updated and cycled on a monthly basis, malicious domains slip through the cracks of global block lists.

With DigitalStakeout PDNS, you can create multiple companies. Each company's greywall is isolated. This means that new domain observations and greywall analytics are contained to that tenant. A domain may have been observed by hundreds of endpoints elsewhere in the past 90 days. However, what matters is when the domain first interacted with your endpoints. Administrators set the rules on when, if ever, this new domain can be resolved.

What's an Example of How the Greywall Would Block a Threat?
End-user Clicks on Phishing Link

A threat actor registers a domain and, within 15 minutes, launches a phishing campaign. An unwitting target end-user is tricked into clicking on a phishing link. The end-user attempts to visit https://some-evil-phishing-site.example.com/phishing-attack/login.html

Endpoint Initiates A DNS Lookup

The end-user's system attempts to access the domain some-evil-phishing-site.example.com. For the endpoint to connect to the domain, it first needs to obtain an A record containing the domain's IP address.

DigitalStakeout PDNS Order of Operations

Before the greywall feature in Securd allows its DNS server to resolve the DNS query, it runs the relevant checks to allow or deny it.

    For example, the greywall determines whether a DNS query for some-evil-phishing-site.example.com has been observed before.
    The greywall then decides whether some-evil-phishing-site.example.com has characteristics that prevent it from being implicitly trusted.

If the DNS query matches any block criteria, it is denied. The user is redirected to a block page that states the reason the query was denied. All blocked traffic is logged for a security administrator to review.

Based on Policy, DigitalStakeout PDNS Releases the Greywalled Domain

Once the greywall criteria for some-evil-phishing-site.example.com expire, DigitalStakeout PDNS greywall allows a DNS query for the domain to continue. With DigitalStakeout PDNS, this leads to additional measures that verify some-evil-phishing-site.example.com is not an active threat. The greywall is just one of many layers of protection.

If the DNS query does not match any additional criteria in the security policy, DigitalStakeout PDNS global recursive DNS servers continue to process and resolve the request. The allow decision is recorded in passive DNS logs available for review and analysis in the DigitalStakeout PDNS Portal.
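To make the order of operations above concrete, here is an added illustration (not DigitalStakeout's own code) of a per-tenant greywall decision: domains first seen during a learning period are trusted, a newly observed domain is denied until the policy's block window has elapsed since its first observation, and every decision is logged. The learning period, block window and domain names are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class GreywallPolicy:
    # Hypothetical policy values; the article says block windows typically run 1 hour to 90 days.
    learning_period: timedelta  # domains first seen in this window after deployment are trusted
    block_window: timedelta     # how long a newly observed domain stays greywalled


@dataclass
class TenantGreywall:
    """One company's greywall: first-seen state is isolated to this tenant."""
    policy: GreywallPolicy
    deployed_at: datetime
    first_seen: dict = field(default_factory=dict)   # qname -> first observation time
    log: list = field(default_factory=list)          # (time, qname, allowed, reason)

    def check(self, qname: str, now: datetime):
        """Return (allowed, reason) for a DNS query and record the decision."""
        qname = qname.lower().rstrip(".")
        # First observation for this tenant counts from the first query, not from registration.
        seen = self.first_seen.setdefault(qname, now)
        if seen - self.deployed_at <= self.policy.learning_period:
            decision = (True, "trusted: first observed during the learning period")
        elif now - seen < self.policy.block_window:
            remaining = self.policy.block_window - (now - seen)
            decision = (False, f"greywalled: first seen {now - seen} ago, {remaining} remaining")
        else:
            decision = (True, "greywall expired: continue with remaining policy checks")
        self.log.append((now, qname, decision[0], decision[1]))
        return decision
```

A denied result is where the resolver would serve the block page; an allowed result only hands the query on to the rest of the security policy.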