Computerworld

Project WINTERROSE: Government prepares to build out ‘protective DNS’ service

New DNS service will block known malicious domains

The Australian Cyber Security Centre (ACSC) is preparing to assess the feasibility of a managed DNS service that can be used by government organisations and critical infrastructure providers to block known malicious domains.

The new protective DNS service will draw on multiple threat feeds and be available to government agencies and potentially select industry partners.

At the moment there is no centrally managed “government-wide protective DNS capability,” states a document released by the ACSC. The centre has invited vendors to register their capacity to provide the service. The ACSC plans to shortlist respondents to be part of a limited tender process kicking off in late March.

The service could both help prevent infection from malware and stop infected devices from communicating with command-and-control servers. DNS requests to blocked domains would be redirected to a sinkhole service. Sinkholed requests would be logged and reported back to the ACSC.
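The mechanism described above, as an added illustration that is not code from the article or from the ACSC: a resolver policy that merges several threat feeds, answers queries for blocked domains (or their subdomains) with a sinkhole address, passes everything else upstream, and produces a log record per sinkholed query. The feed contents, the sinkhole address and the upstream resolver are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

SINKHOLE_IP = "192.0.2.1"  # constructed sinkhole address (RFC 5737 documentation range)

# Constructed threat feeds, keyed by feed name; real feeds would be loaded from files or APIs.
FEEDS: Dict[str, Set[str]] = {
    "open-source": {"bad-updates.example", "phish.example"},
    "commercial": {"c2.example"},
    "acsc": {"phish.example", "dropper.example"},
}


@dataclass
class Verdict:
    qname: str                      # normalised queried name
    answer: str                     # address returned to the client
    blocked: bool                   # True when the answer is the sinkhole
    matched_domain: Optional[str]   # blocklist entry that matched (may be a parent domain)
    feeds: List[str]                # feeds that listed the matched domain


def _normalise(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Phish.Example.' and 'phish.example' compare equal."""
    return name.rstrip(".").lower()


def merge_feeds(feeds: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {domain: sorted feed names}, so reports show which feeds agreed on a domain."""
    merged: Dict[str, List[str]] = {}
    for feed, domains in feeds.items():
        for d in domains:
            merged.setdefault(_normalise(d), []).append(feed)
    return {d: sorted(f) for d, f in merged.items()}


def resolve(qname: str, blocklist: Dict[str, List[str]],
            upstream: Callable[[str], str], sinkhole: str = SINKHOLE_IP) -> Verdict:
    """Check qname and each parent domain (down to the registrable level) against the blocklist."""
    name = _normalise(qname)
    labels = name.split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return Verdict(name, sinkhole, True, candidate, blocklist[candidate])
    return Verdict(name, upstream(name), False, None, [])


def sinkhole_log(verdict: Verdict, client: str) -> dict:
    """Record for a sinkholed query: the information a central service would report back."""
    return {"client": client, "qname": verdict.qname,
            "matched": verdict.matched_domain, "feeds": verdict.feeds}
```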

The service will draw on open source, commercial and ACSC-provided threat feeds. In February the centre indicated it was preparing to invest in a platform that would enable it to better monitor threat intelligence from local and global sources.

The Australian Signals Directorate, which oversees the ACSC, has identified the creation of a protective DNS capability as a strategic priority.

The ACSC is planning a three-month pilot that will involve 10 to 15 organisations. The pilot will help the centre assess “the feasibility, costs and benefits of upscaling these efforts to protect all levels of Australian government and key systems, including critical infrastructure.”

“The ACSC currently has limited visibility of the Government DNS environment and does not have a centralised, responsive method to identify and protect Government agencies from malware using DNS as part of the compromise vector,” the document states.

A second phase would see the service scaled “to all levels of Australian government and key systems, including critical infrastructure” and would include the launch of an Internet-facing self-service portal allowing users to sign up to the service.

In a major speech in August last year, the government’s then cyber security minister, Angus Taylor, said he planned to push for increased collaboration between the government and businesses, including telcos, cloud providers, data centre operators and software providers, to block known malicious domains.

“Between us we see much of the activity and many of the threats,” Taylor said. “It is my intention to develop this model within the government, as an exemplar, and then roll it out to our key partners.”

Taylor said he would work towards the creation of a “threat picture”, based on data from Defence, law enforcement, government agencies and the private sector.

In November a spokesperson for the Department of Home Affairs told Computerworld that the government’s “work in developing options to limit Australians’ exposure to malicious actors is ongoing.”