Malicious Domain Blocking and Reporting (MDBR) FAQ

MDBR is a web security solution that provides an additional layer of cybersecurity protection that is proven, effective, and easy to deploy.

It implements recursive DNS technology that prevents IT systems from connecting to harmful web domains, helping limit infections related to known malware, ransomware, phishing, and other cyber threats. This capability can block the vast majority of ransomware infections just by preventing the initial outreach to a ransomware delivery domain.

MDBR is available at no cost to U.S. State, Local, Tribal, and Territorial (SLTT) government members of the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). This service was designed in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Akamai.

MDBR+ is a new, cost-effective service that builds on the existing capabilities of MDBR. MDBR+ provides SLTT organizations with a cloud-based management portal through which security teams can access real-time reports, create custom configurations, and protect their off-network devices to augment their cybersecurity defenses.

Check out the feature comparison between MDBR and MDBR+ offerings on https://www.cisecurity.org/services/mdbrplus.

Akamai is our selected DNS vendor for the MDBR service. The cybersecurity company operates Enterprise Threat Protector (ETP), a carrier-grade recursive DNS service which is integrated into the MDBR service. ETP is built on the global Akamai Intelligent Edge Platform and is a quick-to-configure, easy-to-deploy Secure Web Gateway (SWG) that requires no hardware to be installed and maintained.

ETP has multiple layers of protection that leverage real-time Akamai Cloud Security Intelligence and multiple static and dynamic malware-detection engines to proactively identify and block targeted threats such as malware, ransomware, phishing, and DNS-based data exfiltration. Every requested domain is checked against Akamai’s real-time threat intelligence, and requests to identified malicious domains are automatically blocked.

This intelligence is built on data gathered 24/7 from the Akamai Intelligent Edge Platform, which manages up to 30% of global web traffic and delivers up to 2.2 trillion DNS queries daily. Akamai’s intelligence is enhanced with hundreds of external threat feeds, and the combined data set is continuously analyzed and curated using advanced behavioral analysis techniques, machine learning, and proprietary algorithms. As new threats are identified, they are immediately added to the Enterprise Threat Protector service, delivering real-time protection.

Visit www.akamai.com for more information.

MDBR is a cloud-based secure DNS solution specifically designed for U.S. SLTT organizations. It proactively blocks network traffic from an organization to known and suspected harmful web domains, helping protect IT systems against cybersecurity threats.

Once an organization points its domain name system (DNS) requests to Akamai’s DNS server IP addresses (primary and secondary), every DNS lookup will be compared against a list of known and suspected malicious domains. Attempts to access known malicious domains such as those associated with malware, phishing, and ransomware, among other threats, will be blocked and logged. Accepted and blocked DNS request logs will be stored for a period of 30 days.

CIS will provide weekly reporting to each participating entity related to both accepted and blocked requests and assist in remediation, if needed.

The MDBR service is offered at no cost to SLTT government members of the MS-ISAC and the EI-ISAC.

No, the two services are not co-dependent and can be run entirely independent of each other. However, when used in conjunction with Albert network monitoring sensors, the two services are very effective in preventing ransomware and other malicious attacks from being successful. The MDBR service is easy to implement and requires virtually no maintenance, as CIS and Akamai fully maintain the systems required to provide the service.

MDBR is similar to other services in that they all block malicious outbound DNS requests. The main differences come down to threat intelligence, logging of DNS look ups, reporting, and the ability to log into a customer portal.

While Quad9 offers no logging or reporting capability, most other commercial offerings include these capabilities with the paid version of their service. In most cases, vendors also have a no-cost option that does not offer logging or reporting capabilities. In the case of commercial offerings from Cisco, Akamai, and Cloudflare, customers also have the ability to log into a portal to generate reports and administer the service.

With MDBR, CIS provides weekly reporting related to the blocks that have occurred. Although the membership will receive reports from CIS, they will not have the ability to directly log into the Akamai portal or download logs directly from Akamai. These additional features will be available as a for-fee option through the CIS CyberMarket from Akamai.

The majority of the threat data in Akamai’s Cloud Security Intelligence comes from data collected on the Akamai platform. Akamai delivers and protects around a third of global web traffic, and it resolves two-thirds of the world’s DNS queries daily. This gives Akamai an unprecedented view of the threat landscape. They augment their data with a few third-party threat intelligence feeds and public information, such as WHOIS and domain registration details. All of this data is analyzed using proprietary algorithms that can quickly identify malicious domains contained in this large volume of data. Additionally, the Akamai threat research team further analyzes the data sets, as there are certain types of threats that an automated machine learning process will not easily detect.

The MS-ISAC Cyber Threat Intelligence (CTI) team also feeds MDBR with near real-time threat information. The CTI team in coordination with the MS-ISAC Security Operations Center (SOC) and Cyber Incident Response Team (CIRT) is able to see actual attack data against SLTTs and quickly incorporate those Indicators of Compromise (IoC) with the MDBR platform to protect all SLTTs that take advantage of this service.

Integrating the MDBR service into your environment is very straightforward and should only take a few minutes to complete. The only requirement to integrate the service is to configure your organization’s local forwarders to send DNS inquiries to Akamai’s primary and secondary recursive DNS servers.

For any post-approval changes to your MDBR account, please submit your changes to the following email address:

• For technical changes, IP address range, etc. – [email protected]
• For address or personnel changes (phone numbers, emails, etc.) – [email protected]

Please reach out to [email protected] with any additional questions about the service.

Please reach out to [email protected] for technical questions.

If you are an SLTT government entity and also a member of either the MS-ISAC or the EI-ISAC, you can sign up here.

Click here for more information on how to join the MS-ISAC or the EI-ISAC.

The link to complete your registration process will expire in 24 hours. If your onboarding form is not completed before this time period expires, you will have to restart the registration process.

The link for your organization’s primary contact to review and approve your registration will expire in 72 hours. If your onboarding form and the MDBR Terms and Conditions are not approved before this time period expires, you will have to restart the registration process.

During the registration process, we ask if your organization provides DNS resolution services to other organizations in order to help us better understand how widely the MDBR service is being utilized. If your organization provides DNS resolution to other organizations, those other organizations would also receive the malicious domain blocking benefits of MDBR without having to sign up for the service directly. Please note that if you indicate you provide DNS resolution services to other organizations, we will reach out to you directly to request a list of those organizations in order to accurately update our records so that we can track them as sub-entities.

The Terms and Conditions for our MDBR service are available at https://www.cisecurity.org/terms-and-conditions-table-of-contents/mdbr-terms/.

This error means that the IP or CIDR information provided is likely not in the proper format. Please confirm that the IP or CIDR block is properly formatted and resubmit the form.

CIS will provide weekly reporting to each participating entity that includes information related to both blocked and accepted requests and assist in remediation, if needed.

In some cases, organizations that have network perimeter security devices, such as firewalls and web proxies, have been found to make outbound DNS requests for malicious domains that do not originate from compromised systems. This occurs due to these devices proactively making DNS requests related to malicious domains on the device’s block list. This activity has the ability to create false positives within the MDBR service.

If your perimeter devices have the capability to proactively update malicious block lists, it is recommended that DNS requests originating from those particular devices be directed to another DNS provider and not be sent to Akamai.

Please reach out to [email protected] for more information or if you have any questions.

DoH is not currently supported by Akamai, but it is something they plan to support in the future. We will keep the membership updated with new information on DoH support as we receive it.

The timestamp for the DNS request, the location it comes from (including the NAT IP address of the internet connection), the category and classification of the event, and the domain requested is the only data logged. MDBR does not provide a mechanism for determining which specific machine on a network generated a malicious request. As such, MDBR will not identify specific users as a standalone solution.

Are only malicious requests or all requests logged?

• The total number of DNS requests is tracked; however, the details described above are logged only for malicious requests.

Who has access to the logging information?

• Members of the CIS staff with Akamai portal access and Akamai technical staff have access to the reporting features.

How long are logs kept?

• Logs are retained in the Akamai platform for 30 days. CIS has access to download data from Akamai.

Where can I find more information on logged data?

• Detailed information regarding data privacy at Akamai can be found at https://www.akamai.com/us/en/about/compliance/data-protection-at-akamai.jsp.

Real-time log forwarding is not currently available through the MDBR service. At this time, the CIS SOC sends members a weekly report of the malicious blocks that occurred. The report will provide a high-level overview and include information on types of malicious activity associated with the blocked domains, confidence level of the blocks, severity, etc.

Access to the Akamai portal, Akamai Security Connector (virtual machine), and ETP software agent can all be purchased through the CIS CyberMarket. These upgraded package offerings from Akamai would allow your organization to identify the true source address of the system making a malicious domain request versus just your organization’s public IP address, among other more advanced features. CIS has negotiated discounted pricing for Akamai’s upgraded package offerings for all MS- and EI-ISAC members through CIS CyberMarket. For more information, please visit their CIS CyberMarket page here.

For instructions on how to set up your organization’s local forwarders as well as a link for Akamai’s Enterprise Threat Protector Help website for other troubleshooting, you can view the MDBR set up instructions here.

You can use the following URLs to test that your organization’s local forwarders have been configured correctly and Akamai Enterprise Threat Protector is successfully blocking malicious domain requests.

• CnC: akamaietpcnctest.com
• Phishing: akamaietpphishingtest.com
• Malware: akamaietpmalwaretest.com

If your local forwarders are configured properly, you will see the following pre-configured block page:

If your local forwarders are not configured correctly and DNS requests are not being sent to Akamai, you will see the following page:

No, the block page is pre-configured and is not able to be customized by organizations using MDBR.

Please report any false positives you identify to [email protected]. Our SOC will either handle the issue directly or escalate the issue to Akamai for assistance, if needed.

An internal DNS server is not required. You may configure the DNS settings on each individual machine (DHCP would be the easiest way) or change the DNS settings on your router. If your environment is very small, you may be doing DHCP on your router and could alter both settings on that device. CIS would need to know your organization’s public IP or public CIDR netblock.

Remote users can still utilize the MDBR service. However, since they are not at a “known” location, their requests would not report to a specific member organization’s account. When those users make a malicious domain request, the “Unidentified Location” policy would be applied. The user will be protected from malicious content, but the blocked domain lookups will not be correlated to their member organization’s account for reporting purposes.

For this situation, your organization would need to set up a dynamic DNS service and then provide that information to [email protected] to set up your account with Akamai.

Your organization would have to discontinue its existing secure DNS service to utilize the MDBR service, as your DNS requests would be directed to Akamai’s primary and secondary IPs instead of the other secure DNS service.

At this time, it is not possible to implement MDBR in monitoring-only mode.