ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

SPIKE: NCSC Active Cyber Defence - pDNS service #6121

Closed SimonPPledger closed 3 weeks ago

SimonPPledger commented 6 months ago

User Story

As a team we need to ensure that the environment is secure. As part of this we want to implement some NCSC checking. One of the items that has been suggested is to make use of pDNS. However we don't really know what this means, what impact it will have on the modernisation platform and applications that use it, what the advantages and disadvantages are.

This ticket is to investigate this and to draw up options.

Value / Purpose

This work will enable us to get alerts from NCSC

Useful Contacts

Worth checking with the PandA security team - Steve Merrills and/or Todor Christov

Additional Information

Mark has already put together this document https://docs.google.com/document/d/1XijS36bkb0rN3FchQyZzQf0MBQQmFzKb8os2RSH3p_c/edit

David S has already suggested this https://mojdt.slack.com/archives/C013RM6MFFW/p1717663503175999 (it might simply be that we cannot do pDNS)

here is NCSC's documentation https://www.ncsc.gov.uk/information/pdns

Proposal / Unknowns

No response

Definition of Done

davidkelliott commented 6 months ago

Was this not done here? What was the outcome of this issue? https://github.com/ministryofjustice/modernisation-platform/issues/5149

github-actions[bot] commented 3 months ago

This issue is stale because it has been open 90 days with no activity.

SimonPPledger commented 2 months ago

This is to implement pDNS for modplatform owned DNS - including a process for checking

richgreen-moj commented 3 weeks ago

After a chat at planning we decided to:

  1. Talk to Tony to see whether we still can't implement this and understand the reason
  2. If so, add an update to the ADR to explain the situation

dms1981 commented 3 weeks ago

I've reached out to the Operations Engineering team / @AntonyBishop to see if they have any outcomes we can refer to but this doesn't look like a good fit for us as a platform (although it does look like a worthwhile implementation for a different on-premise / enterprise infrastructure).

To implement this we would need to set up route53 resolver rules and endpoints to forward DNS requests through our infrastructure and out of our egress VPCs which feels like a replication of a solution meant for on-premise, rather than a cloud-native architecture pattern.

We would also need to consider the impact on implementing this not as a whole org (MOJ) but just a small subset of it. Is such a subscription / implementation possible?

If we have real concerns about customers inadvertently contacting malware domains then AWS offer a broadly similar solution - AWS Route53 Firewall - which can be implemented at an AWS Organization level and applied consistently across accounts & VPCs.

|  | PDNS | Route53 Resolver DNS Firewall |
| --- | --- | --- |
| Price | Free to implement[^1] | $0.60 per million queries[^2] |
| Sources | "The rules are created based on knowledge of malicious domains we obtain from commercial, internal and open sources." | "The AWS Managed Domain Lists source their data from both internal AWS sources as well as RecordedFuture, and are continually updated." |
| Complexity | High[^3] | Low |

[^1]: We'd still incur costs to send DNS traffic through our cloud infrastructure and out to the internet.

[^3]: Implementing PDNS would involve more moving parts and points of contact, as well as not being entirely manageable through infrastructure-as-code.
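The comment above contrasts forwarding DNS out through Route 53 Resolver endpoints and rules (the pDNS route) with Route 53 Resolver DNS Firewall applied to the VPCs. The block below is an added Terraform example, not code from the issue or from the modernisation-platform repository, of the DNS Firewall option in its smallest useful form: one rule group with an allow rule for internal names evaluated first, a block rule backed by an AWS managed malware domain list, the association to a VPC, and Resolver query logging so blocked lookups are visible (query-log records carry the firewall action and the matching domain list ID, which is what a checking process would alert on). The region, VPC ID, managed-list ID, log-group name and the `*.justice.gov.uk` allow entry are assumptions; the managed list ID in particular is region-specific and has to be looked up, which is why it is a variable rather than a literal.

```hcl
# Added example (not from the issue or the modernisation-platform repo):
# Route 53 Resolver DNS Firewall with an AWS managed malware list, plus
# query logging. Region, VPC ID, list ID and names are assumed values.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = var.region
}

variable "region" { default = "eu-west-2" } # assumed
variable "vpc_id" { type = string }          # assumed: VPC to protect

# Managed domain lists are region-specific resources with their own IDs;
# look the ID up rather than hard-coding it, e.g.
#   aws route53resolver list-firewall-domain-lists \
#     --query "FirewallDomainLists[?Name=='AWSManagedDomainsMalwareDomainList'].Id"
variable "managed_malware_list_id" { type = string }

# Customer-managed allow list so internal names can never be caught by a
# managed block list. The domain pattern is an assumed value.
resource "aws_route53_resolver_firewall_domain_list" "allow" {
  name    = "platform-allow"
  domains = ["*.justice.gov.uk"]
}

resource "aws_route53_resolver_firewall_rule_group" "this" {
  name = "platform-dns-firewall"
}

# Rules in a group are evaluated in ascending priority: allow runs first.
resource "aws_route53_resolver_firewall_rule" "allow_internal" {
  name                    = "allow-internal"
  action                  = "ALLOW"
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.allow.id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.this.id
  priority                = 100
}

# Block known-malware domains with NXDOMAIN so clients fail closed.
resource "aws_route53_resolver_firewall_rule" "block_malware" {
  name                    = "block-aws-managed-malware"
  action                  = "BLOCK"
  block_response          = "NXDOMAIN"
  firewall_domain_list_id = var.managed_malware_list_id
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.this.id
  priority                = 200
}

# Per-VPC association. Mutation protection stops the association being
# removed or changed by accident; an organisation-wide roll-out would use
# an AWS Firewall Manager DNS Firewall policy instead of per-VPC resources.
resource "aws_route53_resolver_firewall_rule_group_association" "this" {
  name                   = "platform-dns-firewall"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.this.id
  mutation_protection    = "ENABLED"
  priority               = 101
  vpc_id                 = var.vpc_id
}

# Query logging: every Resolver query for the VPC, including the firewall
# action and matched domain list, lands here for alerting and forensics.
resource "aws_cloudwatch_log_group" "dns_queries" {
  name              = "/dns/resolver-queries" # assumed name
  retention_in_days = 90
}

resource "aws_route53_resolver_query_log_config" "this" {
  name            = "platform-dns-queries"
  destination_arn = aws_cloudwatch_log_group.dns_queries.arn
}

resource "aws_route53_resolver_query_log_config_association" "this" {
  resolver_query_log_config_id = aws_route53_resolver_query_log_config.this.id
  resource_id                  = var.vpc_id
}
```

The pDNS path described in the comment would replace the firewall resources with an outbound `aws_route53_resolver_endpoint` in the egress VPC and a FORWARD `aws_route53_resolver_rule` for `.` pointing at the pDNS resolvers, shared to member accounts; that adds endpoint ENIs, cross-VPC routing and an external dependency to every lookup, which is the "moving parts" cost the table above refers to. With the DNS Firewall approach, a blocked lookup appears in the query log with `firewall_rule_action` set to `BLOCK`, which is a straightforward metric filter or alarm to build the checking process on.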