The Domain Name System (DNS) protocol is like a phonebook for the internet, helping to translate between domain names (human language) and IP addresses (machine language). Unfortunately, DNS has also become a favored attack vector for cybercriminals.
Monitoring your DNS traffic can expose post-compromise activity in real time, helping to avoid breaches and maintaining the credibility of your servers. Improving your security with traffic monitoring increases safety for users, as well as the integrity of your websites and services—but not all DNS traffic monitoring approaches are created equal.
Malware users will attempt to exploit any service or protocol, and DNS offers a hidden avenue for data extraction and malware updates. Disposable or compromised domain names are used in spam campaigns, botnet management, host phishing, and malware downloads. Malicious queries are poisoned to disrupt name resolution processes and exploit name servers. Inventive responses are often crafted to infect resolver caches and magnify denial of service (DoS) attacks. DNS tunneling attacks can provide a covert command and control (C2) channel—and a data exfiltration path.
What Are You Looking For?
If you know what to watch out for, DNS queries can clue you in to suspicious activity. Query composition and traffic patterns can indicate DoS attacks, name server or resolver exploitation, incorrectly operating devices, infected hosts, malicious data delivery, response poisoning, or botnet control within your network.
Distributed Denial of Service (DDoS) Attack
Queries from addresses that you have not authorized for use and are not egress filtering are possible indications of DDoS attacks, especially when they coincide with high DNS query volume or queries that use transmission control protocol (TCP) instead of user datagram protocol (UDP). Queries from spoofed addresses may also indicate DDoS.
Name Server or Resolver Attack
Malformed DNS queries can be caused by several actions, including exploitations of vulnerabilities in the name server or resolver identified by the destination IP address. These queries could also be indications of a device on the network that isn't operating correctly or an unsuccessful attempt to remove malware.
Queries sent to unauthorized resolvers are strong indicators of an infected host in your network. You might also see queries requesting resolution of known malicious domain names or names with common characteristics of domain generation algorithms (DGAs) that are already associated with malware activity.
Malicious Data Delivery
Unusually large response messages are often seen in amplification attacks that target a small number or low level of resources. Abnormal responses in the Answer or Additional sections might be caused by attempts at cache poisoning or covert channels. Monitoring the length and composition characteristics of your DNS responses can keep you apprised of malicious intent.
DNS Response Modification
If you're seeing DNS responses for your own domains that are resolving to unfamiliar IP addresses or responses from name servers that you didn't authorize to host, external actors might have modified the responses. Those responses could also indicate a hijacking of your registration account. Another indication of response modification or hijacking would be positive responses that should be resolving to NXDOMAIN.
Responses from IP addresses assigned to a broadband access network or other suspicious IP addresses can be a sign of botnet control within your network. Botnets can also cause DNS traffic to appear on nonstandard ports. Botnets might also cause a high number of NXDOMAIN responses or responses that resolve domains with short time to live (TTL).
DNS Poses Challenges for Traditional Monitoring
Traditional detection and prevention tools are ill-equipped to defend against this type of covert post-compromise activity—that's one reason why DNS is such a popular attack method.
DNS logging has numerous pitfalls and complications. For one, it doesn't scale very well. DNS logs are voluminous. A single DNS query can generate more than 10 events on a Windows host. The compute and storage requirements with that are simply untenable.
Even if you have some DNS logging enabled, the data set isn't always reliable. If your DNS is hosted by a third party, you can enable logging but finding the source of the query is extremely difficult. The data DNS servers log and the format of those logs can also vary widely from server to server, making them hard to correlate and analyze.
The firewall is often the primary network security device for monitoring and permitting or blocking traffic and data; however, DNS traffic is generally allowed to pass through perimeter defenses––such as firewalls––that typically block inbound and outbound malicious traffic. Of course, it's possible to define a rule that denies any DNS queries from IP addresses outside your allocated numbers space, but advanced DNS tunneling and other methods like DNS *water torture*––an attack method that sends waves of non-existent subdomains to keep the DNS resolver continually working outside of the cache to exhaust its resources––can easily evade these defenses.
Intrusion Detection Systems (IDS)
Traditional IDS relies on signatures to detect malicious activity, meaning that these tools cannot dynamically detect unusual behavior against normal patterns. This makes DNS-based C2 an attractive exfiltration tactic for pivoting attackers that wish to evade IDS detection. Attackers leverage DGA and data fragmentation to avoid detection from rigid IDS signatures that include explicit IPs, domain names, or payload size limits.
Using Network Traffic to Detect Malicious DNS Activity
A network detection and response (NDR) solution is uniquely suited to detect malicious DNS activity. Unlike signature-based detections––which must be configured to identify threats––NDR uses machine learning to analyze network traffic to establish a baseline to help understand what normal vs. suspicious DNS behavior looks like in any given environment. It then detects anomalous behavior that could signify an attack. Baselines are established for things like the number of requests made, geographic locations, domain history, and entropy of the query structures. Deviations can then be used to quickly identify post-compromise activity.
Take DNS tunneling for example. While DNS traffic is notoriously noisy, with behavioral baselines and machine learning analysis, it's possible to separate noisy DNS traffic from noisy DNS tunnel traffic that's compromising your environment. The noise from a compromised device might include continuous queries to beacon a C&C server, or a sudden increase in volume of queries typically associated with data exfiltration.
The machine learning and behavioral detections used by NDR to detect indicators of compromise can also be extended to the edge for higher-fidelity DNS-based intrusion detection.
DNS attacks and DNS misuse are common for a reason. They're good at evading legacy security tools and operating covertly on the network. While there is no silver bullet for defending against them, looking at patterns of DNS behavior on the network can reveal post-compromise activity before it can result in a data breach.