5 Best Ways To Monitor DNS Traffic For Security Threats

Jan 30, 2018 | 5:05 pm

Published by | Vikrant Singh

DNS (Domain Name System) is responsible for name resolution, i.e. a domain name such as cyberops.in is resolved to its particular IP address x.x.x.x. Nowadays, however, DNS attacks are common in which a domain name is resolved to the address of a malicious or phishing page instead; this is known as DNS spoofing. Let us see how you can monitor DNS traffic using security systems and name resolvers to stay safe from such attacks.

1. Firewalls
A firewall is the most prevalent security system. Firewalls let you define rules to prevent IP spoofing, and hence spoofed resolution. You need to include a rule that denies DNS queries from IP addresses outside your allocated number space, to prevent your name resolver from being exploited as an open reflector in DDoS attacks. You also need to inspect DNS traffic on a regular basis for suspicious byte patterns or anomalous DNS traffic, to block attacks that exploit name server software. Documentation describing how popular firewalls provide this feature is readily available. Some of the best-known firewall providers are Palo Alto Networks, Cisco Systems and WatchGuard.

2. Traffic analyzers
Network sniffers like Wireshark and Bro show that passive traffic analysis can be useful in identifying malware traffic. All you need to do is capture and filter the DNS traffic between the clients and your resolver, and save it to a PCAP file. You can write your own scripts to search the PCAP file for the specific suspicious activities you are investigating, or you can use the very helpful tool PacketQ (originally DNS2DB) to run SQL queries against the PCAP file directly.

3. Intrusion detection systems
If you are using tools like Snort, Suricata or OSSEC, you can compose your own rules to report DNS requests from unauthorized clients. You can also compose rules to count or report NXDOMAIN responses, responses containing resource records with short TTLs, DNS queries made over TCP, DNS queries to non-standard ports, suspiciously large DNS responses, and so on. Any value in any field of a DNS query or response message is basically "in play". Intrusion prevention services in firewalls let you define permit/deny rules for many of the most common of these checks.
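The following is an added example, not code from the original article or from any of the tools it names, tying sections 1 to 3 together: a pure standard-library PCAP reader and DNS message parser (the kind of script section 2 suggests writing against a saved capture), followed by the checks sections 1 and 3 describe, namely queries from outside the allocated address space, queries to a non-standard port, NXDOMAIN responses, short TTLs and oversized responses. The capture it scans is constructed inline from sample packets (documentation addresses, made-up hostnames); the allowed network, resolver address and thresholds are assumptions.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps

def read_name(msg, off):
    """Decode a DNS name at `off`, following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where we left off, then jump
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_dns(msg):
    """Parse the header, question section and answer TTLs of one DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))  # (qname, qtype)
        off += 4  # qtype + qclass
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        answers.append((name, rtype, ttl))
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers, "size": len(msg)}

def iter_udp(pcap):
    """Yield (src, sport, dst, dport, payload) for every Ethernet/IPv4/UDP record in a pcap."""
    assert struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC, "only little-endian microsecond pcap is handled"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:  # EtherType != IPv4 or protocol != UDP
            continue
        ip = frame[14:]
        udp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        yield str(ipaddress.IPv4Address(ip[12:16])), sport, str(ipaddress.IPv4Address(ip[16:20])), dport, udp[8:ulen]

def scan(pcap, allowed_nets, resolver_ip, min_ttl=60, max_response=512):
    """IDS-style checks over every DNS message; the thresholds are illustrative assumptions."""
    nets, alerts = [ipaddress.ip_network(n) for n in allowed_nets], []
    for src, sport, dst, dport, payload in iter_udp(pcap):
        if 53 not in (sport, dport) and resolver_ip not in (src, dst):
            continue
        dns = parse_dns(payload)
        qname = dns["questions"][0][0] if dns["questions"] else ""
        if not dns["response"]:  # a query towards the resolver
            if dport != 53:
                alerts.append(("non-standard-port", src, qname))
            if not any(ipaddress.ip_address(src) in n for n in nets):  # the section 1 firewall rule, as a check
                alerts.append(("unauthorized-client", src, qname))
        else:  # a response back to the client
            if dns["rcode"] == 3:
                alerts.append(("nxdomain", dst, qname))
            if dns["size"] > max_response:
                alerts.append(("large-response", dst, qname))
            if any(ttl < min_ttl for _n, _t, ttl in dns["answers"]):
                alerts.append(("short-ttl", dst, qname))
    return alerts

def build_query(txid, name, qtype=1):  # the helpers below construct sample traffic; none of it is a real capture
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)
def build_response(query, rcode=0, answers=()):
    """Answer `query`; each answer is (ttl, 4-byte rdata) for an A record on the question name."""
    hdr = struct.pack("!6H", struct.unpack("!H", query[:2])[0], 0x8180 | rcode, 1, len(answers), 0, 0)
    body = query[12:]
    for ttl, rdata in answers:
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata  # 0xC00C = pointer to offset 12
    return hdr + body
def build_pcap(packets):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for src, sport, dst, dport, payload in packets:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
def sample_capture():
    q1, q2, q3 = build_query(1, "cyberops.in"), build_query(2, "zzz-unknown.example"), build_query(3, "update.example")
    return build_pcap([
        ("192.0.2.10", 40001, "192.0.2.1", 53, q1),
        ("192.0.2.1", 53, "192.0.2.10", 40001, build_response(q1, answers=[(3600, bytes([192, 0, 2, 80]))])),
        ("192.0.2.11", 40002, "192.0.2.1", 53, q2),
        ("192.0.2.1", 53, "192.0.2.11", 40002, build_response(q2, rcode=3)),
        ("198.51.100.7", 40003, "192.0.2.1", 5353, q3),  # outside 192.0.2.0/24 and not on port 53
        ("192.0.2.1", 5353, "198.51.100.7", 40003, build_response(q3, answers=[(5, bytes([203, 0, 113, 9]))])),
    ])
```

Running `scan(sample_capture(), ["192.0.2.0/24"], "192.0.2.1")` on the constructed capture yields four alerts: an NXDOMAIN for the made-up name, a non-standard-port and an unauthorized-client alert for the query from 198.51.100.7, and a short-TTL alert for its answer. The same `iter_udp` and `parse_dns` functions work unchanged on a real capture saved from Wireshark or tcpdump in classic pcap format, which is where the section 2 workflow would apply them.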

4. Passive DNS replication
Here we can use sensors at resolvers to create a database that contains every DNS transaction (query/response) through a given resolver or set of resolvers. Including passive DNS data in your analysis can be instrumental in identifying malware domains, especially in cases where the malware uses algorithmically generated domain names (DGAs). Palo Alto Networks firewalls and security management systems that use Suricata as an IDS engine (like AlienVault USM or OSSIM) are examples of security systems that pair passive DNS with IPS to block known malicious domains.
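As an added example (not code from the article, nor from Palo Alto Networks, AlienVault or OSSIM), the block below builds the kind of passive DNS store a resolver-side sensor feeds, one row per distinct (qname, type, rdata) triple with first seen, last seen and a count, and then uses it the way the paragraph describes: scoring registered labels with simple DGA heuristics (length, character entropy, digit share) and pivoting on the resolved address to find sibling names. The sensor records are constructed, the `.example` names are placeholders, and the thresholds are assumptions rather than published values.

```python
import math
from collections import defaultdict

class PassiveDNS:
    """Passive DNS store fed by a sensor at the resolver: one row per distinct
    (qname, rtype, rdata) triple with first seen, last seen and a hit count."""
    def __init__(self):
        self.rows = {}
        self.by_rdata = defaultdict(set)  # rdata -> names that resolved to it

    def ingest(self, ts, qname, rtype, rdata):
        key = (qname.lower().rstrip("."), rtype, rdata)
        row = self.rows.get(key)
        if row is None:
            self.rows[key] = {"first_seen": ts, "last_seen": ts, "count": 1}
            self.by_rdata[rdata].add(key[0])
        else:
            row["first_seen"] = min(row["first_seen"], ts)
            row["last_seen"] = max(row["last_seen"], ts)
            row["count"] += 1

    def domains_for(self, rdata):
        """Every name ever seen resolving to `rdata` (the pivot from one address)."""
        return sorted(self.by_rdata.get(rdata, ()))

    def resolutions(self, qname):
        q = qname.lower().rstrip(".")
        return [(k[1], k[2], v) for k, v in self.rows.items() if k[0] == q]

def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_label(name):
    """Label left of the TLD (naive: ignores multi-label public suffixes such as co.uk)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_features(name):
    label = registered_label(name)
    digit_share = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    return {"label": label, "length": len(label), "entropy": round(shannon_entropy(label), 3),
            "digit_share": round(digit_share, 3)}

def looks_generated(name, min_len=10, min_entropy=3.5, min_digit_share=0.3):
    """Heuristic: long labels that are high-entropy or digit-heavy (thresholds are assumptions)."""
    f = dga_features(name)
    return f["length"] >= min_len and (f["entropy"] >= min_entropy or f["digit_share"] >= min_digit_share)

def suspicious_domains(pdns):
    """Generated-looking names in the store, with how many names share each resolved address."""
    found = {(q, rdata, len(pdns.domains_for(rdata))) for q, _t, rdata in pdns.rows if looks_generated(q)}
    return sorted(found)

SAMPLE_FEED = [  # constructed sensor output (timestamp, qname, rtype, rdata); not real observations
    (1517331900, "cyberops.in", "A", "192.0.2.80"),
    (1517331960, "cyberops.in", "A", "192.0.2.80"),
    (1517332020, "www.cyberops.in", "A", "192.0.2.80"),
    (1517332080, "xk3jq9vbz2rtyq.example", "A", "203.0.113.9"),
    (1517332140, "p7wq2zk4mvxhtb.example", "A", "203.0.113.9"),
    (1517332200, "update.example", "A", "203.0.113.9"),
]

def build_store(feed=SAMPLE_FEED):
    pdns = PassiveDNS()
    for record in feed:
        pdns.ingest(*record)
    return pdns

if __name__ == "__main__":
    store = build_store()
    print(suspicious_domains(store))
    print(store.domains_for("203.0.113.9"))
```

The entropy heuristic alone produces false positives on legitimate CDN and cloud hostnames, which is why the pivot matters: two generated-looking names that share one address, and a third plain name on the same address, is a much stronger signal than any single name, and it is the sort of join that only a stored history of transactions can answer.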

5. Logging at your resolver
The final way is to use the logs of your local resolvers, which are the most obvious data source for investigating DNS traffic. All you need to do is enable logging; you can then use tools like Splunk or OSSEC to collect the DNS server logs and investigate any malicious domains.
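Before the logs go to Splunk or OSSEC it helps to know what is in them. The block below is an added example (not from the article) that parses query-log lines in the shape BIND 9 writes for its "queries" category, counts queries per client and per name, and flags clients that queried anything on a blocklist. The log lines are constructed to match that format, and `update.example` is a placeholder standing in for a domain you would have classified as malicious, not a real indicator.

```python
import re
from collections import Counter, defaultdict

# Matches BIND 9 "queries" category lines.  The "@0x..." client pointer is optional because
# older versions do not print it; "flags" absorbs "+", "+E(0)K" and similar variants.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[0-9.]+)\)$"
)

SAMPLE_LOG = """\
30-Jan-2018 17:05:01.101 client 192.0.2.10#40001 (cyberops.in): query: cyberops.in IN A + (192.0.2.1)
30-Jan-2018 17:05:01.240 client 192.0.2.10#40002 (www.cyberops.in): query: www.cyberops.in IN AAAA + (192.0.2.1)
30-Jan-2018 17:05:02.015 client @0x7f3c1c0a5e10 192.0.2.11#40003 (update.example): query: update.example IN A +E(0)K (192.0.2.1)
30-Jan-2018 17:05:02.300 client 192.0.2.11#40004 (xk3jq9vbz2rtyq.example): query: xk3jq9vbz2rtyq.example IN A + (192.0.2.1)
30-Jan-2018 17:05:02.301 this line is not a query log entry
30-Jan-2018 17:05:03.120 client 192.0.2.11#40005 (cdn.update.example): query: cdn.update.example IN A + (192.0.2.1)
"""  # constructed lines in BIND 9 query-log format; not a real log

def parse_query_log(text):
    """Return (events, skipped): one dict per parsed query line, plus the count of lines that did not match."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            skipped += 1  # keep counting these: a sudden rise usually means the log format changed
            continue
        event = m.groupdict()
        event["port"] = int(event["port"])
        event["name"] = event["name"].lower().rstrip(".")
        events.append(event)
    return events, skipped

def matches_blocklist(name, blocklist):
    """True if `name` equals or is a subdomain of any blocklisted domain."""
    return any(name == b or name.endswith("." + b) for b in blocklist)

def summarize(events, blocklist):
    per_client = Counter(e["ip"] for e in events)
    per_name = Counter(e["name"] for e in events)
    hits = defaultdict(list)  # client -> [(timestamp, blocklisted name)]
    for e in events:
        if matches_blocklist(e["name"], blocklist):
            hits[e["ip"]].append((e["ts"], e["name"]))
    return {"per_client": per_client, "per_name": per_name, "blocklist_hits": dict(hits)}

def report(text=SAMPLE_LOG, blocklist=("update.example",)):
    events, skipped = parse_query_log(text)
    summary = summarize(events, blocklist)
    summary["skipped"] = skipped
    return summary

if __name__ == "__main__":
    for client, hits in report()["blocklist_hits"].items():
        print(client, hits)
```

On the sample, 192.0.2.11 is the only client with blocklist hits (the placeholder domain and one of its subdomains), which is the pivot an analyst starts from: which host asked, when, and what else it asked for in the same window.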
