Indicators of Compromise in DNS Logs

September 27, 2017 No Comments

Featured article by Teri Radichel, Director of Security Strategy & Research, WatchGuard Technologies

Do you monitor your DNS logs? If not, you may be missing important clues about cyber attacks on your network. I recently attended SANS Network Security 2017 and watched a presentation by Seth Misenar on what he calls “actionable detects” in DNS logs. Security teams can use these indicators to prevent and detect security problems.

DNS is one of those network services that IT teams tend to set up and forget about unless it’s broken, according to Misenar. Attackers like DNS because it is a service at the edge of the network that allows outbound access from internal, protected hosts. Although you prevent direct access to protected hosts inside your network, DNS offers a conduit between the internal protected network and external untrusted networks.

Most services and hosts on a network need the ability to resolve domain names to an IP address. If an attacker can breach a DNS server, they may have access to a network that is open between it and all other hosts on the network. Additionally, malware on an infected machine inside the network may be able to leverage the DNS server to reach the Internet. According to Misenar, some of the ways an attack may use DNS traffic include command and control, tunneling and data exfiltration.

So how can network administrators and security professionals use the information in DNS server logs to spot a security problem? As with most security solutions, it comes down to limiting access and monitoring. Here are a few specific ways you can identify potential security problems using data from your DNS server:

1. Known Bad or Suspicious TLDs

A top-level domain is the extension at the end of a domain name such as .com, .net, .info or .biz. Over 1,000 TLDs exist in the list of top-level domains maintained by the Internet Assigned Numbers Authority (IANA). Does your business need to interact with all these TLDs? After doing some research, Misenar concluded that some of these TLDs host nothing but malicious sites. It may be beneficial to simply block known bad TLDs, but at a minimum, businesses can watch for strange TLDs and send an alert to check that requests to those TLDs were valid and not the result of malware on the network.

2. Domain Names Less Than 24 Hours Old

If a domain name has existed less than 24 hours, chances are it is malicious. Attackers use domain generation algorithms to produce new domain names and bring them online quickly. Often domains hosting malicious content are blocked or revoked, in which case the attackers will create new domain names to facilitate their activity. Perhaps completely blocking access to new domain names is the best policy, and on the off chance you do need a new domain, whitelist it.

3. NXDOMAIN

An NXDOMAIN response from a DNS server indicates that the domain name server could not resolve the IP address for that domain. This type of message could be the result of someone mis-typing a domain, but it could also be the result of a malicious domain that no longer exists. If a system on your network is trying to make requests and getting NXDOMAIN responses, it might be worthwhile to investigate the traffic and make sure malware has not compromised the host.

4. Know Your Normal

Most importantly, know what is normal for your business and watch for things out of the ordinary. For example, if you typically don’t make requests to businesses in other countries and you notice this is happening frequently, investigate. If DNS requests and responses suddenly change in frequency and size, make sure these requests are legitimate. Each business is different. The traffic patterns that are abnormal for one business may be normal for another.

These are just a few ways IT and security teams can use DNS logs to find indicators of compromise (IOCs) that point to a security problem. DNS is an often overlooked and underestimated attack vector on the network. By limiting access to unnecessary DNS destinations and monitoring DNS logs for suspicious activity, you may be able to prevent or detect security problems on your networks.