IT admins have the thankless task of having to watchdog devices, hosts, and networks for signs of malicious activity. Host intrusion detection and endpoint protection may be “must have” security measures for many organizations, but there’s nothing like monitoring DNS traffic if you’re looking to expose a RAT, rootkit, APT, or other malware that’s taken residence on your networks.
Criminals will exploit any Internet service or protocol when given the opportunity, and this includes the DNS. They register disposable domain names for spam campaigns and botnet administration, and they use compromised domains to host phishing or malware downloads. They inject malicious queries to exploit name servers or disrupt name resolution. They inject crafty responses to poison resolver caches or amplify denial of service attacks. They even use DNS as a covert channel for data exfiltration or malware updates.
You may not be able to keep pace with every new DNS exploitation but you can be proactive by using firewalls, network IDS, or name resolvers to report certain indicators of suspicious DNS activity.
What are you looking for?
DNS query composition or traffic patterns offer signs that suspicious or malicious activity is emanating from your networks. For example:
DNS queries from spoofed source addresses or addresses that you have not authorized for use but are not egress filtering especially when observed in conjunction with unusually high DNS query volume or DNS queries that use TCP rather than UDP) may indicate that infected hosts on your network are engaged in a DDoS attack.
Malformed DNS queries may be symptomatic of a vulnerability exploitation attack against the name server or resolver identified by the destination IP address. They may also indicate that you have incorrectly operating devices on your network. The causes for problems of these kinds may be malware or unsuccessful attempts to remove malware.
DNS queries that request name resolution of known malicious domains or names with characteristics common to domain generation algorithms (DGA) associated with criminal botnets and queries to resolvers that you did not authorize for use in many cases are dead giveaway indicators of infected hosts on your networks.
DNS responses also offer signs that suspicious or malicious data are being delivered to hosts on your networks. For example,length or composition characteristics of DNS responses can reveal malicious or criminal intent. For example, the response messages are abnormally large (amplification attack) or the Answer or Additional Sections of the response message are suspicious (cache poisoning, covert channel).
DNS responses for your own portfolio of domains that are resolving to IP addresses that are different from what you published in your authoritative zones, responses from name servers that you did not authorize to host your zone, and positive responses to names in your zones that should resolve to name error (NXDOMAIN) may indicate a domain name or registration account hijacking or DNS response modification.
DNS responses from suspicious IP addresses, e.g., addresses from IP blocks allocated to broadband access network, DNS traffic appearing on non standard port, unusually high number of response messages that resolve domains with short Times to Live (TTL) or unusually high number of responses containing "name error" (NXDOMAIN) are often indicators of botnet-controlled, infected hosts running malware.
Various forms of DNS monitoring can expose these threats, many in real time. In my next blog, I'll look at how you can implement mechanisms to detect these at Internet firewalls, using network intrusion systems, traffic analysis, or log data.