Using DNS monitoring to detect network breaches

I've read that monitoring domain name system (DNS) data can be a good way to determine if a network has been breached. Do you have any advice on what tools enterprises can use for DNS monitoring?

Ask the Expert

Have a question about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)

Indeed, monitoring DNS data is an excellent way to determine whether your network has been breached. This data has become increasingly important because DNS is the primary way that bots communicate with their command-and-control (C2) nodes. Hence, suspicious DNS traffic is a telltale sign that a device on your network has been co-opted into a botnet. While numerous DNS monitoring methods exist, the top three in my opinion are: domain age, suspicious domains and DNS failures. Let's review each method briefly.

Domain age. I consider it a good practice to script a Whois lookup and monitor all domains that attempt to traverse the network's gateway for the first time, paying special attention to the date created field. If the domain was registered as recently as two days ago, consider blocking any outbound traffic to that domain until further examination can be conducted.
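The domain-age check described above, as an added Python example that is not part of the original column: it tracks which registrable domains have been seen before, parses the creation date out of a WHOIS response for new ones, and holds traffic to anything registered within the last two days. The WHOIS responses, the `.test` domain names and the `FirstSeenMonitor` class are constructed for the example; the last-two-labels rule for the registrable domain is a simplification (a public suffix list is needed for names like `example.co.uk`), and in production the lookup function would wrap a real WHOIS client.

```python
"""Hold outbound traffic to never-before-seen domains whose WHOIS creation date is very recent."""
import re
from datetime import datetime, timedelta, timezone

# Constructed WHOIS responses standing in for real lookups (assumption: an
# offline stub keyed by registrable domain; swap in a WHOIS client in production).
SAMPLE_WHOIS = {
    "fresh-domain.test": (
        "Domain Name: FRESH-DOMAIN.TEST\n"
        "Creation Date: 2013-12-02T09:12:44Z\n"
        "Registrar: Example Registrar\n"
    ),
    "old-domain.test": (
        "domain: OLD-DOMAIN.TEST\n"
        "created: 17-apr-2005\n"
    ),
    "no-date.test": "Domain Name: NO-DATE.TEST\nRegistrar: Example Registrar\n",
}

# Registrars label the creation date differently; match the common spellings.
CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered On|Registration Date|created):\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the creation date as an aware UTC datetime, or None if absent/unparseable."""
    match = CREATION_RE.search(whois_text)
    if not match:
        return None
    raw = match.group(1)
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return parsed.replace(tzinfo=timezone.utc)
    return None


def registrable_domain(fqdn):
    """Naive registrable domain: the last two labels (assumption; no public suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class FirstSeenMonitor:
    """Look up each registrable domain once, the first time it crosses the gateway."""

    def __init__(self, whois_lookup, min_age_days=2):
        self.whois_lookup = whois_lookup      # callable: domain -> WHOIS text or None
        self.min_age = timedelta(days=min_age_days)
        self.seen = {}                        # domain -> cached verdict

    def observe(self, fqdn, now):
        domain = registrable_domain(fqdn)
        if domain in self.seen:
            return dict(self.seen[domain], first_seen=False)
        text = self.whois_lookup(domain)
        created = parse_creation_date(text) if text else None
        if created is None:
            verdict, age_days = "review", None   # no date: needs a human look
        else:
            age = now - created
            age_days = age.days
            verdict = "hold" if age < self.min_age else "allow"
        result = {"domain": domain, "created": created, "age_days": age_days, "verdict": verdict}
        self.seen[domain] = result
        return dict(result, first_seen=True)


if __name__ == "__main__":
    now = datetime(2013, 12, 3, 12, 0, tzinfo=timezone.utc)
    monitor = FirstSeenMonitor(SAMPLE_WHOIS.get)
    for name in ("www.fresh-domain.test", "cdn.fresh-domain.test", "old-domain.test", "no-date.test"):
        print(name, monitor.observe(name, now))
```

The cache matters as much as the date check: the column's advice is to look up a domain the first time it appears, and a monitor that queried WHOIS for every request would both flood the registrar and throttle your own gateway.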

Suspicious domains. The term suspicious is hard to define but easy to spot when you see it. For example, it is common for the domain google.com to traverse a network. However, it is not common to see the domain google.co1.123.abc. If you notice any outbound traffic to domains that seem weird or unusual, further examination would be prudent.

DNS failures. If there are a large number of DNS lookup failure messages entering your network, you could be the victim of someone utilizing a domain generation algorithm (DGA). In a nutshell, DGAs are utilized to create thousands of domains with the intent of communicating with only a handful of them. The communication with the actual domain is how bots are controlled by their corresponding C2 nodes.
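The suspicious-domain and DNS-failure checks from the two points above, as one added Python example that is not part of the original column. It reads a small constructed query log, scores each name with a few heuristics (an unusual number of labels, a digit-heavy second-level label, a high-entropy label of the kind a DGA produces, and a well-known brand appearing somewhere other than the registrable domain, which is what makes `google.co1.123.abc` look wrong), and counts NXDOMAIN answers per client so that a machine generating many failed lookups stands out. The log format, the IP addresses, the `.test` names and the thresholds are all assumptions made for the example.

```python
"""Score DNS query-log lines for odd-looking names and per-client lookup failures."""
import math
from collections import Counter

# Constructed log excerpt (assumed format: "<utc-time> <client-ip> <qname> <rcode>").
# Real resolvers log in their own formats, so parse_log would need adapting.
SAMPLE_LOG = """\
2013-12-03T10:00:01Z 10.0.0.5 www.google.com NOERROR
2013-12-03T10:00:02Z 10.0.0.5 mail.google.com NOERROR
2013-12-03T10:00:03Z 10.0.0.7 typo-domain.test NXDOMAIN
2013-12-03T10:00:04Z 10.0.0.9 google.co1.123.abc NXDOMAIN
2013-12-03T10:00:05Z 10.0.0.9 qz8vk2mxp4tw.test NXDOMAIN
2013-12-03T10:00:06Z 10.0.0.9 hb7rt3nwql9s.test NXDOMAIN
2013-12-03T10:00:07Z 10.0.0.9 pm4yx6cdk2vr.test NXDOMAIN
2013-12-03T10:00:08Z 10.0.0.9 wd9ls5tqa3jn.test NXDOMAIN
2013-12-03T10:00:09Z 10.0.0.9 kf2zn8rbu7xc.test NXDOMAIN
2013-12-03T10:00:10Z 10.0.0.9 vt5gc1mhe9py.test NXDOMAIN
2013-12-03T10:00:11Z 10.0.0.9 www.google.com NOERROR
"""

KNOWN_BRANDS = ("google",)  # assumption: your own list of names worth protecting


def parse_log(text):
    """Turn log lines into dicts; lines that do not have four fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def registrable_domain(fqdn):
    """Naive registrable domain: the last two labels (assumption; no public suffix list)."""
    return ".".join(fqdn.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_reasons(qname, brands=KNOWN_BRANDS):
    """Return the list of heuristics a query name trips (empty means nothing odd)."""
    labels = qname.split(".")
    reasons = []
    if len(labels) >= 4:
        reasons.append("many-labels")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    digits = sum(ch.isdigit() for ch in sld)
    if sld and digits / len(sld) >= 0.3:
        reasons.append("digit-heavy")
    if len(sld) >= 10 and shannon_entropy(sld) > 3.5:
        reasons.append("high-entropy")
    reg = registrable_domain(qname)
    for brand in brands:
        # The brand shows up in a label, but the name is not actually under brand.<tld>.
        if any(brand in label for label in labels) and not reg.startswith(brand + "."):
            reasons.append("brand-outside-registrable-domain")
    return reasons


def failure_counts(records, rcode="NXDOMAIN"):
    """Number of failed lookups per client address."""
    return Counter(r["client"] for r in records if r["rcode"] == rcode)


def analyze(text, nx_threshold=5):
    """Summarise a log excerpt: noisy clients and names that tripped a heuristic."""
    records = parse_log(text)
    noisy = {c: n for c, n in failure_counts(records).items() if n >= nx_threshold}
    flagged = {}
    for r in records:
        reasons = suspicious_reasons(r["qname"])
        if reasons:
            flagged.setdefault(r["qname"], reasons)
    return {"nxdomain_clients": noisy, "suspicious_names": flagged}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On its own each heuristic produces false positives (a single typo produces an NXDOMAIN, and some legitimate CDN hostnames are long and random-looking), which is the point the column makes about "suspicious" being hard to define. The combination is what carries weight: one client producing many failures for names that also score as high-entropy is the DGA pattern described above, and the NXDOMAIN count needs no threat intelligence at all.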

In the end, each of the above-mentioned features should be easy for a seasoned security administrator to implement. The only feature that may prove difficult is the suspicious domains feature, because organizations will deem different things suspicious depending on the metric they use. However, domain age and DNS failures are easily scriptable and should not require purchasing additional hardware.

This was first published in December 2013
