
Using DNS monitoring to detect network breaches

Brad Casey highlights three DNS data-monitoring methods that can help organizations determine if their networks have been breached.

I've read that monitoring domain name system (DNS) data can be a good way to determine if a network has been breached.

Do you have any advice on what tools enterprises can use for DNS monitoring?


Indeed, monitoring DNS data is an excellent way to determine whether your network has been breached. DNS has become an increasingly important data source because bots typically depend on it to locate their command-and-control (C2) nodes. Hence, suspicious DNS traffic is a telltale sign that a device on your network has been co-opted into a botnet. While numerous DNS monitoring methods exist, the top three in my opinion are domain age, suspicious domains and DNS failures. Let's review each method briefly.

Domain age. I consider it a good practice to script a Whois lookup for every domain that is seen crossing the network's gateway for the first time, paying special attention to the creation date field. If the domain was registered as recently as two days ago, consider blocking any outbound traffic to it until further examination can be conducted. Cache the results and look up only the registered domain (not every hostname under it), because Whois servers rate-limit clients that query them repeatedly.

Suspicious domains. The term suspicious is hard to define but easy to spot when you see it. For example, it is common for the domain google.com to traverse a network. However, it is not common to see the domain google.co1.123.abc, where a well-known brand name appears as a subdomain of an unrelated registered domain alongside purely numeric labels. If you notice any outbound traffic to domains that seem weird or unusual, further examination would be prudent.

DNS failures. If a large number of DNS lookup failures (NXDOMAIN responses) are entering your network, you could be the victim of someone utilizing a domain generation algorithm (DGA). In a nutshell, a DGA generates thousands of candidate domains, of which the operator registers only a handful; the bot queries candidates until one resolves, and the bulk of the candidates fail. Communication with the few domains that do resolve is how bots are controlled by their corresponding C2 nodes, so a single host producing a burst of NXDOMAIN responses deserves a closer look.

In the end, each of the above-mentioned checks should be easy for a seasoned security administrator to implement. The only one that may prove difficult is the suspicious domains check, because organizations will deem different things suspicious depending on the metric they use. However, domain age and DNS failures are easily scriptable and should not require the purchase of additional hardware.
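As an added illustration of the three checks described above (this is example code written for this page, not code from the original answer or from any product), the following Python script runs domain-age, suspicious-name and NXDOMAIN-count logic over a constructed DNS query log. The log lines, the Whois creation dates in WHOIS_CREATED, the brand list in BRANDS, and the age, entropy and failure-count thresholds are all assumptions chosen for the example; a real deployment would replace the dictionary with cached Whois lookups and tune the thresholds to its own traffic.

```python
import math
from collections import Counter
from datetime import date

# Constructed sample DNS query log (not from the original page).  Each line is
# "timestamp client qname rcode", as a resolver or passive-DNS sensor would log.
# NXDOMAIN is the failure a DGA bot produces while probing unregistered names.
SAMPLE_LOG = """\
2013-12-02T10:00:01 10.0.0.5 www.google.com NOERROR
2013-12-02T10:00:02 10.0.0.5 mail.google.com NOERROR
2013-12-02T10:00:03 10.0.0.5 www.example.org NOERROR
2013-12-02T10:00:04 10.0.0.7 google.co1.123.abc NXDOMAIN
2013-12-02T10:00:05 10.0.0.9 xk3jq9vz2lpa.net NXDOMAIN
2013-12-02T10:00:05 10.0.0.9 qpw7zr4mnb1s.com NXDOMAIN
2013-12-02T10:00:06 10.0.0.9 hj2lkd9xq8vt.net NXDOMAIN
2013-12-02T10:00:06 10.0.0.9 zu5ybn3wq0rk.org NXDOMAIN
2013-12-02T10:00:07 10.0.0.9 dm8tcp4lxa6e.com NXDOMAIN
2013-12-02T10:00:07 10.0.0.9 fresh-deal-2013.net NOERROR
2013-12-02T10:00:08 10.0.0.11 fresh-deal-2013.net NOERROR
"""
TODAY = date(2013, 12, 2)  # constructed "now" matching the sample timestamps

# Constructed stand-in for the Whois "Creation Date" field, keyed by registered
# domain.  In production this is a cached, rate-limited whois query; the
# random-looking NXDOMAIN names have no entry because nobody registered them.
WHOIS_CREATED = {
    "google.com": date(1997, 9, 15),
    "example.org": date(1995, 8, 31),
    "fresh-deal-2013.net": date(2013, 12, 1),
}

# Constructed brand labels that should only appear under their own registered
# domain; seeing one elsewhere is the "google.co1.123.abc" lookalike pattern.
BRANDS = {"google", "microsoft", "paypal"}


def parse_log(text):
    """Yield (client, qname, rcode) from the four-column sample format."""
    for line in text.splitlines():
        if line.strip():
            _ts, client, qname, rcode = line.split()
            yield client, qname.lower().rstrip("."), rcode


def registered_domain(qname):
    """Last two labels; an approximation ('google.co.uk' needs a public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def domain_age_days(qname, today, whois=WHOIS_CREATED):
    """Days since registration of the registered domain, or None without a record."""
    created = whois.get(registered_domain(qname))
    return None if created is None else (today - created).days


def shannon_entropy(label):
    # Bits per character; 12 distinct characters give log2(12) = 3.58.
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def vowel_ratio(label):
    # Share of vowels among the letters; DGA labels have far fewer than real words.
    letters = [ch for ch in label if ch.isalpha()]
    return sum(ch in "aeiou" for ch in letters) / len(letters) if letters else 0.0


def is_suspicious(qname):
    """Heuristics for the 'weird or unusual' names the answer describes."""
    labels = qname.split(".")
    reg = registered_domain(qname)
    # A brand label sitting under somebody else's registered domain.
    if any(b in labels[:-2] and not reg.startswith(b + ".") for b in BRANDS):
        return True
    # A purely numeric label such as "123" (rare outside in-addr.arpa).
    if any(label.isdigit() for label in labels):
        return True
    # A long leftmost label that is high-entropy and vowel-poor: the DGA signature.
    first = labels[0]
    return len(first) >= 10 and shannon_entropy(first) >= 3.3 and vowel_ratio(first) < 0.25


def analyze(log_text, today, whois=WHOIS_CREATED, max_age_days=2, nx_threshold=5):
    """Run the three checks over a log and return what each one flagged."""
    seen, young, suspicious, nx_per_client = set(), {}, [], Counter()
    for client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        reg = registered_domain(qname)
        if reg not in seen:  # Whois only on first sighting, as the answer suggests
            seen.add(reg)
            age = domain_age_days(qname, today, whois)
            if age is not None and age <= max_age_days:
                young[reg] = age
        if qname not in suspicious and is_suspicious(qname):
            suspicious.append(qname)
    return {
        "young_domains": young,
        "suspicious": suspicious,
        "dga_suspects": {c: n for c, n in nx_per_client.items() if n >= nx_threshold},
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, TODAY).items():
        print(f"{key}: {value}")
```

On the sample, the script flags fresh-deal-2013.net as one day old, 10.0.0.9 as a DGA suspect with five NXDOMAIN responses, and the lookalike plus the five random names as suspicious, while leaving the Google and example.org traffic alone. Note that entropy alone would also flag a hyphenated, digit-bearing name like fresh-deal-2013; the vowel-ratio test is what separates it from the DGA labels, which is why the suspicious-domains check is the hardest of the three to get right.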

This was first published in December 2013
