I've read that monitoring domain name system (DNS) data can be a good way to determine if a network has been breached. Do you have any advice on what tools enterprises can use for DNS monitoring?
Ask the Expert
Have a question about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)
Indeed, monitoring DNS data is an excellent way to determine whether your network has been breached. This data has become increasingly important because DNS is the primary way that bots communicate with their command-and-control (C2) nodes. Hence, suspicious DNS traffic is a telltale sign that a device on your network has been coopted into a botnet. While numerous DNS monitoring methods exist, the top three in my opinion are: domain age, suspicious domains and DNS failures. Let's review each method briefly.
Domain age. I consider it a good practice to script a Whois lookup and monitor all domains that attempt to traverse the network's gateway for the first time, paying special attention to the date created field. If the domain was registered as recently as two days ago, consider blocking any outbound traffic to that domain until further examination can be conducted.
Suspicious domains. The term suspicious is hard to define but easy to spot when you see it. For example, it is common for the domain google.com to traverse a network. However, it is not common to see the domain google.co1.123.abc. If you notice any outbound traffic to domains that seem weird or unusual, further examination would be prudent.
DNS failures. If there are a large number of DNS lookup failure messages entering your network, you could be the victim of someone utilizing a domain generation algorithm (DGA). In a nutshell, DGAs are utilized to create thousands of domains with the intent of communicating with only a handful of them. The communication with the actual domain is how bots are controlled by their corresponding C2 nodes.
In the end, each of the above-mentioned features should be easy for a seasoned security administrator to implement. The only feature that may prove difficult is the suspicious domains feature, because organizations will deem different things suspicious depending on the metric they use. However, domain age and DNS failures are easily scriptable and should not require the purchasing of additional hardware.
This was first published in December 2013