The domain name system, better known as DNS, is one of the most critical network protocols in technology today. It is so common that it would be surprising for a computer to not use DNS while the device is turned on.
The basic functionality is simple, but it has significant complexity under the covers, and it can give security teams tremendous insight into the operations of a network. On the other hand, there have been many attacks on DNS servers, and even attacks that use DNS to their advantage.
How DNS works
DNS is the domain name system used for looking up human-friendly names of IP addresses, much like a telephone book. It is key to the operation of the internet, and it is relied upon by many other protocols. It also gives a network operator additional flexibility to make changes, such as redirecting one server to a different server by modifying a DNS entry to point to a different IP address.
DNS is also used by many types of malware for command and control (C&C) connections referencing DNS names in configuration files; even domain-generating algorithms have been used to set up C&C connections. DNS provides access to data, including internet protocol addresses -- A records for IPv4 and AAAA records for IPv6 -- as well as mail exchanger records for email servers.
One problematic option that has been used recently by threat actors is called TXT (text) records. DNS TXT records can be used to record any text within a DNS entry.
How DNS TXT records can be abused
DNS has received significant attention in the security community, including the usage of DNS servers in distributed denial-of-service attacks.
One area of DNS security that is starting to get more attention is how DNS can be used as a covert channel for data exfiltration. An attack was observed by Cisco Talos researchers where DNS TXT record queries were used for a C&C connection.
In the attack, a phishing email with a malicious Microsoft Word document is sent to a victim, and a macro executes a PowerShell command on the endpoint. The malware uses DNS TXT records for sending commands to the endpoint and for sending the output data from the command back to the C&C server. The malware encodes the command to make it more difficult to detect the potentially suspicious network communications.
Enterprises already have methods they can use to defend against malicious actors who abuse DNS TXT records to exfiltrate data from the enterprise; those same methods can also be effective against malicious actors abusing DNS TXT records to control their C&C networks. The DNS log data can be used to identify potentially suspicious domains being looked up, as well as the source IP address requesting the lookup.
Talos includes a listing of the malicious domains in its indicators of compromise section of the report. The source IP address could be a system infected with malware, and it can be further investigated by security teams. By including DNS as a data source to use in incident response, an enterprise could find other infected systems.
Talos outlined several steps in the report to mitigate this DNS threat, including using a service that monitors DNS, antiphishing tools, antimalware network tools, threat intelligence services and endpoint security products. Talos also released a Snort rule that can detect the malware on the network.
One of the most attractive features of using DNS as a security control is that it usually doesn't require any changes to endpoints, and it can be used across an entire network. An enterprise may want to only allow approved DNS servers to be used so the enterprise can not only ensure the DNS service is secure, but can also monitor the DNS data.
DNS is a mission-critical service for enterprises, and it is also a gold mine of valuable data for protecting your enterprise. DNS data can be mined for threat intelligence, and DNS itself can also be used to redirect malware-infected hosts to a captive portal to remediate the malware.
Enterprises can add new security tools to monitor DNS without having to make significant changes to their network, which can make these tools very attractive to enterprises.
Read about how ransomware has shifted to destruction of service attacks
Find out why embracing a hacker mindset can be valuable
Learn about the differences between security assessments and audits