Do You Even DNS Log Bro?

by Will Gragido, Chief Strategy Officer – Prevailion, Inc.

Intelligence analysis depends on many things, not the least of which are the collection of, and access to, data (e.g., pcaps, logs, etc.) sourced from within the network. Prevailion affords its customers the ability to view intelligence related to the real state of compromise outside the network’s perimeter. Though this is a unique capability and dataset, it requires correlation with data collected from within the network in order to pinpoint specific machines and machine-level activity. Why? To understand which internal systems are behind the curtain of your public-facing addresses. The key to remediation efforts based on Prevailion’s high-fidelity detection of compromise activity coming from your environment, and to mapping that activity to internal systems, is having access to logging data related to your organization’s DNS architecture.

If I Am Not Logging DNS, Where Should I Begin?

To begin with, you may want to evaluate your organization’s understanding of DNS. DNS is often a set-up-and-forget type of system, but it is critical to keeping the business operational and often free from security issues. What is DNS, you ask? The Domain Name System (DNS) is a hierarchical and decentralized naming system whose purpose is to facilitate communication between devices across the Internet. Put another way, it is the telephone book (remember those?) for the Internet. It acts as a distributed directory service that has been in operation since 1985, providing an integral service to what the world enjoys and recognizes today as the Internet. DNS utilizes authoritative name servers – servers that provide answers in response to questions posed about names in a DNS zone. Authoritative-only name servers answer questions about domain names that have been configured by an administrator at a registrar or dynamic DNS provider. Name servers can also be configured to act as a caching name server for zones (domains). This type of configuration stores DNS query results for a predetermined period of time for each domain-name record. Things of note with respect to DNS include:

  • Start of Authority (SOA)
  • IP Addresses (A record and AAAA records)
  • SMTP Mail Exchangers (MX)
  • Name Servers (NS)
  • Pointers for Reverse DNS Lookups (PTR)
  • Domain Name Aliases (CNAME)

Through the years DNS has been expanded to store records for other types of data useful in providing automatic lookup responses such as DNSSEC records.

DNS data that can be collected and monitored

There are many different DNS-related events that can be collected from a DNS server. The data actually available depends on the DNS server in use. Events that may be available for collection include, but are not limited to, query logging (analytical) events, which typically carry the following metadata:

  • Client IP address – source addresses can help administrators identify devices that may be compromised on the local network, or malicious actors on the public Internet.
  • Domain name queried – the domain name in a request can be compared with a list of known malware domains. Esoteric domain names or repeated lookups may indicate the presence of malware.
  • Record requested – the types of records requested may be an indicator of malicious activity. For example, the TXT record in particular is often used for command-and-control or DNS tunneling.
  • Request flags – there are several status flags associated with a DNS message, including whether the message is a request or response, whether the query is recursive, DNSSEC status, etc.
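As an added example (not part of the original post), the following Python script parses constructed query-log lines in an assumed BIND-style layout and applies two of the checks described above: matching queried names against a known-bad domain list, and flagging a burst of TXT-record queries from a single client.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed BIND-style query log layout
# (real deployments may differ): client IP#port (name): query: name class type flags
SAMPLE_LOG = """\
client 10.1.2.3#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)
client 10.1.2.3#51235 (mail.example.com): query: mail.example.com IN MX +E(0)K (10.0.0.53)
client 10.1.2.77#40001 (bad.example.net): query: bad.example.net IN A + (10.0.0.53)
client 10.1.2.77#40002 (a8f3k2.t1.example.org): query: a8f3k2.t1.example.org IN TXT + (10.0.0.53)
client 10.1.2.77#40003 (b7z9q1.t1.example.org): query: b7z9q1.t1.example.org IN TXT + (10.0.0.53)
client 10.1.2.77#40004 (c3m1p4.t1.example.org): query: c3m1p4.t1.example.org IN TXT + (10.0.0.53)
"""

# Constructed block list standing in for a feed of known malware domains.
KNOWN_BAD = {"bad.example.net"}

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+ \(\S+\): query: "
    r"(?P<name>\S+) IN (?P<rtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(text):
    """Extract client IP, queried name, record type and flags from each line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records

def find_indicators(records, known_bad, txt_threshold=3):
    """Return findings keyed by client IP: known-bad lookups and TXT bursts."""
    findings = defaultdict(list)
    txt_per_client = Counter()
    for r in records:
        base = ".".join(r["name"].split(".")[-2:])  # rough registrable-domain cut
        if r["name"] in known_bad or base in known_bad:
            findings[r["client"]].append(f"known-bad domain {r['name']}")
        if r["rtype"] == "TXT":
            txt_per_client[r["client"]] += 1
    for client, n in txt_per_client.items():
        if n >= txt_threshold:
            findings[client].append(f"{n} TXT queries (possible tunneling/C2)")
    return dict(findings)

if __name__ == "__main__":
    for client, notes in find_indicators(parse_query_log(SAMPLE_LOG), KNOWN_BAD).items():
        print(client, "->", "; ".join(notes))
```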

Conclusions

DNS provides a critical service within the Internet today, acting as an authoritative directory for users all over the world. Logging and monitoring DNS within your organization enables network administrators and cybersecurity personnel alike to detect, identify, and triage issues more quickly, and gives them a more robust understanding of which machines within their environment are communicating with which domains on a regular basis. This in turn enhances the network administrator’s and cybersecurity professional’s understanding of what is “safe” or “benign” and what is less so from a DNS perspective. The benefits of logging and examining DNS are myriad: organizations that do so gain a deeper, richer, more contextually relevant view and can correlate data, in particular evidence associated with compromise and breach, more quickly, which expedites monitoring, observation, containment, and ultimately the ejection of the adversary from the environment. To learn more about how to leverage DNS to quickly determine compromised infrastructure well before traditional intelligence and threat detection solutions, visit Prevailion.com.



Copyright 2021 Prevailion, Inc. All rights reserved.    
