Do You Even DNS Log Bro?

by Will Gragido, Chief Strategy Officer – Prevailion, Inc.

Intelligence analysis is dependent upon many things not the least of which are collections and access to data (e.g., pcaps, logs etc.) sourced from within the network. Prevailion affords its customers the ability to view intelligence related to real state of compromise outside the network’s perimeter. And though this is a unique capability and dataset, it requires correlation with data collected from within the network in order to pinpoint specific machines and machine-level activity. Why? To understand, which internal systems are behind the curtain of your public facing addresses. The key to remediation efforts based on Prevailion’s high-fidelity detection of compromise activity coming from your environment and mapping it to internal systems is having access to logging data related to your organization’s DNS architecture.

If I Am Not Logging DNS, Where Should I Begin?

To begin with, you may want to evaluate your organizations understanding of DNS. DNS is often a setup and forget type of system but is critical to keep the business always operational and often free from security issues. What is DNS you ask? The Domain Name System (DNS) is a hierarchical and decentralized naming system that’s purpose is to aid in the facilitation of communication between devices across the Internet. Put another way, it is the telephone book (remember those?) for the Internet. It acts as distributed directory service that has been in operation since 1985 providing an integral service to what the world enjoys and recognizes today as the Internet. DNS utilizes authorative name servers – servers that provide answers in response to questions posed about names in a DNS zone.  Authoritative-only name servers answer questions about domain names that have been configured by an administrator at a registrar or dynamic DNS provider. Name servers can also be configured to act as a DNS catching name server for zones (domains). This type of configuration stores DNS query results for a predetermined period of time for each domain-name record. Things of note with respect to DNS include:

• Start of Authority (SOA)
• IP Addresses (A record and AAAA records)
• SMTP Mail Exchangers (MX)
• Name Servers (NS)
• Pointers for Reverse DNS Lookups (PTR)
• Domain Name Aliases (CNAME)

Through the years DNS has been expanded to store records for other types of data useful in providing automatic lookup responses such as DNSSEC records.

DNS data that can be collected and monitored

There are many different DNS-related events that can be collected from a DNS server. The actual data available is dependent on the DNS server in use. Events that may be available for collection include, but are not limited to:

This metadata may be available for query logging (analytical) events:

• Client IP address
• Source addresses can help administrators identify devices that may be compromised on a local network, or malicious actors on the public Internet.
• Domain name queried
• The domain name in requests can be compared with a list of known malware domains. Esoteric domain names or repeated lookups may indicate the presence of malware.
• Record requested
• The types of records requested may be an indicator of malicious activity. For example, the TXTrecord in particular is often used for command-and-control or DNS tunneling.
• Request flags
• There are several status flags associated with a DNS message, including whether the message is a request or response, whether the query is recursive, DNSSEC status, etc.

Conclusions

DNS provides a critical service within the Internet today providing acting as an authoritative directory for users all over the world. Logging and monitoring DNS within your organization enables both network administrators and cybersecurity personnel alike to detect, identify, and triage issues more quickly in addition to providing them with a more robust understanding of which machines within their environment are communicating with which domains on a regular basis. This in turn, further enhances the network administrator and cybersecurity professionals understanding of what is “safe” or “benign” and what is less so from a DNS perspective. The benefits related to logging and examining DNS are myriad and afford the organizations who do so a deeper, richer, more contextually relevant experience thus affording them the opportunity correlated data and in particular, evidence associated with compromise and breach in a quicker fashion resulting in expedited efforts related to monitoring, observation, containment, and ultimately the ejection of the adversary from the environment. To learn more about how to leverage DNS to quickly determine compromised infrastructure well before traditional intelligence and threat detection solutions, visit Prevailion.com.

For More Information See the Following Sources:

• https://nxlog.co/whitepapers/dns-logging
• https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)
• https://cloud.google.com/dns/docs/monitoring
• https://kb.isc.org/docs/aa-01526