DNS Monitoring

DNS Monitoring: How to Check Your Traffic for Threats

Cybercriminals are becoming more sophisticated in their attacks.

The Domain Name System (DNS) serves as a website’s identity and is the core component of its security architecture.

Unless your website has the appropriate DNS monitoring in place, there’s no reason why you cannot become a cybercriminal’s next victim.

We are offering informative tips on how to prevent security threats.

Why Do Cyber Criminals Target DNS?

Unfortunately, cybercriminals will target a vulnerable internet service or protocol, including a website’s DNS.

They can then register disposable domain names for a spam campaign or botnet administration.

What’s more, an attacker could use the domains to host malware or phishing downloads.

Malicious queries can also exploit a nameserver or disrupt a name solution.

Sadly, the cyber-attacks can potentially destroy a website’s performance, function, and reputation.

The servers of Dyn are a perfect example.

The company controls some of the internet’s DNS infrastructure. It experienced a cyber attack that brought down much of America and Europe’s internet on October 21st, 2016.

The new Mirai botnet attack has been classed as the largest kind in its history.

A variety of high-profile websites experienced a downtime, such as Twitter, The Guardian, CNN, Netflix, and Reddit.

While it may be a feat to prevent every potential DNS threat affecting a website, it’s essential to take action to avoid falling victim to a cyber attack.

Why DNS Monitoring?

More than a quarter of companies haven’t established responsibility for their DNS security, despite the fact DNS attacks have increased by more than 200%.

To prevent a website from becoming a cyber attack target, you must embark with regular DNS monitoring.

A DNS log monitors every connection your website makes with a visiting device.

To maintain website security, it’s essential to embark with DNS monitoring to inspect the traffic between a device and your local recursive resolver.

The forensic analysis can ensure you:

  • Identify the websites visited by an employer
  • Discover the malware/botnets connected to the C&C servers
  • Detect a DDOS attack
  • Pinpoint the Domain Generation Algorithm (DGA) and malicious domains accessed
  • Identify the dynamic domains accessed

When analyzing the DNS log, it’s essential to verify each domain against the DGA and malicious domain database.

If you’re unsure of where to start with DNS Monitoring, we’re offering six security systems to help you proactively protect your website.

1. Firewalls

Firewalls have the potential to expose DNS threats, so they’re an effective tool for DNS monitoring.

Most firewalls will allow webmasters to define rules to prevent IP spoofing.

For example, you could enter a rule that denies DNS queries from IP addresses outside an allocated number space. This could prevent a nameserver from exploitation in a DDoS attack.

It’s also beneficial to enable DNS traffic inspection for suspicious byte patterns or irregular DNS traffic, so you can take the steps to block a nameserver software exploit attack.

2. Traffic Analyzers

One of the best ways to identify harmful malware traffic is a passive traffic analysis.

A traffic analyzer will allow you to both capture and filter DNS traffic between a device and your local recursive resolver, which you can then save to a PCAP file.

Webmasters must create scripts to search the PCAP file to identify specific suspicious activities.

3. Passive DNS Replication

Passive DNS replication allows a webmaster to use sensors at the local recursive resolvers.

This creates a database containing each DNS transaction, such as the query or response, through a resolver or set of resolvers.

The replication can be instrumental in identifying one or more malware domains, particularly in cases when the malware operates algorithmically generated domain names (AGDA).

4. Intrusion Detection Systems

An effective intrusion detection system allows you to create rules that allow reporting on DNS requests from unauthorized networks.

It is beneficial to compose rules to either count or report:

  • NXDomain responses
  • DNS queries via TCP
  • Responses that contain resource records with short TTLs
  • Unusually large DNS responses
  • DNS queries to non-standard ports
  • plus more

All DNS queries should be carefully reviewed.

The intrusion detection systems can be integrated into firewalls, which will allow you to deny or permit rules for many of the checks listed above.

5. DNS Monitoring with Local Resolver Logs

Your local resolver logs are probably the most obvious and essential way to embark with DNS monitoring.

By enabling resolver logging, you can use a variety of tools to collect DNS server logs whilst exploring known malicious domains, such as OSSEC.

6. A Secure Registrar

Most websites are registered via a registrar company.

Unfortunately, if a cyber-attacker can compromise the account with the registrar, they can gain control over your domain name.

This means they can point the registrar to their chosen server, including their nameservers.

What’s more, they can transfer the domain to either a new owner or an offshore registrar – which means you might be unable to recover the domain.

Many intelligent cyber attackers may target an account’s password, or they may even launch a cyber attack on the registrar’s tech support.

You’ll want to avoid registrar hijacking, so you should select a registrar that provides heightened security precautions.

Look for services like multi-factor authentication.

Suspicious Signs to Analyze

It is important to pay close attention to any potential signs of malicious activity on your network.

We recommend analyzing the composition characteristics and length of DNS responses. This could help to identify malicious intent.

If the response messages are unusually large, this could be an amplification attack.

You should also review the answer or additional sections of the response message, which could be a sign of cache poisoning.

Conclusion

The biggest risk to a website is ignorance, which will not be bliss when you suffer a cyber attack.

There are various forms of DNS monitoring that will allow you to expose threats and keep your website secure.

It is up to a website admin to determine the right strategy to detect suspicious or malicious activity on your network.

While DNS monitoring doesn’t sound like a fun thing to do, it is essential for the security of your website.

Ensure you take the necessary steps to stop a cyber criminal in their tracks.