DNS analytics - PSJoshi/Notes GitHub Wiki

Domain name service (DNS) queries are generated every time a user visits a web page or sends an email. As we all know, DNS allows domain name to be resolved into its corresponding IP address. Security administrators often use this DNS data to understand what is happening in their networks. In a large and high speed network setup like Govt organization,scientific institutes etc, DNS queries result in few million counts per day and this sheer volume of data poses a significant challenge.

Additionally, many large organizations usually run multiple nameservers to provide resiliency, making the task that much harder. While there exists many tools (open source as well commercial) to give you visibility of the DNS data, deciphering meaningful signals or insights from a vast number of DNS data is not easy job.

Further, there are not many tools to help analyse DNS data in-depth as we may wish and that too in real time. Of course, some tools are commercially available but at an exorbitant cost.e.g. CISCO OpenDNS. The emergence of big data technologies like Apache Spark/Hadoop in open source will enable us to create/write a tool that can analyse terabytes of DNS data in real time. This, in turn, will allow us greater visibility into the DNS traffic patterns and will help us extract meaning insights/intelligence.

Role of Passive DNS

Passive DNS is a technique for collecting, indexing and storing domain name data over time and it is proven to be useful for identifying DNS attacks by linking domain names with IP and giving the ability to forensically link malicious domains and malicious IP addresses. Domain names being used for attacks of different types generally exhibit certain properties - e.g. malicious domains change their IPs from one to other in short span of interval -say, less than 300sec.

It is possible to use international character sets for domain names apart from English and international domain names(IDNs) are now common for many site domains. But, by using characters from different alphabets, it is possible to craft malicious domain names that are indistinguishable from the names used by legitimate companies and organizations for domains.

IDNs can be identified through the use of passive DNS as it monitors domain registrations and an alert is raised when counterfeit IDNs or domains generated by domain generation algorithms are registered.

DGAs are algorithms that can create hundreds or thousands of domains per second. These are often used for criminal activity - either for email spam or for phishing campaigns. If one of the domain is caught for malicious activity, they will quickly change the domain to another domain and thwart the blocking. DGA domains are used by attackers for issuing botnet commands, but only a small number of those domains are registered as bots. Passive DNS monitoring can be used to track failed DNS responses as bots attempt to connect to a valid command and control domain.

It is recommended to keep an inventory of domains visited in the organization and build a baseline of DNS activity and flag off an alert when something unusual happens.

It is recommended to pro-actively manage DNS on network and thwart attempts such as hijack domain, data ex-filtration over DNS, Distributed DDoS.

Links

• Cyber hunting with DNS - https://www.corvil.com/blog/2016/cyber-hunting-with-dns
• DNS Traffic analysis - https://svs.informatik.uni-hamburg.de/publications/2016/2016-04-15-Herrmann-DNS-Traffic-Analysis.pdf
• Using DNS logs as security information source - https://www.petri.com/dns-security-information-source
• Show me your DNS logs I will learn about you - https://blog.rootshell.be/2011/11/03/show-me-your-dns-logs-ill-learn-about-you/
• Tenable Using log correlation engine to monitor DNS - http://static.tenable.com/prod_docs/LCE_DNS.pdf
• Passive DNS monitoring essential for IR team - https://www.redcanary.com/blog/passive-dns-monitoring-your-ir-team-needs-it/
• Network forensics with windows analytical logging - https://blogs.technet.microsoft.com/teamdhcp/2015/11/23/network-forensics-with-windows-dns-analytical-logging/
• Identify threats with dns logging - http://networkstr.com/dnscentric/identify_threats_with_dns_logging
• DNS analytics - https://www.botconf.eu/wp-content/uploads/2014/12/2014-3.3-DNS-Analytics-Case-Study.pdf
• DNS analytics dashboard - https://blog.cloudflare.com/dns-analytics/
• Monitor DNS traffic - Darkreading article - https://www.darkreading.com/analytics/threat-intelligence/5-ways-to-monitor-dns-traffic-for-security-threats/a/d-id/1315868?
• Monitoring analytics - https://dyn.com/monitoring-analytics/
• DNS analysis - https://cyberdefenses.com/chrime-and-constellation/
• Keep track of newly registered domains/expired domains - https://isc.sans.edu/forums/diary/Tracking+Newly+Registered+Domains/23127/

Enrich DNS records using:

• ASN
• Country
• City
• Whois
• email addresses of admins

Minimize effects from malicious clinets sending DNS traffic by:

• Rate limiting DNS queries for "ANY" records
• Rate limiting DNS responses with extremely long "TXT" records
• Rate limiting DNS requests with extremely long "TXT" records
• Rate limiting duplicate DNS queries that exceed a threshold
• Blacklisting domain names with large number of "A" records
• Monitoring of client IPs that is responsible for maximum queries and using most bandwidth

To protect against DNS cache poisoning:

• Using new random source ports for each DNS query

• Using random transaction IDs for each DNS query

• Shuffling (round-robin or any other scheme) the order of authoritative nameservers used for DNS query

• Ref - https://blogs.cisco.com/security/debunking-the-myths-of-dns-security

Detection of DNS tunneling

DNS is most commonly allowed service in any network and is used to transport domain name information. Mostly, DNS communication is un-encrypted. DNS tunneling involves communication between internal host and a malicious external host. It is often used for exfiltration of smaller data like password, private keys. It is also used as a channel for Command and Control (C&C) activities of botnet communication. It is seen that DNS record types like TXT,A are commonly used for C2 communication.

Tunneling detection mechanisms

• Traffic to external DNS servers should be continuously monitored and any deviation should be investigated.
• Rate of outbound DNS requests should be monitored. If there is surge in outbound DNS queries, it needs investigation. Further, you can also make comparison based on volume of DNS queries.
• DNS request length is also a good indicator for detection of DNS tunneling.