Last Updated on August 1, 2021 by Admin 2
You suspect there is a threat against your DNS server that makes use of the query process.
What type of traffic should you monitor?
You should monitor UDP traffic. DNS servers communicate queries using UDP. In one example of a DNS attack type that makes use of UDP (but not the only one), a malicious individual queries your DNS server for a record unknown to the DNS server. The server then does what it is designed to do, which is forward that query to the domain name listed in the record. In this attack, the listed domain is a malicious domain, and the malicious DNS server responds with a record, but hidden within the record is malware that infects the DNS server.
Using DNS server logs, you can identify this type of communication by performing retrospective analysis to determine when the malware file entered the network.
Many security products maintain a list of known problematic DNS domains. They scan the DNS records (which can be very large) for matches and alert you to any communication with a known problem domain.
TCP is not used by DNS for queries. Query traffic will fit into a UDP packet. Because UDP is much faster than TCP, it was chosen as the transport protocol for queries. Reliability is provided by DNS at the application layer.
ARP is used to resolve IP addresses to MAC addresses. It is not a protocol used in DNS query communication.
HTTP is a protocol used by web servers and would be of no use on its own in tracing a threat actor who targets DNS servers. However, HTTP headers can be used to map HTTP attacks to their source.
HTTP logs and DNS logs can be correlated with one another. The DNS log shows the domain name and the IP address it resolved to; by matching those against the HTTP log, we can examine the contents of the HTTP header and identify the attack type.
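The two detection steps described above (scanning DNS query logs against a list of known problem domains, then correlating a hit with the HTTP log by client and resolved address) as an added, self-contained example; it is not code from the original page. The log line format, the field names (`client`, `query`, `answer`, `src`, `dst`, `host`) and the blocklist are all constructed assumptions.

```python
import re

# Constructed sample DNS query log (not from the original page).
DNS_LOG = """\
2021-08-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A answer=93.184.216.34
2021-08-01T10:00:07Z client=10.0.0.8 query=update.bad-domain.test type=A answer=198.51.100.23
2021-08-01T10:00:09Z client=10.0.0.5 query=cdn.example.net type=A answer=203.0.113.10
"""

# Constructed sample HTTP proxy log (not from the original page).
HTTP_LOG = """\
2021-08-01T10:00:08Z src=10.0.0.8 dst=198.51.100.23 host=update.bad-domain.test ua="curl/7.64" uri=/payload.bin
2021-08-01T10:00:10Z src=10.0.0.5 dst=203.0.113.10 host=cdn.example.net ua="Mozilla/5.0" uri=/index.html
"""

# Hypothetical list of known problematic domains (a real product would load a feed).
KNOWN_BAD = {"bad-domain.test"}

# key=value pairs; quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a log line into a dict of fields plus its timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = ts
    return fields

def domain_matches(name, blocklist):
    """True if the name or any parent domain appears in the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_bad_queries(dns_log, blocklist=KNOWN_BAD):
    """Return DNS log records whose queried name is on the blocklist."""
    records = (parse_line(l) for l in dns_log.splitlines() if l.strip())
    return [r for r in records if domain_matches(r["query"], blocklist)]

def correlate(dns_hit, http_log):
    """HTTP requests from the same client to the resolved IP or the queried hostname."""
    hits = []
    for line in http_log.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["src"] == dns_hit["client"] and (
            r["dst"] == dns_hit["answer"] or r["host"].lower() == dns_hit["query"].lower()
        ):
            hits.append(r)
    return hits

if __name__ == "__main__":
    for hit in find_bad_queries(DNS_LOG):
        print("DNS hit:", hit["ts"], hit["client"], "->", hit["query"])
        for h in correlate(hit, HTTP_LOG):
            print("  HTTP:", h["ts"], h["ua"], h["uri"])
```

Subdomain matching matters because a blocklist entry for a parent domain must also catch lookups of hosts beneath it, while a lookalike name that merely starts with the same labels must not match.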