Security Event Primer – DNS

Overview

This security primer provides information on general DNS operations, IDS event types, requirements for investigation, recommendations, and references.

Technical Summary

Domain Name System (DNS) is a distributed database used by TCP/IP applications for resolution between hostnames and their corresponding IP addresses. The resolution procedure is usually as follows:

1. An application sends a name query to the DNS Client.
2. The DNS client checks its local cache for a match. If no match is found, then it sends a query to the DNS Server.
3. The DNS Server looks for a match. If no match is found, then it continues the DNS query process until an authoritative record is located.
4. The DNS Client returns the result.

Common DNS event types include:

• Query Event – A query event is triggered when an observed domain in the DNS lookup matched a signature. These signatures trigger on initiated traffic where the source IP is performing a lookup on the destination IP with destination port 53 and the observed domain has either been associated with malware activity or a policy violation.
• Response Event – A response event is triggered when an observed domain lookup result contained either a NXDOMAIN or a sinkhole response that matched a signature. These signatures trigger on return traffic where the source IP is returning a response to the query performed by the destination IP with a source port of 53 and the observed domain has been associated with malware activity.
  • NXDOMAIN response – A NXDOMAIN response indicates the queried domain name was not resolvable through the DNS server’s lookup process. A combination of hostname in the domain lookup and the NXDOMAIN response will trigger these signatures.
  • Sinkhole response – A sinkhole response indicates the domain in the DNS lookup has been observed in malicious activity by a service provider and has subsequently diverted traffic to these domains to a non-malicious sinkhole essentially blocking traffic to the malicious site. This occurs to disrupt botnets and c2 infrastructure.
• Update Event – An update event is triggered when observed DNS traffic contains a resource record update from a host that is not part of your monitored infrastructure (External Host).

Requirements

• Logging: To respond to a DNS security incident, it is critical to have the appropriate level of logging configured on your managed devices. The most basic of logging that is required is DNS logging for your primary name servers used by network clients and DHCP logging for your servers that lease IPs to those clients. In Microsoft Windows environments, the primary name servers for an active directory domain will be the domain controllers. Please refer to your IT support vendor who manages your network and systems infrastructure to validate that you have DNS and DHCP client logging configured accordingly on your domain controllers.
  • Some caveats with logging to consider.
    • Potential storage requirements as a result to the volume of logging and retention of those logs
    • Performance implications on the logging devices, such as CPU, memory, and disk
  • Additional device logging configuration to consider: server event logs, authentication logs, endpoint AV logs, Web proxy logs, and network security device/firewall logs (this is a non-exhaustive list). This gives organizations collections telemetry, ideally centrally collected while resting independent from source systems, for tracing and locating malicious behavior, for historical lookup as well as alerting.

Recommendations

• It is recommended to investigate the source of the DNS requests for potential malicious activity. This can be done by reviewing your DNS logs to correlate the domain query and timestamp to identify the internal host that the DNS query originated from.
• Once the internal host that originated the DNS query is identified you will need to investigate this host for any indicators of compromise as identified for the specific threat. This could involve reviewing AV and firewall logs to determine the impact on the affected host.

Related CIS Sub-Controls

• 1.3 Use DHCP Logging to Update Asset Inventory – Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization’s hardware asset inventory. Sensor: Log Management System / SIEM.
• 7.7 Use of DNS Filtering Services – Use DNS filtering services to help block access to known malicious domains. Sensor: DNS Domain Filtering System.
• 8.7 Enable DNS Query Logging – Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. Sensor: DNS Domain Filtering System.

  References

• CIS Controls Measures and Metrics V7
• NNT Security Blog | Finding the Culprit: Uncovering the Source of Malicious DNS Queries
• Microsoft | Reviewing DNS Concepts