The Domain Name System (DNS) is the phonebook of the Internet. Humans access information online through domain names, like nytimes.com or espn.com. Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to Ip addresses. so browsers can load Internet resources. Most network software, including malware, relies on it to resolve domains to IP addresses before it can establish connections over protocols such as HTTP(S), SMTP, and many others. This means that DNS logging will contain a more complete record, not limited to HTTP(S) traffic, of domains access by endpoints in the environment, making it a valuable log source for defenders.
USE CASE: DNS QUERY
Objective: The mission of this hunt is to drill down DNS logs to baseline common domains queried by endpoints in the environment as well as identify potentially infected endpoints by looking for possible DNS tunneling, domain generation algorithm (DGA) domains, and traffic to risky top-level domains (TLDs).
Log Source & Requirements: DNS query logging
Duration: 30 Days
DNS Logs Anomaly Hunting Checklist for Soc Analyst
- Check for the hosts with a high volume of uncommon record types (TXT, NULL, CNAME, etc.)
- Command and control channels may utilize specific DNS records such as ( TXT and CNAME requests ) to execute malware.
- Explore Top Level Domains, TLDs (.xyz, .me, .biz, etc ), and TLDs for geographical regions in which your organization does not regularly operate.
- The proliferation of TLDs has made it easier for attackers to continually add new domains to their infrastructure to evade threat intel lists, as well as register doppelganger domains for common websites.
- Inbound/ Outbound Requests for TLDs of geographical regions outside of your organization’s point of presence should be considered suspicious and reviewed, especially regions synonymous with cybercrime and anonymization.
- Aggregate and Filter on DNS application logs with the response code NXDOMAIN (domain does not exist) to review hosts seen with a high volume of DNS resolution failures.
- There are many benign reasons for failed DNS queries; however, the abnormal volume can be a strong indicator of possible threat activity. For example, malware utilizing Domain generation algorithms ( DGAs ) will cycle through multiple generated domains until a valid reply is received. Since most of the domains requested will not exist, it will generate a high volume of NXDOMAIN responses. In addition, abnormal NXDOMAIN volume could highlight hosts requesting malicious domains that are no longer active.
- Look for hosts with high DNS request volume for multiple subdomains of a single parent domain.
- A common method of communicating data is by including it in the query string itself in place of the subdomain (commonly encoded using Base64). Identifying requests of multiple suspicious subdomains for a specific domain could help to highlight this method of communication.
- Identify suspicious requests by reviewing queries of domains that are abnormally long, or domains with a high level of entropy.
- Hunting abnormal long queries with a high amount could help identify encoded data hidden in query strings as well as evidence of DGA domains.
- Review endpoints process names for any unusually named processes or processes that are not regularly seen generating logon requests.
- Attackers can simply register new domains to evade detection by threat intel lists. Identifying newly registered domains could help to easily identify suspicious activity.
- DNS fluxing is a technique used by attackers to hide an actual phishing or malware domain behind constantly changing compromised hosts (IP) which are acting as proxies. To accomplish this, the Time to Live (TTL) for DNS is set very low (close to 5 min) so that the changes made in DNS will reflect quickly over the internet. Because it is constantly changing, this makes it hard to identify, and take down the actual source.DNS query for a domain, having a TTL less than 5-10 mins, should be one way to hunt. Then getting different IP addresses for the same domain is also a way to hunt.
- Allowed Traffic on Port 53 Inbound Transition Control Protocol (TCP), zone transfer and should only be allowed between primary and secondary DNS servers. If zone transfer happens with an external IP/Domain which is considered as a high alert.
- DNS Should Not Query Unusual Destinations, this often indicates the potentially malicious traffic.