Simple ways to improve your DNS resilience and security: Monitoring, blocking and altering queries
Your DNS system can be an invaluable part of your information security toolkit. By blocking, altering and monitoring the resolution of domain names you can protect systems and defend information from attacks. In particular, the ability to prevent the resolution of malicious domains, and to detect infected or compromised systems attempting to reach them, is invaluable.
Much of the intelligence that Janet CSIRT receives on malware infections stems from sinkholes. These are where the DNS records for domains involved in malware command and control infrastructure are redirected towards a honeypot system that monitors and reports on the data it receives. The systems used in the NCA/FBI's action against GameOver Zeus and Cryptolocker are a prime example, as was the effort to disable the Conficker botnet.
Passive DNS is another example of how DNS data can be used in incident response. By logging all DNS queries and answers you can build a database which you can later search for valuable information. It can answer questions such as "What domains resolve to 1.2.3.4?", which often gives a very different answer from "What is the reverse DNS for 1.2.3.4?". We frequently use these types of systems when analysing netflow data.
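The sinkhole and passive DNS ideas above, as an added Python example that is not part of the original article: it parses a constructed, simplified resolver answer log (timestamp, client, name, type, answer; not real BIND output), builds the reverse index that answers "what domains resolve to this IP?", and lists clients that resolved a domain we have redirected to a sinkhole address. The domain names, addresses and the SINKHOLED list are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed sample of resolver answer records (not real BIND output):
# timestamp client qname qtype rdata
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 www.example.org A 203.0.113.10
2024-01-10T09:00:07 10.0.0.5 cdn.example.org A 203.0.113.10
2024-01-10T09:01:13 10.0.0.9 mail.example.org A 203.0.113.25
2024-01-10T09:02:44 10.0.0.7 bad-c2.example.net A 198.51.100.1
2024-01-10T09:03:02 10.0.0.7 bad-c2.example.net A 198.51.100.1
"""

# Names we have redirected to our sinkhole address (constructed, hypothetical).
SINKHOLED = {"bad-c2.example.net"}
SINKHOLE_IP = "198.51.100.1"

def parse_log(text):
    """Split each log line into a record; names are normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rdata = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.rstrip(".").lower(), "rdata": rdata})
    return records

def build_passive_dns(records):
    """Index answer address -> names seen resolving to it, with first/last seen."""
    index = defaultdict(lambda: {"names": set(), "first": None, "last": None})
    for r in records:
        if r["qtype"] not in ("A", "AAAA"):
            continue
        entry = index[r["rdata"]]
        entry["names"].add(r["qname"])
        entry["first"] = r["ts"] if entry["first"] is None else min(entry["first"], r["ts"])
        entry["last"] = r["ts"] if entry["last"] is None else max(entry["last"], r["ts"])
    return index

def names_for_ip(index, ip):
    """Answer 'what domains resolve to ip?' from the passive data (no reverse DNS)."""
    return sorted(index[ip]["names"]) if ip in index else []

def sinkhole_hits(records):
    """Clients that resolved a sinkholed name: candidates for incident triage."""
    hits = defaultdict(set)
    for r in records:
        if r["qname"] in SINKHOLED or r["rdata"] == SINKHOLE_IP:
            hits[r["client"]].add(r["qname"])
    return {client: sorted(names) for client, names in hits.items()}
```

Feeding real resolver logs would only require replacing parse_log with a parser for your server's log format; the index and triage functions stay the same.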
We recommend looking into how your DNS setup can be configured to do all these things. Can you redirect DNS queries for a domain to a particular IP? Can you log client requests? Can you block a particular domain name? Even if you don't set up these features right away, thinking about these questions now will help you prepare to defend your systems against future attacks.
We provide information on blocking and redirecting domain names in BIND and Windows DNS.