Passive DNS Unsung Hero

Passive DNS Monitoring – Why It’s Important for Your IR Team

Phil Hagen

Share this Project

DNS is an unsung hero among protocols during a network investigation. It’s almost universally used by other protocols such as HTTP, SMTP, and the like. It’s also a plaintext protocol, which can benefit an incident responder who cannot otherwise examine the contents of an encrypted connection. However, passive DNS monitoring (also known as DNS logging) is still somewhat rare in most environments. Adding a standalone means of logging DNS activity can be a relatively simple and inexpensive process. Red Canary also uses DNS activity records collected by the Carbon Black platform to aid in our threat detection service.

What Is Passive DNS Monitoring / DNS Logging?

Put simply, passive DNS monitoring is a method by which a traffic monitoring station examines the contents of DNS queries and responses, then logs that information in a standardized format to text files or other long-term storage mechanisms. The data points logged vary based on the software used. However, given the example query-and-response exchange below, most passive DNS logging software would record some common key points such as those listed below the graphic.

Passive DNS Monitoring log entry

Typical DNS query and response, with corresponding Passive DNS monitoring log entry.

Why Is Passive DNS Monitoring Important in DFIR?

These data points would be of extreme value during an incident response investigation. The hostname/IP address associations can help characterize NetFlow observations, which have no layer 7 context. Additionally, the server’s IP address can be useful in identifying clients that make direct requests to servers outside the environment. Such behavior might indicate a misconfigured resource, a platform with a hard-coded DNS server IP address, or a rogue actor that is ignoring internal DNS server directives assigned by DHCP or a domain hierarchy. When observing the DNS responses over time for a known Command and Control IP hostname, a skilled investigator can observe the different phases of an attacker’s campaign based on when the C2 IP addresses change from one region to another, or go from null-routed to operational IPs.

Passive DNS Monitoring: non-operational and operational phases of a compromise

Depiction of notional DNS behavior in non-operational and operational phases of a compromise.

Passive DNS Monitoring for Threat Intelligence

Perhaps the clearest use of such DNS log evidence would be to support findings that incorporate threat intelligence. The use cases here are numerous, but examples include flagging heavy query activity for newly-registered-domains or identifying a newly-observed domain from a list of the top 5,000 typically queried within your environment. Further, maintaining such logs for an appropriately long period of time can quickly aid an investigator to find the earliest evidence of compromise after a domain or domain-generation algorithm is identified as malicious or suspect. Again, since DNS activity is present in nearly any communication exchange, regardless of the eventual protocol, the baselines established from DNS observations can be almost universally valuable.

Four Approaches to Creating DNS Log Evidence

1: Use the DNS Server for DNS Logging

The DNS server itself may provide a means of logging such data. However, this functionality is often limited to queries only, which omits the critical fields present in the responses. Additionally, impact to the server is a concern raised by many administrators, so load testing is important before operational employment.

2: Deploy Passive DNS Monitoring Software

Another option is to deploy passive DNS monitoring software, which can be installed on the DNS server or onto a separate system that observes the DNS traffic through a network tap. Options for this observation model include the venerable BRO IDS, the tiny-footprint PassiveDNS project, and many others. Some infrastructure devices such as Palo Alto firewalls can perform such a function during the normal course of their operation as well.

Passive DNS monitoring: deployment using a network tap

Passive DNS monitor deployment using a network tap.

3: Outsource DNS Service

Larger organizations might use an outsourced DNS service such as OpenDNS (now part of Cisco). These services may provide some of the reporting an investigator would find useful for baselining and anomaly detection, but might not provide per-query/response fidelity. As with any potential, pre-collected source of evidence, it’s critical to evaluate its usefulness before an incident is underway. Users of these services should also be wary of any NAT actions that are being performed on their perimeter, as that may lose per-client awareness in the hosted service’s reporting.

4: Collect DNS Activity on Endpoints

A final option is to collect the DNS activity on each endpoint, then aggregate to a central location for analysis. This is the model Red Canary leverages, through our use of the Carbon Black sensor/collector platform. The endpoint sensor logs all new network sockets that the client attempts to open, as well as any associated hostname. This visibility at the client provides full-scope awareness of DNS activity across the enterprise. Since Red Canary is continuously polling our clients’ Carbon Black servers to identify conditions of potential exploitation, our ability to flag such activity is extremely fast. And, since the Red Canary threat detection process immediately overlays a variety of cyber threat intelligence sources, followed by streamlined human analyst review for all of our customers, we’re providing decisive, fully-informed threat detection notifications in hours.

Red Canary also uses a number of intel feeds in our process – to include Farsight’s most excellent Farsight’s Newly-Observed Domains (NOD) list, which we apply against all observed domain resolution activity. This immediate and universal intel application allows our analysts to quickly characterize a domain alongside the other behaviors for each binary execution event. This intelligence layer is included for all Red Canary customers – so they get the benefit of Farsight’s NOD against every single one of their endpoints from the moment Red Canary is operating in their environment.

Another Tip: Improve Your Incident Response with Autonomous System Numbers

If you’re not already collecting passive DNS log evidence in your environment, there are a lot of options at various price points and deployment scales. If you’re already collecting DNS queries and responses, congratulations! We’d love to hear what use cases you’ve found for this valuable data store. However, whether you choose raw, low-level collection or continuous semi-automated analysis to your incident response process, you’ll certainly see the immediate value it has to your information security posture.

View On-Demand Webinar: Incident Response