There are 79 million malware domains in the Cyber X-Ray database. Approximately 85% of these domains do not have an IP address. Below is an example of a malicious traffic report found in a passive state. Since these domains do not resolve to an IP address, they are recorded as 0.0.0.0. That is why infected machines that are constantly trying to reach their botnet C&C servers cannot be detected by security devices that work at Layer 7 (the application layer), such as firewalls, proxy devices, and IPSs.
It is our belief that DNS analytics of corporate networks makes it possible to perform security analysis of the entire network and to detect sophisticated attacks against it. We have made it our commitment to develop products that help you achieve this.
Certain malicious domains are only activated when they are about to be used to command a zombie army or botnet. While unused, these domains do not have an IP address, so they go undetected in protocols other than DNS. This malicious traffic often consists of command centre connection requests generated by infected zombie devices. Because these domains have no IP address, the malicious traffic goes unnoticed on devices such as IPSs and URL filtering solutions.
Another type of malicious activity that can only be seen with DNS log analysis is Domain Generation Algorithm (DGA) queries. DGA domains are generated on the fly by the infected machine according to the system clock. The domains are registered only when a command is about to be issued and the botnet C&C's IP address is entered for them. Following the same logic as a one-time password (OTP) in two-factor authentication (2FA), each domain is queried only a handful of times. This is done for two reasons:
1- To prevent the command centre connection domains from being detected by cyber security researchers.
2- To unlock the zombie army at predetermined times.
Some of the malicious activities described above can only be seen through DNS log analysis, because the infected clients are trying to connect to domains that do not have an IP address.
DNSSense DNSEye shows infected devices that are constantly trying to connect to the command center. These are suspicious activities and need to be analysed carefully by SOC teams.
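The two detections described above (clients repeatedly querying names that resolve to nothing, and DGA-looking query names) can both be pulled out of a plain resolver log. The script below is an added illustration written for this page; it is not DNSEye's code or the Cyber X-Ray data. The log format (`timestamp client qname qtype answer`), the sample lines, the client addresses, the query names and the thresholds (three distinct unresolved names per client, label length 10, entropy 3.0 bits) are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS resolver log (not from the page). One query per line:
# <timestamp> <client_ip> <qname> <qtype> <answer>. Unresolved queries are
# written as 0.0.0.0, as the page describes, or as NXDOMAIN.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A 93.184.216.34
2024-01-01T10:00:02 10.0.0.5 kq3x9zv7w1ab.net A 0.0.0.0
2024-01-01T10:00:03 10.0.0.5 p0l2m8rtqy5c.net A 0.0.0.0
2024-01-01T10:00:04 10.0.0.5 zx1v9c8b7n6m.net A 0.0.0.0
2024-01-01T10:00:05 10.0.0.7 mail.example.com A 93.184.216.35
2024-01-01T10:00:06 10.0.0.7 update-cdn.example.net A 0.0.0.0
2024-01-01T10:00:07 10.0.0.5 a1b2c3d4e5f6g7.org A 0.0.0.0
2024-01-01T10:00:08 10.0.0.9 typo-examle.com A NXDOMAIN
"""

UNRESOLVED = {"0.0.0.0", "NXDOMAIN"}
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse the log into dicts; malformed lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype, answer = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "answer": answer})
    return records


def is_unresolved(record):
    """A query whose answer is 0.0.0.0 or NXDOMAIN never produced a connection."""
    return record["answer"] in UNRESOLVED


def shannon_entropy(s):
    """Entropy in bits per character; 0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_dga(qname, min_len=10, min_entropy=3.0):
    """Heuristic for machine-generated names: a long, high-entropy leftmost label
    that contains digits or very few vowels. Thresholds are assumptions."""
    label = qname.split(".")[0]
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return has_digit or vowel_ratio < 0.25


def repeat_unresolved_clients(records, min_domains=3):
    """Clients that queried at least min_domains distinct names that resolved to nothing."""
    per_client = defaultdict(set)
    for r in records:
        if is_unresolved(r):
            per_client[r["client"]].add(r["qname"])
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= min_domains}


def analyse(text):
    """Run both detections over a log and return the findings for a SOC analyst."""
    records = parse_dns_log(text)
    return {
        "repeat_unresolved": repeat_unresolved_clients(records),
        "dga_like": sorted({r["qname"] for r in records if looks_dga(r["qname"])}),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client, domains in result["repeat_unresolved"].items():
        print(f"{client}: {len(domains)} distinct unresolved names -> {domains}")
    print("DGA-like names:", result["dga_like"])
```

On the constructed sample only 10.0.0.5 crosses the repeat threshold; 10.0.0.7 and 10.0.0.9 each have a single unresolved name, which the length and vowel checks also keep out of the DGA list (a human typo or a decommissioned CDN host looks nothing like `kq3x9zv7w1ab`). In production the thresholds should be tuned against the organisation's own baseline of NXDOMAIN noise before alerts are raised to the SOC.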