The Domain Name System (DNS) is a centralised system used by organisations to translate domain names into IP addresses. It is an essential service: remembering IP addresses instead of names, or manually configuring every device in a larger network, would take far too much time. DNS-based security threats are among the most common cyber threats seen today, so DNS security should be an integral part of an organisation's security plan.
1- The DNS log records a common infrastructure service used by all protocols, so it contains information about every service used on the corporate network. For example, web traffic and e-mail traffic logs can only be obtained from a proxy server and an e-mail server respectively, whereas the DNS log holds data on both kinds of traffic. Analysing DNS logs therefore means covering the entire corporate network.
2- Malicious traffic involving domains that do not resolve to any IP address can be detected only through DNS log analysis. Examples of such domain types include:
a- Malware Domains: according to the Cyber X-Ray database, about 85% of malware domains were found to have no direct IP address. Without an IP address there are no HTTP requests to inspect, which makes DNS log analysis essential.
The screenshot below shows addresses that users attempted to access even though the domains had no IP address.
b- DGA Domains: these are domains generated by a particular algorithm seeded from the system clock. They are registered, and given an IP address, only when the zombie network is being commanded. The owner of the zombie army has two goals:
i. To prevent cyber security researchers from detecting command centre connection domains,
ii. To unlock the zombie army at predetermined times.
c- DNS Tunnelling: DLP products are unable to identify data theft via DNS tunnelling. The only way to hunt down DNS tunnelling data is to examine the DNS log.
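The three signals listed above (domains that never resolve, algorithmically generated names, and data carried in subdomain labels) can all be pulled out of a plain DNS query log. The following added example, which is not DNSSense's code and not from the original article, runs simple heuristics over a constructed log; the thresholds and the assumption that the registrable label is the second-level label are illustrative choices, not vendor logic.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the article): client IP, queried name, response code.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3jq9zv1p4m8w.net NXDOMAIN
10.0.0.7 q7b2n9x4lz8k1r.com NXDOMAIN
10.0.0.7 m2v8c4z7q1w9e3.org NXDOMAIN
10.0.0.9 mfrggzdfmztwq2lk.nbswy3dpeb3w64tmmq.tunnel.example.net NOERROR
10.0.0.9 gezdgnbvgy3tqojq.geydambqgaydambq.tunnel.example.net NOERROR
"""

def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (subdomain labels, registrable label).
    Assumption: a one-label public suffix, so no Public Suffix List lookup."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0]
    return labels[:-2], labels[-2]

def analyse(log_text, nx_threshold=3, entropy_threshold=3.5, tunnel_len=30):
    """Group findings by the three DNS-log signals discussed in the text."""
    nx_per_client = Counter()
    findings = {"dga_like": [], "tunnel_like": [], "nxdomain_burst": []}
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        subs, reg = split_name(qname)
        # DGA signal: a long, high-entropy registrable label
        if len(reg) >= 12 and shannon_entropy(reg) >= entropy_threshold:
            findings["dga_like"].append((client, qname))
        # Tunnelling signal: a large volume of encoded payload in subdomain labels
        if sum(len(s) for s in subs) >= tunnel_len:
            findings["tunnel_like"].append((client, qname))
    # Non-resolving domains: clients producing a burst of NXDOMAIN answers
    for client, count in nx_per_client.items():
        if count >= nx_threshold:
            findings["nxdomain_burst"].append((client, count))
    return findings

if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

On real logs these heuristics are a triage filter, not a verdict: benign CDN and telemetry names also produce long or high-entropy labels, so the hits are what an analyst would enrich and investigate next.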
1. Ensuring the overall integrity and availability of DNS services that resolve hostnames on the network to IP addresses.
2. Monitoring DNS activity to detect potential security problems anywhere on your network.
Effective monitoring of your network’s DNS traffic for suspicious anomalies is critical to early detection of a security breach. With a tool like DNSEye, you can keep an eye on all the important performance metrics of your network. With intelligent SIEM integration, you can set up alerts for a specific time period or as a result of a combination of abnormal activities. DNSSense’s artificial intelligence algorithms ensure a classification rate of over 99.5%. Based on this database, only information that needs to be investigated by SOC teams is sent to the SIEM solution. Thus, intelligent SIEM integration can save more than 95% of DNS log processing costs.