DNS Servers
Overview
Analyzing DNS server logs to detect DNS tunneling, suspicious domain resolutions, and other DNS-related security threats.
Sample products
- Infoblox DNS
- Microsoft DNS Server
- Cisco Umbrella DNS Security
- BIND
Use Case Categories
| Category | Description |
|---|---|
| Anomaly Detection and Threat Intelligence | Monitor DNS traffic for anomalous behavior and security threats using anomaly detection algorithms and threat intelligence feeds. Identify DNS-based attacks, such as DNS tunneling, DNS hijacking, or DNS amplification attacks, to detect and respond to security incidents in real time. |
| DNS Zone Transfer Monitoring | Monitor DNS zone transfer activity and zone transfer logs to ensure secure and authorized replication of DNS zone data between primary and secondary DNS servers. Detect unauthorized zone transfers, zone transfer failures, and DNS configuration errors to prevent DNS data leakage and DNS hijacking attacks. |
| DNS Traffic Analysis | Monitor DNS query logs and traffic patterns to analyze DNS query volume, query types, and DNS request sources. Identify abnormal DNS traffic patterns, such as DNS amplification attacks, DNS tunneling, or DNS-based malware infections, to detect and mitigate security threats. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Suspicious Domain Resolution | Monitor DNS server logs for resolution requests to suspicious or known malicious domains. |
| DNS Tunneling Detection | Monitor DNS server logs for signs of DNS tunneling, such as unusual query patterns or high-volume requests. |
| Domain Generation Algorithm (DGA) Detection | Monitor DNS server logs for signs of domain generation algorithms (DGAs) used by malware to generate random domain names. |
| Anomaly in DNS Zone Transfer Requests | Monitor DNS server logs for abnormal DNS zone transfer requests, such as requests from unauthorized or unexpected sources. |
| Unauthorized Zone Transfer Attempt Detection | Monitor DNS server logs for attempts to perform unauthorized DNS zone transfers. |
| Suspicious DNS Server Configuration Changes | Monitor DNS server configuration files for unauthorized modifications or changes. |
| Anomaly in DNS Response Behavior | Monitor DNS server logs for anomalies in DNS response behavior, such as unexpected response codes or unusual response times. |
| Anomaly in DNS Query Patterns | Monitor DNS server logs for abnormal patterns in DNS query traffic, such as unusual frequency or volume of queries. |
| DNS Beaconing Detection | Monitor DNS traffic for patterns consistent with beaconing behavior, where compromised endpoints attempt to communicate with command and control servers using DNS queries. |
| DNS Cache Poisoning Detection | Monitor DNS cache for signs of cache poisoning attacks where attackers inject fraudulent DNS records into the cache to redirect traffic. |
| DNS Data Exfiltration Detection | Identify and analyze DNS traffic patterns indicative of data exfiltration attempts using DNS tunnels or covert channels. |
MITRE ATT&CK
T1560, T1583, T1568, T1043, T1071, T1560, T1018, T1048, T1033, T1083, T1057, T1562, T1016, T1053