The Domain Name System (DNS) is a centralized system used by organizations of all kinds to translate domain names into IP addresses. It is an essential service: remembering IP addresses instead of URLs, or manually configuring every device in a larger network, would take far too much time. DNS-based threats are among the most common cyber threats seen today, so DNS security should be an integral part of an organization's security plan.
1- DNS is a common infrastructure service used by every protocol, so the DNS log records traces of every service used on the corporate network. For example, web traffic is logged only on the proxy server and e-mail traffic only on the e-mail server, but the DNS log contains data about both. Processing the DNS log therefore means covering the entire corporate network.
2- Malicious traffic to domains that have no IP address can be detected only through the DNS log. Examples of such domains include:
a- According to Cyber X-Ray data, about 85% of malware domains do not have a direct IP address. With no IP address there is no HTTP request, and with no HTTP request there is no proxy or web log; the only record of the lookup attempt is in the DNS log, so the DNS log is the only place it can be analyzed.
The screenshot below shows the addresses that users try to access even though there is no IP address.
b- DGA domain: these are domains generated by a special algorithm (a domain generation algorithm) that depends on the system clock. They are registered, and thus given an IP address, only at the moment the zombie network is to be commanded. The owner of the zombie army has two goals:
· Prevent the command-and-control domains from being discovered by security researchers
· Activate the zombie army on a timed basis.
c- DNS tunnelling: data theft over a DNS tunnel cannot be detected by DLP products; it can only be detected by analyzing the DNS log.
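As an added illustration (not code from the original article or from Roksit), the three cases above expressed as simple detection rules run over a constructed DNS log; the log format, the entropy and length thresholds, and the sample names are assumptions made for this example:

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log, assumed format: "client query_name query_type response_code".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 wwww.example.com A NXDOMAIN
10.0.0.5 _dmarc.example.com TXT NOERROR
10.0.0.7 xk3qz9v1lpw8.net A NXDOMAIN
10.0.0.7 q8w2e7r1t5y9.net A NXDOMAIN
10.0.0.7 p0o9i8u7y6t5.net A NXDOMAIN
10.0.0.9 c7f2a9e4b1d6038f5a2c7e9b4d1f6a30.tun.example.org TXT NOERROR
10.0.0.9 e91b4d7f0a3c6258fb1e9a4c7d06e3b5.tun.example.org TXT NOERROR
10.0.0.9 3b8d1f6a0c5e2947d3f8b1a6c0e5d29f.tun.example.org TXT NOERROR
"""

def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(log):
    """Yield (client, name, qtype, rcode) tuples from the assumed log format."""
    for line in log.splitlines():
        client, name, qtype, rcode = line.split()
        yield client, name.lower().rstrip("."), qtype, rcode

def analyze(log, nx_threshold=3, tunnel_threshold=3):
    """Apply the three DNS-log checks; thresholds are illustrative, not tuned."""
    nx, tunnel, dga = Counter(), Counter(), defaultdict(list)
    for client, name, qtype, rcode in parse(log):
        labels = name.split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        longest = max(labels, key=len)
        if rcode == "NXDOMAIN":
            # (a) names with no IP address: the lookup attempt exists only in the DNS log
            nx[client] += 1
            # (b) DGA heuristic: long, high-entropy second-level label that did not resolve
            if len(sld) >= 10 and entropy(sld) > 3.0:
                dga[client].append(name)
        # (c) tunnelling heuristic: TXT queries carrying long, high-entropy labels
        if qtype == "TXT" and len(longest) >= 30 and entropy(longest) > 3.0:
            tunnel[client] += 1
    return {
        "no_ip": {c: n for c, n in nx.items() if n >= nx_threshold},
        "dga": dict(dga),
        "tunnel": {c: n for c, n in tunnel.items() if n >= tunnel_threshold},
    }
```

Calling analyze(SAMPLE_LOG) flags 10.0.0.7 for repeated non-resolving, DGA-like names and 10.0.0.9 for tunnel-like TXT queries, while the single typo and the legitimate _dmarc lookup from 10.0.0.5 stay below threshold.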
1. Ensuring the overall integrity and availability of DNS services that resolve hostnames on the network to IP addresses.
2. Monitoring DNS activity to detect potential security problems anywhere on your network.
Effectively monitoring DNS traffic on your network for suspicious anomalies is critical to early detection of a security breach. With a tool like Roksit Visibility, you can keep an eye on all the important metrics. With intelligent SIEM integration, you can set up alerts for a specific time period or for a combination of abnormal actions. Roksit's artificial intelligence algorithms ensure a classification rate of over 99.5%. Based on this database, only the data that needs to be investigated by SOC teams is sent to the SIEM. Intelligent SIEM integration can thus save more than 95% of DNS log processing costs.