DNS Blind Spot

A recent DarkReading article discussed the subject of the DNS "blind spot". That is a topic that has always interested me, and I would like to discuss further in this post. The DarkReading article, for reference, can be found here: http://www.darkreading.com/analytics/attacks-rise-on-network-blind-spot/d/d-id/1141552?

Essentially, as the article discusses, DNS is often an under-monitored or a completely unmonitored application protocol within an organization. As such, it's not surprising that attackers leverage it for command and control, data exfiltration, and other purposes. Attackers are always looking for ways to persist/not to get caught, and unmonitored application protocols provide them a great way to do that. I have worked with malicious code that uses DNS to move binary files in and out of a network. The malware accomplished this through a series of Base64 encoded strings that were sent via DNS TXT records. Pretty scary stuff.

There are a number of angles one could take on this subject, but I would like to share a few reasons, in my experience, why organizations struggle with monitoring DNS. These reasons include:

• Logging challenges: Some DNS implementations do not support logging very well. For example, some implementations log DNS requests, but not their corresponding responses. Others may log both requests and responses, but may not "match up" requests with their corresponding responses. Yet others may not support logging at all. All of these situations present challenges to an organization, as it leaves the organization with an incomplete or non-existent data set that is extremely difficult to monitor from a security operations perspective.
• Decentralized implementation: Many organizations have a diverse, scattered DNS implementation. In these organizations, end users are not forced through a centralized DNS infrastructure. Before the organization can even entertain a discussion on monitoring DNS, that organization needs to identify and collect logs from all of the various DNS servers. This can quickly become an overwhelming challenge that usually results in DNS remaining unmonitored.
• Retention issues: DNS is an integral part of network communication, and thus, DNS logs can be quite voluminous. Often, this results in an organization making the decision not to collect DNS logs, even though they provide high value to security operations when implemented properly.
• Lack of awareness: Some people are simply not aware of the risk that unmonitored DNS presents and the value to security operations that monitoring DNS presents. Without this awareness, organizations are missing the initial "spark" necessary to infuse their security operations program with DNS monitoring.

These challenges may seem overwhelming, but there are some ways an organization can work around them. One way forward is a way that I have discussed previously on this blog, namely, the philosophy of collecting fewer, more generalized data sources of higher value to security operations. For example, a network forensics solution can bring us all the DNS logging we need, along with logging of a number of other application protocols we are likely interested in. This presents a centralized, easier to manage approach to monitoring DNS logs and eliminating that DNS blind spot. Whatever the solution, eliminating the DNS blind spot is critical.