dns monitoring
DNS, or the Domain Name System, is often overlooked in network traffic monitoring. However, this seemingly simple service plays an important role in understanding and securing your network. Let's talk about how DNS fits into this crucial aspect of network management.
DNS is essentially like a phone book for the internet. It translates human-readable domain names (like google.com) into machine-readable IP addresses. Every time you visit a website, your device sends a DNS query to find the corresponding IP address, unless it already has a cached answer from a recent lookup.
types of DNS servers
Recursive server / resolver- finds the IP address for a domain name on behalf of the client. If it already has the answer cached it responds right away; otherwise it walks the hierarchy, starting with a root server, and caches the result for the record's TTL.
Root DNS server- the starting point for a DNS lookup. There are 13 root server addresses (a through m), each served by many anycast instances around the world. Root servers do not store a large amount of data; they refer the resolver to the name servers for the relevant top-level domain.
Top-level DNS servers- look after a top-level domain (TLD), the suffix of a domain name such as .org, .nz or .com, each of which has its own set of servers. The TLD servers in turn refer the resolver to the authoritative name servers for the specific domain, which hold the actual records. The number of TLDs keeps growing as the internet expands; .com was the most common TLD for years and is still the most common for businesses.
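The query described above is a small binary message, and the header flags in the reply tell you which kind of server answered it: RD (recursion desired) is set by the client asking a resolver to do the lookup, RA (recursion available) is set by a recursive resolver, and AA (authoritative answer) is set only by the domain's authoritative server. The following Python builds a query and parses a constructed response in RFC 1035 wire format. It is an added example, not code from the original page; it sends nothing on the network, and the 192.0.2.1 address and transaction ID 0x1234 are arbitrary constructed values.

```python
"""Build and parse DNS messages in wire format (RFC 1035).

Added example, not code from the original page. It uses only the standard
library and sends nothing: the "response" is constructed by hand so the
whole thing runs offline.
"""
from __future__ import annotations
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}

def encode_name(name: str) -> bytes:
    # "example.com" -> 07 'example' 03 'com' 00  (length-prefixed labels, zero terminator)
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str, txid: int = 0x1234, rd: bool = True) -> bytes:
    """12-byte header + one question. RD=1 is what a stub client sets when
    asking a recursive resolver to do the lookup on its behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN

def decode_name(msg: bytes, off: int) -> tuple[str, int]:
    """Read a name at msg[off], following compression pointers (top two bits 11).
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer to an earlier copy of the name
            hops += 1
            if hops > 16:                    # guard against pointer loops in hostile packets
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def parse_message(msg: bytes) -> dict:
    """Header flags say who answered: RD is the client's request to recurse,
    RA means a recursive resolver answered, AA means the authoritative server did."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
        "questions": [], "answers": [],
    }
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["questions"].append((name, qtype))
    for _ in range(an):                      # only the answer section is decoded here
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        info["answers"].append((name, rtype, ttl, value))
    return info

def build_response(query: bytes, ip: str, ttl: int = 300, aa: bool = False) -> bytes:
    """Constructed reply to `query`: same ID, QR=1, RA=1, the question echoed,
    and one A record whose name is a compression pointer (0xC00C) to offset 12."""
    txid, qflags, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | (0x0400 if aa else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("example.com", "A")
    print(parse_message(q))
    print(parse_message(build_response(q, "192.0.2.1")))
```

The pointer-hop guard in decode_name is the kind of check a monitoring tool that parses raw DNS needs: a response whose compression pointer points at itself would otherwise spin the parser forever.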
what is nat (network address translation)?
Network address translation maps one IP address to another. It lets a single public IP address be shared by many devices on a private network: the router rewrites the private source address of each outgoing packet to its own public address (usually with a unique source port), records the mapping in a translation table, and reverses it on the reply. Public-facing applications are normally hosted behind NAT too, with the router forwarding inbound traffic on selected ports to the internal host.
The two mechanisms are complementary: DNS resolves domain names to public IP addresses so your device knows where to send traffic, while NAT translates the private address of your device to the network's public address so that traffic can cross the internet and find its way back.
dns attacks
DNS spoofing- also known as DNS cache poisoning. Forged records are injected into a resolver's cache, or into the path between client and resolver, so that a domain name resolves to an attacker-chosen address and web traffic is redirected to phishing or look-alike websites. There the user can be tricked into entering credentials or downloading malware.
DNS hijacking- similar in effect to spoofing, but achieved by changing which resolver a device uses (malware, a rogue DHCP server, a compromised router) or by altering the domain's records at the registrar or authoritative server, so that lookups are answered by, or point to, servers under the attacker's control. Again the user can be tricked into giving up PII (personally identifiable information) or credentials.
DNS tunneling- data from other applications or protocols is encoded into the structure of DNS queries and responses: outbound data travels in the subdomain labels of queries, inbound data in the responses (TXT, CNAME or NULL records, for example) from a name server the attacker controls. This can carry C2 (command and control) traffic, exfiltrated data or malicious payloads. It works because DNS is almost always allowed out through firewalls and is rarely inspected beyond the query name.
DNS amplification- a form of DDoS attack. The attacker sends small queries whose source IP address is forged to be the victim's, typically to open resolvers and for record types with large responses (ANY, TXT, DNSKEY). The servers send their much larger responses to the victim, so the victim's link is flooded with traffic it never asked for. The DNS servers here are reflectors; the target is whoever's address was forged.
DNS flood- another type of DDoS attack on DNS, this time aimed at the DNS server itself. The attacker, usually from a botnet, sends queries at a very high rate (often for random non-existent subdomains, so that caching cannot absorb them) until the server can no longer answer legitimate requests. The main difference is the target: a flood overwhelms the DNS server directly, while amplification uses DNS servers to overwhelm a third party.
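Each of the three traffic-based attacks above leaves a recognisable pattern in a resolver's query log: tunneling shows as many distinct, long, high-entropy leftmost labels under one domain from one client; amplification abuse shows, on the server being used as a reflector, as repeated queries from one "client" (the spoofed victim) whose answers dwarf the question; a random-subdomain flood shows as a burst of NXDOMAIN answers for one zone from many sources. The Python below runs those three heuristics over a constructed log. It is an added example, not code from the original page; the log format, the sample lines, the domains (all under example.com/.net/.org and RFC 5737 test addresses) and the thresholds are all assumptions to be tuned against your own resolver's logs.

```python
"""Heuristic detection of tunneling, reflection abuse and NXDOMAIN floods
in DNS query logs.

Added example, not code from the original page. The log format and every
line in SAMPLE_LOG are constructed for this example; adapt parse_line() to
your own resolver's log (BIND querylog, Unbound, Windows DNS analytic log).
"""
import math
from collections import defaultdict

# Constructed format: <epoch> <client_ip> <qname> <qtype> <rcode> <response_bytes>
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR 60
1700000000 10.0.0.5 mail.example.com MX NOERROR 98
1700000001 10.0.0.9 4f2a9c1e7b3d0a8f5e6c2b1a9d8e7f6c.t.example.net TXT NOERROR 230
1700000001 10.0.0.9 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d.t.example.net TXT NOERROR 228
1700000002 10.0.0.9 91ab2c3d4e5f6a7b8c9d0e1f2a3b4c5d.t.example.net TXT NOERROR 231
1700000002 10.0.0.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.example.net TXT NOERROR 229
1700000003 203.0.113.7 example.org ANY NOERROR 3300
1700000003 203.0.113.7 example.org ANY NOERROR 3300
1700000003 203.0.113.7 example.org ANY NOERROR 3300
1700000004 198.51.100.2 q8k3j.example.com A NXDOMAIN 100
1700000004 198.51.100.3 lp0z9.example.com A NXDOMAIN 100
1700000004 198.51.100.4 mmq2w.example.com A NXDOMAIN 100
1700000004 198.51.100.5 ab77c.example.com A NXDOMAIN 100
"""

def parse_line(line: str) -> dict:
    ts, client, qname, qtype, rcode, size = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype.upper(), "rcode": rcode.upper(), "size": int(size)}

def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def base_domain(qname: str) -> str:
    # Crude "registered domain": the last two labels. Use a public-suffix list in production.
    return ".".join(qname.split(".")[-2:])

def shannon_entropy(s: str) -> float:
    n = len(s)
    counts = (s.count(ch) for ch in set(s))
    return -sum((c / n) * math.log2(c / n) for c in counts) if n else 0.0

def detect_tunneling(records, min_unique=3, min_label_len=20, min_entropy=3.5):
    """Tunnels carry data in the leftmost label: many distinct, long,
    high-entropy labels under one domain from one client is the signature."""
    labels = defaultdict(set)
    for r in records:
        parts = r["qname"].split(".")
        if len(parts) > 2:
            labels[(r["client"], base_domain(r["qname"]))].add(parts[0])
    hits = []
    for key, labs in labels.items():
        odd = [l for l in labs if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if len(odd) >= min_unique:
            hits.append(key)
    return sorted(hits)

def query_size(qname: str) -> int:
    # 12-byte header + name (label bytes + length octets + root) + QTYPE/QCLASS
    return 12 + len(qname) + 2 + 4

def amplification_factor(r: dict) -> float:
    return r["size"] / query_size(r["qname"])

def detect_reflection(records, min_count=3, min_factor=10.0):
    """As seen on the resolver/authoritative server being abused as a reflector:
    repeated queries from one 'client' (the spoofed victim) with outsized answers."""
    counts = defaultdict(int)
    for r in records:
        if r["qtype"] == "ANY" or amplification_factor(r) >= min_factor:
            counts[(r["client"], r["qname"])] += 1
    return sorted(k for k, n in counts.items() if n >= min_count)

def detect_nxdomain_flood(records, min_count=4) -> dict:
    """Random-subdomain floods: bursts of NXDOMAIN for one zone from many sources.
    Returns {zone: (nxdomain_count, distinct_clients)} for zones over the threshold."""
    per_zone = defaultdict(lambda: [0, set()])
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            zone = per_zone[base_domain(r["qname"])]
            zone[0] += 1
            zone[1].add(r["client"])
    return {z: (n, len(clients)) for z, (n, clients) in per_zone.items() if n >= min_count}

def report(text: str) -> dict:
    records = parse_log(text)
    return {"tunneling": detect_tunneling(records),
            "reflection": detect_reflection(records),
            "nxdomain_flood": detect_nxdomain_flood(records)}

if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The thresholds are deliberately low so the constructed log trips them; on real traffic, raise them and add a time window, or CDN and anti-virus lookups (which also use long, random-looking labels) will generate noise.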
why is DNS important for network traffic monitoring?
We can use DNS queries to understand user behaviour: by analysing the queries leaving the network we can identify which sites users are visiting and which devices are talking to unknown or newly registered domains. To monitor a network effectively you should focus on looking at:
IP addresses- check that the addresses your own domains resolve to match the addresses you actually host on, and that the same name does not resolve differently from different resolvers. A mismatch is an early sign of poisoning or hijacking.
SOA records- (start of authority) the SOA record names the primary name server for the zone and carries the administrator contact, the refresh and retry timers, and a serial number that is incremented whenever the zone changes. A serial change you did not make means someone else edited your zone.
MX and SRV records- MX records specify the mail servers responsible for handling email for a domain; SRV records specify the host and port for a particular service (for example _sip._tcp). An unexpected change to either redirects mail or service traffic through an attacker's server.
NS records and root servers- NS (name server) records point to the authoritative name servers for a domain; root servers were described earlier.
Why monitor these specifically? Each of them is something an attacker has to change to take over or redirect your domain, so watching them warns you of a compromise early, and when an attack does happen you can respond with a clear picture of what was altered.
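The record checks above come down to comparing a trusted baseline of the zone with a fresh snapshot and reporting what moved. The Python below does that for the A, SOA, NS, MX and SRV records discussed. It is an added example, not code from the original page; the example.com zone in BASELINE, the rogue name server ns-rogue.example.net, the 198.51.100.77 address and the snapshot_with() helper are all constructed for the example, and in practice the observed snapshot would be filled from dig output or a DNS library, ideally from several resolvers.

```python
"""Watch your own zone's critical records for unexpected change.

Added example, not code from the original page. BASELINE and the observed
snapshot are constructed; in practice populate them from dig / a DNS
library, query several resolvers, and run the comparison on a schedule.
"""

# Constructed baseline: what the zone is supposed to look like.
BASELINE = {
    "SOA": {"mname": "ns1.example.com", "serial": 2024010101},
    "NS": {"ns1.example.com", "ns2.example.com"},
    "MX": {(10, "mail.example.com")},
    "A": {"www.example.com": {"192.0.2.10"}, "mail.example.com": {"192.0.2.20"}},
    "SRV": {"_sip._tcp.example.com": {(10, 60, 5060, "sip.example.com")}},
}

def diff_zone(baseline: dict, observed: dict) -> list:
    """Return (severity, message) findings, most severe first."""
    findings = []
    b_soa, o_soa = baseline["SOA"], observed["SOA"]
    if o_soa["mname"] != b_soa["mname"]:
        findings.append(("high", f"SOA primary changed: {b_soa['mname']} -> {o_soa['mname']}"))
    if o_soa["serial"] != b_soa["serial"]:
        findings.append(("medium", f"SOA serial changed: {b_soa['serial']} -> {o_soa['serial']} "
                                   "(expected after your own edit, otherwise someone else changed the zone)"))
    for rtype in ("NS", "MX"):            # set comparison: any add or remove is a finding
        added = observed[rtype] - baseline[rtype]
        removed = baseline[rtype] - observed[rtype]
        if added or removed:
            findings.append(("high", f"{rtype} set changed: added {sorted(added)}, removed {sorted(removed)}"))
    for host, expected in baseline["A"].items():
        seen = observed["A"].get(host, set())
        if seen != expected:
            findings.append(("high", f"A mismatch for {host}: expected {sorted(expected)}, saw {sorted(seen)}"))
    for svc, expected in baseline["SRV"].items():
        seen = observed["SRV"].get(svc, set())
        if seen != expected:
            findings.append(("high", f"SRV changed for {svc}: expected {sorted(expected)}, saw {sorted(seen)}"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])

def snapshot_with(**changes) -> dict:
    """Constructed 'observed' snapshot: a copy of BASELINE with the given keys replaced."""
    obs = {k: (dict(v) if isinstance(v, dict) else set(v)) for k, v in BASELINE.items()}
    obs.update(changes)
    return obs

if __name__ == "__main__":
    # Constructed hijack scenario: a rogue NS added, mail re-pointed, serial bumped.
    hijacked = snapshot_with(
        SOA={"mname": "ns1.example.com", "serial": 2024010102},
        NS={"ns1.example.com", "ns2.example.com", "ns-rogue.example.net"},
        A={"www.example.com": {"192.0.2.10"}, "mail.example.com": {"198.51.100.77"}},
    )
    for severity, message in diff_zone(BASELINE, hijacked):
        print(severity.upper(), message)
```

The serial change is reported at a lower severity on purpose: it is normal after your own zone edit, so the useful alert is a serial change that does not line up with a change ticket.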
recon with DNS monitoring
One of the easiest ways to look up the records for a domain is the Dig tool in Google's Admin Toolbox, a web front end to the same lookups the command-line 'dig' utility performs:
Dig (DNS lookup) (googleapps.com)
The 'dig' command itself (part of the BIND utilities) is available on Linux and macOS, for example 'dig example.com MX', or 'dig @8.8.8.8 example.com A' to ask a specific resolver and compare its answer with your own. We can also use the 'whois' tool in Linux to find a domain's registrar, registration and expiry dates, and name servers.