DNS mitigations
Threat | Mitigation |
---|---|
Cache Poisoning | DNSSEC, DNS query logging |
Unauthorized DNS Servers | Firewall whitelisting, NAC |
Malicious Domains | pDNS, Threat Intelligence Feeds |
DNS Exploits | IDS/IPS rules (Snort/Suricata) |
Rogue DNS Servers | Network scanning (nmap), Firewall blocking |
DNS Server audit trails & logging
Enable detailed DNS query logging on all resolvers (like BIND, Unbound, Windows DNS).
Example (BIND named.conf):
logging {
channel query_log {
file "/var/log/named/queries.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
category queries { query_log; };
};
Monitor logs for anomalies (e.g., unexpected domains, unusual query volumes).
Use tools like dnstop or dnsmon for real-time DNS traffic analysis.
Whitelist valid DNS servers
Create a firewall whitelist of allowed DNS resolvers (like internal DNS + trusted public DNS like 1.1.1.1, 8.8.8.8).
Examples (Linux iptables):
iptables -A OUTPUT -p udp --dport 53 -j DROP # Block all outgoing DNS
iptables -A OUTPUT -p udp --dport 53 -d 1.1.1.1 -j ACCEPT # Allow Cloudflare
iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT # Allow Google
Use NAC (Network Access Control) to enforce DNS server restrictions.
DNSSEC (DNS security extensions)
Prevents cache poisoning by cryptographically signing DNS records.
Enable DNSSEC on your resolver:
BIND (named.conf):
options {
dnssec-validation auto;
};
Unbound (unbound.conf):
server:
module-config: "validator iterator"
Verify DNSSEC validation:
dig +dnssec example.com
Block malicious DNS exploits
Firewall rules to block known malicious DNS patterns (like DNSChanger, OSX/MaMi).
Example (Suricata IDS rule):
alert dns any any -> any any (msg:"DNS Exploit Attempt"; content:"|6d 61 6d 69|"; nocase; sid:1000001; rev:1;)
Use threat intelligence feeds like AlienVault OTX, Cisco Talos, to block malicious domains.
Monitor & detect suspicious DNS activity
Traffic Analyzer Scripts like Python + dpkt):
import dpkt, socket
def analyze_dns(pcap):
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
if isinstance(eth.data, dpkt.ip.IP):
ip = eth.data
if isinstance(ip.data, dpkt.udp.UDP):
udp = ip.data
if udp.dport == 53: # DNS queries
dns = dpkt.dns.DNS(udp.data)
print(f"Query: {dns.qd[0].name}")
Passive DNS Replication (pDNS)
Use tools like dnstap or passivedns to log historical DNS data.
Helps track newly registered malicious domains.
Intrusion Detection Systems (IDS) for DNS
Snort/Suricata rules for DNS anomalies:
alert udp any any -> any 53 (msg:"Suspicious DNS Query"; content:"|00 01 00 00|"; depth:4; sid:1000002;)
Zeek (Bro) DNS monitoring:
zeek -i eth0 -C dns.log
Logs all DNS queries for later analysis.