DNS logging is the process of gathering detailed data on DNS traffic (all DNS information that is sent and received by the DNS server), usually to help network administrators resolve DNS errors or, especially in cybersecurity, to identify and mitigate threat actors’ attempts to attack the DNS infrastructure.
In this article, we will have a closer look at DNS logging, how it works, ways to enable it, and why it plays such an important role in today’s cybersecurity landscape.
Read on to learn more about:
- The purpose of DNS logging
- What a DNS log is and what kind of data it stores
- How DNS logging can help identify DNS attacks
- How to enable DNS logging
- Leveling up your DNS security
What’s the purpose of DNS logging?
DNS logging is fundamental to network security monitoring because it helps discover DNS attacks in real time, so they can be blocked before they get the chance to endanger your systems.
Every time you visit a new website or send an email, your computer sends a DNS request and goes through what is called DNS resolution (the process of translating a domain name into an IP address).
DNS logging can help you monitor the data exchanged during the resolution and spot threats such as malicious URLs, emails from known phishing domains, malicious command-and-control (C2) domains, or typosquatting domains.
What is a DNS log?
The DNS log is a file, usually in .txt format, that contains highly detailed data on all DNS information sent and received by the DNS server.
What kind of data could DNS logs show?
- Queried domain name. With this information, network administrators can check whether the domain name in a request matches one on a list of known malware domains. Unusual domain names or repetitive lookups could signal the presence of malware.
- IP Addresses. On a local network, administrators can use source addresses to detect devices that may have been compromised, and on the public Internet, they can use them to identify threat actors.
- Record requested. Even the type of record requested can be a sign of malicious activity. TXT records, in particular, are frequently used for command-and-control (C2) traffic as well as for DNS tunneling.
- Request flags. A DNS message carries numerous status flags, for example whether it is a request or a response, whether the query is recursive, the DNSSEC status, and so on.
What are 3 common types of DNS attacks that can be identified using DNS logging?
DNS hijacking
During a DNS hijacking attack, the attacker manipulates a query’s resolution, maliciously redirecting it to a server under their control.
This allows hackers to deceive unsuspecting users into visiting a compromised website, which could lead to credential theft, pharming, malware deployment, or even a hacked version of the website being served (defacement).
DNS tunneling
When employed maliciously, DNS tunneling is a method of attack in which data is passed through DNS queries.
Cybercriminals use this technique to spoof content and evade filtering or firewall detection, as well as to stealthily send data via networks that would normally restrict such traffic.
DoS attacks
DNS servers can be attacked by a variety of distinct DoS attacks, the most common of which are the NXDOMAIN, Phantom Domain, and Domain Lock-Up attacks. Hackers’ ultimate goal in each of these instances is to overload the target server to the point where it can no longer process legitimate requests.
How can you enable DNS logging?
One way to enable DNS logging would be via your operating system – the ‘Enhanced DNS logging and diagnostics’ feature is available by default beginning with Windows Server 2016. There are three types of Windows DNS logging:
- Audit DNS logging: DNS audit logs are enabled by default and do not noticeably affect DNS server performance. They are written to the Microsoft-Windows-DNS-Server/Audit log in the Windows Event Log.
- Analytical DNS logging: high-performance logging of every DNS transaction, provided through the Event Tracing for Windows (ETW) facility; the events come from the Microsoft-Windows-DNS Server provider. DNS server performance should not be affected unless query volumes are very high. For more details, see DNS Logging and Diagnostics on Microsoft.
- Debug logging: on Windows DNS Server versions before Windows Server 2012 R2, or on 2012 R2 without update 2956577, debug logging can be enabled to record DNS queries and replies to a log file. This type of logging can affect DNS server performance and is meant to be used only temporarily; it is, however, the only way to gather DNS transaction data from Windows DNS Server when analytical logging is not supported.
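Added example (not the article's or Heimdal's code): a Python parser and triage pass over debug-log lines. It pulls out the fields discussed earlier (client address, record type, queried name, response code) and flags, per client address, the two patterns from the attack section: tunneling-style TXT or long-label queries and NXDOMAIN floods. The sample lines are constructed, the line layout is an assumption modelled on the Windows DNS Server debug log, and the thresholds are illustrative.

```python
import re
from collections import Counter

# Constructed sample (assumed layout of Windows DNS Server debug-log packet lines):
# date time thread PACKET pkt-id proto Snd|Rcv client xid [R] opcode [flags chars rcode] qtype qname
SAMPLE_LOG = """\
7/27/2023 10:15:22 AM 0A1C PACKET  000000A2B3C4D5E0 UDP Rcv 10.0.0.5        0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
7/27/2023 10:15:22 AM 0A1C PACKET  000000A2B3C4D5E0 UDP Snd 10.0.0.5        0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
7/27/2023 10:15:23 AM 0A1C PACKET  000000A2B3C4D5E1 UDP Rcv 10.0.0.77       1a2b   Q [0001   D   NOERROR] TXT    (32)MFRGGZDFMZTWQ2LKNNWW2ZLTOQQHA2LO(6)tun-c2(3)net(0)
7/27/2023 10:15:23 AM 0A1C PACKET  000000A2B3C4D5E2 UDP Rcv 10.0.0.77       1a2c   Q [0001   D   NOERROR] TXT    (32)KRUGS4ZANFZSAYJAONSWG33OMQQGG2DV(6)tun-c2(3)net(0)
7/27/2023 10:15:24 AM 0A1C PACKET  000000A2B3C4D5E3 UDP Rcv 10.0.0.77       1a2d   Q [0001   D   NOERROR] TXT    (32)ORUGS4TEEBRWQ5LONMQG6ZRAMRQXIYJA(6)tun-c2(3)net(0)
7/27/2023 10:15:25 AM 0A1C PACKET  000000A2B3C4D5E4 UDP Snd 10.0.0.9        0007 R Q [8385 A DR  NXDOMAIN] A      (6)zq1x9k(7)example(3)com(0)
7/27/2023 10:15:25 AM 0A1C PACKET  000000A2B3C4D5E5 UDP Snd 10.0.0.9        0008 R Q [8385 A DR  NXDOMAIN] A      (6)p0v3mm(7)example(3)com(0)
7/27/2023 10:15:25 AM 0A1C PACKET  000000A2B3C4D5E6 UDP Snd 10.0.0.9        0009 R Q [8385 A DR  NXDOMAIN] A      (6)ht7yy2(7)example(3)com(0)
"""

LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4}) "
    r"(?P<resp>R| ) (?P<op>[QNU?]) \[(?P<flags>[0-9A-Fa-f]{4})(?P<rest>[^\]]*)\]"
    r"\s+(?P<qtype>\w+)\s+(?P<qname>\S+)")

def parse(log_text):
    """Turn packet lines into dicts with the fields DNS logs expose; skip headers/blank lines."""
    recs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # "(3)www(7)example(3)com(0)" -> "www.example.com"
        name = re.sub(r"\(\d+\)", ".", m["qname"]).strip(".").lower()
        recs.append({"ip": m["ip"], "response": m["resp"] == "R", "qtype": m["qtype"],
                     "rcode": m["rest"].split()[-1], "name": name})
    return recs

def find_suspects(recs, label_len=30, min_hits=3):
    """Per client IP: tunneling-style queries (TXT or very long leftmost label) and NXDOMAIN replies."""
    tunnel, nxdomain = Counter(), Counter()
    for r in recs:
        first_label = r["name"].split(".")[0]
        if not r["response"] and (r["qtype"] == "TXT" or len(first_label) >= label_len):
            tunnel[r["ip"]] += 1          # encoded payload riding in the query name
        if r["response"] and r["rcode"] == "NXDOMAIN":
            nxdomain[r["ip"]] += 1        # many "no such name" replies to one client
    return {"tunneling": {ip: n for ip, n in tunnel.items() if n >= min_hits},
            "nxdomain_flood": {ip: n for ip, n in nxdomain.items() if n >= min_hits}}

if __name__ == "__main__":
    print(find_suspects(parse(SAMPLE_LOG)))
```

Feed parse() the contents of the debug log file in place of SAMPLE_LOG; any line that is not a packet record is skipped, and the thresholds should be tuned to the query volume of the server being monitored.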
Another way to enable DNS logging would be, of course, to rely on expert help. You can choose a professional solution, tailored to your needs, that helps you or your company stay safe against DNS attacks, using DNS logging among other top-of-the-line threat-hunting tools.
How Can Heimdal® Help?
As I mentioned above, you can always trust the experts at Heimdal when it comes to keeping you or your company protected against cybersecurity threats.
Heimdal DNS security is a revolutionary solution that integrates cybercrime intelligence, machine learning, and AI-based prevention to predict and prevent future threats with remarkable accuracy (96%).
Heimdal® DNS Security – Endpoint is built on the DarkLayer Guard engine, the world’s most advanced endpoint DNS threat hunting tool, and has Threat to Process Correlation technology, that enables you to identify processes, users, URLs, and attacker origins used to enter your network.
The DarkLayer Guard Engine works in tandem with VectorN Detection AI-based traffic pattern recognition engine to provide HIPS/HIDS and IOA/IOC capabilities as well as detect hidden malware independent of code and signatures.
Heimdal® DNS Security Solution
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
Wrapping up
DNS logging is a great network security monitoring practice if you want to keep a close eye on your DNS traffic. DNS activity and logs are great places to look if you’re an IT professional searching for unusual traffic patterns that could reveal potential indicators of compromise. Logs hold vital information that can keep you protected against DNS attacks, so be wise and monitor them regularly!