DNS Traffic Analysis - Make networks more secure

It's quite easy to overlook the Domain Name System (DNS) and the critical role it plays across the internet and in local intranets. This is largely because, despite our everyday reliance on DNS, it is basically transparent to users and it's taken for granted that it will just work. When an ordinary person opens a web browser and types in something like www.google.com, www.amazon.com, or any other website name and doesn't see the site, it's not unusual to hear something to the effect of "The Internet is broken! "Well…no, the Internet is rarely ever "broken", but it is quite possible that there is an issue with DNS. DNS is increasingly being recognised by security professionals as a potential threat vector for attacking a network as well. DNS was designed in a time where security on the internet wasn't even an afterthought…it was a non-existent thought; the only organisations using the internet at that time were implicitly trusted. DNS is prone to any number of notable exploits that have been leveraging its insecure but ubiquitous nature including redirection of DNS queries and cache poisoning (often to malicious sites), network footprinting (via leakage zone information and reverse queries), denials of service, and even data exfiltration.

DNS information is neither authenticated nor validated (excepting the instances where DNSSEC is employed), so the only way to ensure that DNS is functioning as intended in your organisation is firstly through careful configuration and hardening of your organisations DNS servers. Second, is through careful monitoring of the DNS traffic on the network. Careful monitoring, in turn, requires complete visibility into your network traffic and this is where Cubro Network Visibility can help. Using our comprehensive lineup of high-quality network TAPs (Test Access Points), an organisation will have unfettered access to all the traffic on its network. Cubro's Network Packet Brokers can gather this data for aggregation, replication, and filtering of traffic to monitoring systems and security tools; and that includes the ability to isolate and inspect DNS traffic.

Let's take a look at how analysis of DNS traffic can benefit an organisation.

The DNS is a complex distributed database on which most Internet services rely on. Its monitoring is critical, and it is necessary to continuously monitor DNS traffic for identifying anomalies, measuring performance, and generating usage statistics.
Such analysis of DNS traffic has a significant application within information security and computer forensics, primarily when identifying insider threats, malware, cyberweapons, and advanced persistent threat (APT) campaigns within computer networks.
While a primary driver for DNS Analytics is security, another motivation is understanding the traffic of a network so that it can be evaluated for improvements or optimisation. Leveraging DNS data to detect new Internet threats has been gaining in popularity in the past few years.

DNS has a huge impact on overall network performance. It is the Achille's heel of the web. It is often forgotten, and its impact on performance ignored until it breaks down. The typical problems related to this are:

Low-performance DNS server too many requests delayed answers
Low Time To Live in DNS cache

DNS traffic runs on UDP (or TCP) Port 53 and can be extracted by filtering on Port 53.

All Cubro Packetmasters allow filtering up to OSI Layer 4; all Cubro Sessionmasters allow filtering up to Layer 4 AND beyond! The devices only forward the required traffic to analysis tools and do not overload analysis tools.

Typical Application Scenario

Cubro Packetmaster and Sessionmaster products are the perfect choices to get access to DNS traffic - regardless if traffic is straight such as IPv4, IPv6 or encapsulated like VXLAN, GRE or GTP.

Thank you to Cubro for the article.