DNS Requests, Traffic, and Analysis Explained with Real-World Examples

The Domain Name System (DNS) is often referred to as the “phonebook of the internet.” It translates human-readable domain names, like www.example.com, into IP addresses that computers use to identify each other on the network. Understanding how DNS requests work, analyzing DNS traffic, and detecting abnormalities can reveal crucial insights into network activity and help secure an organization’s infrastructure. In this article, we will dive into DNS requests, traffic analysis, and practical real-world examples to illustrate these concepts.

What is DNS and How Does It Work?

DNS is a decentralized system that enables users to access websites and services on the internet without memorizing numerical IP addresses. It follows a hierarchical structure of domain name resolution:

  1. DNS Query Initiation: When a user types a domain name (e.g., example.com) in a browser, the request is first sent to a DNS resolver, typically provided by an Internet Service Provider (ISP).
  2. Resolver Checks Cache: The resolver checks its cache for the requested IP address. If it’s not found, the resolver sends the query to other DNS servers.
  3. Recursive Query to Root Server: If necessary, the resolver queries a root DNS server, which directs the resolver to the appropriate top-level domain (TLD) server (e.g., .com, .net).
  4. TLD Server Query: The resolver then contacts the TLD server, which responds with the address of the authoritative DNS server for the domain.
  5. Authoritative DNS Server: Finally, the authoritative DNS server returns the IP address corresponding to the domain name. The resolver caches this address and sends it back to the user’s device, allowing the browser to connect to the website. This process is seamless and happens within milliseconds.

 

DNS Traffic: What is It?

DNS traffic refers to the data generated by DNS queries and responses as they traverse the network. DNS traffic usually takes the form of either UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) packets.

  • UDP: The majority of DNS queries use UDP due to its lightweight nature, as it doesn’t require a connection setup and is faster for most simple queries.
  • TCP: DNS queries larger than 512 bytes or involving more complex transactions use TCP, which ensures data delivery through acknowledgement and retransmission.

The Importance of DNS Traffic Analysis

DNS traffic analysis plays a vital role in cybersecurity. By analyzing DNS traffic, security professionals can:

  1. Identify Malware Activity: DNS is often leveraged by malware to communicate with Command-and-Control (C2) servers. Monitoring DNS requests can reveal compromised hosts attempting to contact these servers.
  2. Detect Data Exfiltration: Malicious actors can use DNS tunnelling to exfiltrate sensitive data, bypassing network defences. DNS tunnelling encodes data within DNS requests, making it harder to detect without careful analysis.
  3. Spot DDoS Attacks: Attackers may flood DNS servers with a high volume of requests, overwhelming them in Distributed Denial of Service (DDoS) attacks. By analyzing traffic spikes, network defenders can mitigate these attacks.
  4. Optimize Performance: DNS traffic analysis can reveal latency issues and improve the speed of domain resolution, leading to better user experience and more efficient network management.

Real-World Example 1: DNS Tunneling Detection

DNS tunnelling is a technique used by attackers to tunnel non-DNS traffic through DNS, allowing data transfer between a victim’s machine and a malicious server. This type of attack can bypass firewalls that filter outbound HTTP or HTTPS traffic but allow DNS traffic.

In one real-world scenario, researchers identified a DNS tunnelling attack wherein an attacker encoded sensitive data within DNS queries. The attack was detected when unusually long DNS queries (which typically indicate suspicious behaviour) were observed in network traffic. Upon investigation, it was discovered that the DNS requests were directed to a malicious domain, which acted as the attacker’s C2 server. The company’s security team used DNS traffic analysis to block the malicious domain and isolate the infected machine, preventing further data leakage.

Real-World Example 2: DDoS Attack via DNS Amplification

A DNS amplification attack is a type of DDoS attack where attackers exploit open DNS resolvers to flood a target system with amplified traffic. In a DNS amplification attack, the attacker sends small queries with spoofed IP addresses (the target’s IP address) to a DNS resolver. The resolver then sends a much larger response back to the target, overwhelming it with traffic.

A notable example of such an attack occurred in 2018, when a large-scale DNS amplification attack targeted GitHub, one of the world’s largest code-hosting platforms. Attackers exploited the DNS resolvers, sending an overwhelming amount of traffic to GitHub’s servers, causing downtime. Cloudflare and other content delivery networks mitigated the attack by analyzing DNS traffic and redirecting malicious traffic away from the target.

DNS Analysis Tools

There are several tools that can be used to analyze DNS traffic and detect anomalies:

  1. Wireshark: A widely-used network protocol analyzer, Wireshark can capture and inspect DNS traffic in real-time. It allows cybersecurity analysts to filter DNS requests and responses, identify abnormal patterns, and track down malicious activity.
  2. Zeek (formerly Bro): Zeek is a network monitoring tool that provides comprehensive logs of DNS traffic. It’s especially useful for detecting long-term trends and anomalies that might indicate a security breach.
  3. Splunk: Splunk is a data analytics platform used for security information and event management (SIEM). It can ingest DNS logs and allow users to create dashboards, detect malicious domains, and automate threat detection workflows.
  4. OpenDNS: This service offers DNS security by blocking malicious domains based on real-time threat intelligence. It’s commonly used to prevent malware infections and mitigate DNS-based attacks.

Key Metrics in DNS Traffic Analysis

DNS traffic analysis involves monitoring various metrics to detect potential threats:

  1. DNS Query Volume: A sudden spike in DNS queries from a single host or across the network could indicate malicious activity, such as malware communicating with a C2 server.
  2. Unusual Domains: Anomalies in domain requests, such as requests for non-existent or randomly generated domain names, may signal domain generation algorithms (DGAs) used by malware.
  3. TTL (Time to Live) Values: Abnormally low or inconsistent TTL values can indicate suspicious behavior, as malware often manipulates DNS TTLs to evade detection.

Best Practices for DNS Security

To safeguard DNS traffic and reduce the risk of cyberattacks, organizations should adopt the following best practices:

  1. Use DNSSEC (DNS Security Extensions): DNSSEC adds a layer of security by authenticating DNS responses, preventing attackers from spoofing DNS records.
  2. Monitor DNS Logs: Regular monitoring of DNS logs can provide early warning signs of malicious activity. These logs should be ingested into a SIEM platform for automated analysis.
  3. Block Malicious Domains: Using threat intelligence services to block known malicious domains can help prevent malware from communicating with external C2 servers.
  4. Disable Open DNS Resolvers: Open DNS resolvers can be exploited in DNS amplification attacks. Organizations should configure their DNS resolvers to only accept queries from authorized hosts.

Conclusion

DNS is a crucial component of internet infrastructure, and its traffic holds valuable insights into network behavior. By analyzing DNS traffic, security teams can detect malware, prevent data exfiltration, and mitigate DDoS attacks. The real-world examples of DNS tunneling and amplification attacks demonstrate the importance of monitoring DNS requests and traffic to maintain a secure network. Investing in the right tools and adopting best practices for DNS security will help organizations stay ahead of potential threats.

References:

  1. Halvorsen, E., et al. (2018). “Detecting DNS Tunneling Using Statistical and Machine Learning Techniques.” Journal of Cybersecurity.
  2. Cloudflare. (2018). “The GitHub DDoS Attack: Inside the Largest DDoS Attack Ever.” Available at: https://blog.cloudflare.com.