In a previous article, “Internal DNS monitoring & restrictions”, we discussed how cyber-criminals use poisoned DNS servers and spoofed IP addresses to carry out pharming attacks. Instead of compromising a web server and planting a phishing page on it, the criminals can stand up a malicious DNS server (or poison the cache of a legitimate one) and resolve the victim’s domain name to a different, attacker-controlled IP address.
As far as the end-user’s web browser is concerned, they are at the correct site: the address bar shows the domain they typed. In the background, however, the connection is going to a different IP address controlled by the attacker. (Where the site uses HTTPS the browser will warn about the certificate unless the attacker also holds one that is valid for that domain, so the attack works best against plain-HTTP sites and against users who click through warnings.)
The following article explains why businesses shouldn’t take DNS Server logs for granted.
How important is it to monitor DNS logs?
Some businesses have no process for monitoring their DNS traffic, despite DNS being involved in a large share of attacks. The protocol has been around for a very long time, and most businesses think of it as something that only maps domain names to addresses, but that is no longer the whole story: software frequently uses DNS records for other purposes, for example to check licences. Most companies worry about outside attacks such as hijacking or phishing, but DNS logs tell you far more than “what did that person visit on the Internet?” DNS underpins every one of your online services, and companies need to give it correspondingly more attention.
By actively monitoring DNS logs you can detect unusual activity and get a notification when your DNS is doing something it is not supposed to do, for example when a resolver starts handing clients answers that differ from the known-good addresses for your domains. That is what a poisoned cache, or a rogue resolver being used for pharming, looks like in the logs.
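As an added example (not code from the original article), here is the kind of check a DNS monitor can run over resolver response logs to catch a poisoned answer: every answer for a domain you care about is compared with a known-good baseline. The log format, the baseline and the log lines are all constructed for illustration; a real deployment would feed it the response log from your own resolver and seed the baseline from an authoritative or otherwise trusted source.

```python
"""Flag DNS answers that disagree with a known-good baseline.

Added example; the resolver log format used here is constructed:
'<timestamp> <client-ip> <qname> <rtype> <answer>', one answer per line.
"""
from collections import defaultdict

# Constructed baseline: the addresses a trusted source returns for domains
# we care about (our own services, the bank, the payroll provider...).
BASELINE = {
    "intranet.example.com": {"10.0.5.20"},
    "bank.example.net": {"203.0.113.10", "203.0.113.11"},
}

# Constructed resolver response log. The two bank.example.net lines that
# answer 198.51.100.77 show clients being sent to an address that is not
# in the baseline; updates.example.org has no baseline and is ignored.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z 10.0.1.15 intranet.example.com A 10.0.5.20
2024-03-04T09:00:04Z 10.0.1.22 bank.example.net A 203.0.113.11
2024-03-04T09:02:17Z 10.0.1.15 bank.example.net A 198.51.100.77
2024-03-04T09:02:18Z 10.0.1.31 bank.example.net A 198.51.100.77
2024-03-04T09:03:00Z 10.0.1.40 updates.example.org A 192.0.2.9
"""


def parse_line(line):
    """Split one log line into its fields; qnames are normalised so that
    'Bank.Example.Net.' and 'bank.example.net' compare equal."""
    ts, client, qname, rtype, answer = line.split()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rtype": rtype, "answer": answer}


def find_poisoned_answers(log_text, baseline):
    """Return one alert per (qname, unexpected answer), with the clients
    that received it and when it was first seen.

    A baselined domain resolving to an address outside its known-good set
    is what a poisoned cache or a rogue resolver looks like in the logs:
    the name the user asked for is right, the address they are sent to
    is not. Domains without a baseline are skipped rather than guessed at.
    """
    clients = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["rtype"] != "A" or rec["qname"] not in baseline:
            continue
        if rec["answer"] in baseline[rec["qname"]]:
            continue
        key = (rec["qname"], rec["answer"])
        clients[key].add(rec["client"])
        first_seen.setdefault(key, rec["ts"])
    return [
        {"qname": q, "answer": a, "first_seen": first_seen[(q, a)],
         "clients": sorted(c)}
        for (q, a), c in sorted(clients.items())
    ]


if __name__ == "__main__":
    for alert in find_poisoned_answers(SAMPLE_LOG, BASELINE):
        print(f"{alert['first_seen']} {alert['qname']} -> {alert['answer']} "
              f"(not in baseline) seen by {', '.join(alert['clients'])}")
```

The alert carries the affected clients deliberately: the response is to flush the resolver cache and check those hosts, not just to note the event. A baseline that lags behind a legitimate address change will produce false positives, so refresh it from the authoritative source rather than from the resolver you are checking.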
That is why it is so important for companies to monitor their DNS. Monitoring tools such as Security Information and Event Management (SIEM) systems correlate logs from all devices and turn them into intelligence. For example, if you log in to your computer and mistype your password once, that is not a problem. If the same user account fails to log in on several different computers within three minutes, that is a red flag. Every log entry on its own may mean nothing, but combined with other entries carrying the same time stamps it can reveal a problem that needs investigating.
SIEM tools let you hear from all of your devices at once. The logs from your database, firewall, web server and DNS can be viewed in one place, so you can see the big picture. If an employee visits a URL, the traffic goes through your firewall, but a traditional firewall does not deal in domain names; it filters on IP addresses and ports. DNS deals in domain names, and the web filter deals in the content of the page. What if “BestAustralianHoliday.com” were a porn site? The name doesn’t suggest it, and you probably don’t know the IP address offhand, but if you combine the web-filter log, the DNS log and the firewall log, you can see that the employee is using the Internet for porn. Individual logs won’t give you enough information, but when they join forces you get the whole story.