DNS is the engine that drives the Internet, converting recognizable names into IP addresses behind the scenes. Only recently has the InfoSec community recognized the importance and value of logging DNS traffic and analyzing these logs to detect malicious activity. The development of a variety of open source tools has given network and security admins powerful resources for investigating DNS traffic for signs of improper configuration as well as tell-tale signs of compromise.
This discussion will examine examples of the common ways we see DNS being used to compromise networks, including DNS amplification, data exfiltration, botnet C&C communication, DDoS via DNS and other less well-known DNS abuses. We will then review some of the available open source tools, including Graylog, Elasticsearch, Kibana, Packetbeat and NXLog, that can be used to proactively log and monitor DNS and other traffic. The discussion will conclude by covering some practical solutions that can easily be implemented to enhance the security of any network. We will demonstrate simple and effective ways to discover compromised devices through DNS log analysis.
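As an added illustration of the kind of DNS log analysis the abstract refers to (this is example code written for this page, not material from the talk or from any of the tools it names), the script below runs two simple detections over a constructed set of DNS query records: one for the shape of tunnelling or exfiltration (one client issuing many distinct queries with long, high-entropy leading labels under a single registered domain) and one for a DGA-style botnet client whose answers are mostly NXDOMAIN. The record format (`client qname qtype rcode`), the thresholds, and the "last two labels" approximation of a registered domain are all assumptions; a real pipeline would take the fields from Packetbeat or NXLog events and use the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample log (not captured traffic). Each line is a simplified
# "<client_ip> <qname> <qtype> <rcode>" record of the kind a Packetbeat/Graylog
# DNS pipeline could export; the field order and names are assumptions.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com MX NOERROR
10.0.0.5 cdn.example.com AAAA NOERROR
10.0.0.7 mfrggzdfmztwqzlenbwxizlfo4.exfil-host.example TXT NOERROR
10.0.0.7 gezdgnbvgy3tqojqgezdgnbvgy.exfil-host.example TXT NOERROR
10.0.0.7 ifbegrcfizduqskkjnge2tsokr.exfil-host.example TXT NOERROR
10.0.0.7 krugkidrovuwg2zamjzg653oeb.exfil-host.example TXT NOERROR
10.0.0.7 onswy3dpebqw4zlmebxgk3tthe.exfil-host.example TXT NOERROR
10.0.0.9 kxqzvpwmtryb.example A NXDOMAIN
10.0.0.9 vbtrqwplmzks.example A NXDOMAIN
10.0.0.9 pqmrzvtlkbwx.example A NXDOMAIN
10.0.0.9 zwlkmqrtvbpx.example A NXDOMAIN
10.0.0.9 trbkxqvmzplw.example A NXDOMAIN
10.0.0.9 www.example.com A NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive 'registered domain' = last two labels (assumption for this example;
    a deployment should use the Public Suffix List instead)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        client, qname, qtype, rcode = parts
        records.append({"client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "rcode": rcode.upper()})
    return records


def analyze(text: str, min_subdomains: int = 4, min_label_len: int = 16,
            min_queries: int = 5, max_nxdomain_ratio: float = 0.5):
    records = parse_log(text)
    alerts = []

    # Rule 1: many distinct names with long leading labels under one registered
    # domain, all from one client, is the shape of DNS tunnelling/exfiltration.
    per_domain = defaultdict(set)
    for r in records:
        per_domain[(r["client"], registered_domain(r["qname"]))].add(r["qname"])
    for (client, domain), names in per_domain.items():
        labels = [n.split(".")[0] for n in names]
        mean_len = sum(map(len, labels)) / len(labels)
        if len(names) >= min_subdomains and mean_len >= min_label_len:
            mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
            alerts.append({"client": client, "rule": "tunnelling", "domain": domain,
                           "distinct_names": len(names),
                           "mean_entropy": round(mean_ent, 2)})

    # Rule 2: a client whose answers are mostly NXDOMAIN looks like a DGA bot
    # walking its candidate list in search of the live C&C domain.
    totals, nx = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    for client, total in totals.items():
        if total >= min_queries and nx[client] / total >= max_nxdomain_ratio:
            alerts.append({"client": client, "rule": "nxdomain_burst",
                           "nxdomain": nx[client], "total": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the constructed records, the script flags 10.0.0.7 under the tunnelling rule and 10.0.0.9 under the NXDOMAIN rule while leaving the ordinary client 10.0.0.5 alone. The thresholds are starting points to be tuned per network; in a Kibana or Graylog deployment the same two aggregations (distinct names per client and registered domain, NXDOMAIN ratio per client) can be expressed as saved searches or alert conditions over the indexed DNS events.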