There are few things more important to the operation of the Internet than the Domain Name System (DNS). Internet users rely on the DNS to identify the names of websites they want to visit, while browsers communicate with those websites via their IP addresses. While DNS is invaluable to the Internet community, it is not without vulnerabilities.
When the Domain Name System was designed, security was not a major consideration. Now, malicious actors are using DNS for data theft, denial-of-service attacks, command-and-control, and other malicious activity. Proactive monitoring of DNS activity can help network administrators quickly detect and respond to these threats.

Proper DNS logging provides your security team with extra advantages like:

  • Reduce breach impact by finding the bad guys faster in your SIEM
  • Reduce SOC alert fatigue among personnel
  • Achieve investigation efficiency by reducing DNS noise
  • Reduce the cost of DNS security and increase efficiency by centralizing DNS log collection
  • Reduce the cost of storing and processing DNS logs, for example by forwarding them to multiple routes and endpoints
  • Take care of GDPR and other compliance obligations, breaches of which can result in hefty fines
  • Enable correlation, and make alerting and response quicker

Attackers are still abusing DNS in 2020

DNS hijacking

In March 2020, Bitdefender released a report on how attackers have taken advantage of the coronavirus pandemic to try to spread malware via DNS hijacking.

DNS tunneling

Many types of client malware make use of DNS tunneling, including point of sale (PoS) malware like MULTIGRAIN, remote backdoors such as DNSMessenger and DNSpionage, and botnets like JAKU.

DoS and DDoS attacks

All industries are affected by DoS and DDoS attacks. For example, Mirai botnet variants have mainly been targeting media/information services and insurance industries, according to IBM X-Force. In March 2020 there were also coordinated campaigns, including DDoS attacks on health entities such as the US Health agency.

DNS Infrastructure Hijacking Attack

While more related to infrastructure than to the protocol itself, a DNS infrastructure hijacking can be extremely damaging to an organization: theft of user credentials, tampering with DNS records, manipulation of DNS records for key servers, and compromise of authoritative records leading to further attacks.

DNS use in APT groups

What do APT threat groups such as APT41, APT18, APT32, APT1 and Cobalt Group, which target multiple industries including healthcare, telecom, technology and finance worldwide, have in common? They all abuse DNS. For example, FireEye research shows that APT41 used DNS for C2 communications.

By proactively monitoring DNS audit logs and query traffic, IT personnel can more quickly identify and respond to a DNS attack, reducing its impact.
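As an added illustration of what "monitoring DNS query traffic" for the tunneling behaviour described above can look like in practice, the following Python script is not part of this page or of NXLog's own software. It parses a handful of constructed lines written in the style of a Windows DNS Server debug log (packet logging enabled), decodes the length-prefixed query names, and applies three common tunneling heuristics: unusually long labels, high character entropy in a label, and record types that tunnels typically carry payloads in (TXT, NULL). It then counts distinct subdomains each client asks for under one registered domain, since a tunnel generates many unique names. The thresholds, the two-indicator rule and the "last two labels" approximation of a registered domain are assumptions chosen for this example, not values taken from the page.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in the style of a Windows DNS Server debug log
# (not real captures). 10.0.0.5 behaves like a normal workstation; 10.0.0.77
# sends many long, random-looking TXT queries under one domain, which is the
# shape of traffic a DNS tunnel produces.
SAMPLE_LOG = """\
DNS Server log file creation at 3/11/2020 10:15:00 AM
3/11/2020 10:15:22 AM 0E78 PACKET  000000A2B5C3D6E0 UDP Rcv 10.0.0.5        4a2b   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/11/2020 10:15:22 AM 0E78 PACKET  000000A2B5C3D6E0 UDP Snd 10.0.0.5        4a2b R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/11/2020 10:15:23 AM 0E78 PACKET  000000A2B5C3D6E1 UDP Rcv 10.0.0.5        4a2c   Q [0001   D   NOERROR] AAAA   (4)mail(7)example(3)com(0)
3/11/2020 10:15:24 AM 0E78 PACKET  000000A2B5C3D6E2 UDP Rcv 10.0.0.5        4a2d   Q [0001   D   NOERROR] TXT    (6)_dmarc(7)example(3)com(0)
3/11/2020 10:15:25 AM 0E78 PACKET  000000A2B5C3D6E3 UDP Rcv 10.0.0.77       91f0   Q [0001   D   NOERROR] TXT    (32)zk4s9x2q7v1b8n3m6l0p5w9e2r7t4y1u(5)exfil(7)example(3)org(0)
3/11/2020 10:15:25 AM 0E78 PACKET  000000A2B5C3D6E4 UDP Rcv 10.0.0.77       91f1   Q [0001   D   NOERROR] TXT    (32)q8w3e7r1t5y9u2i6o0p4a8s3d7f1g5h9(5)exfil(7)example(3)org(0)
3/11/2020 10:15:26 AM 0E78 PACKET  000000A2B5C3D6E5 UDP Rcv 10.0.0.77       91f2   Q [0001   D   NOERROR] TXT    (32)m2n6b4v8c1x5z9l3k7j0h4g8f2d6s1a5(5)exfil(7)example(3)org(0)
3/11/2020 10:15:26 AM 0E78 PACKET  000000A2B5C3D6E6 UDP Rcv 10.0.0.77       91f3   Q [0001   D   NOERROR] TXT    (32)p0o4i8u2y6t1r5e9w3q7a0s4d8f2g6h1(5)exfil(7)example(3)org(0)
3/11/2020 10:15:27 AM 0E78 PACKET  000000A2B5C3D6E7 UDP Rcv 10.0.0.77       91f4   Q [0001   D   NOERROR] TXT    (32)l9k3j7h1g5f9d3s7a1z5x9c3v7b1n5m9(5)exfil(7)example(3)org(0)
"""

# One packet line: timestamp, thread id, PACKET, context, protocol, direction,
# client IP, transaction id, "Q" (query) or "R Q" (response), flags, type, name.
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M)\s+(?P<tid>[0-9A-F]+)\s+PACKET\s+(?P<ctx>[0-9A-F]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-f]+)\s+"
    r"(?P<rq>(?:R\s+)?Q)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(raw):
    """Turn the debug-log form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(label for _, label in LABEL_RE.findall(raw) if label)


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Return one dict per packet line; header and unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["name"] = decode_name(rec["name"])
        rec["response"] = rec["rq"].startswith("R")
        records.append(rec)
    return records


def base_domain(name):
    """Assumption for this example: the registered domain is the last two labels
    (a real deployment would consult the public suffix list)."""
    parts = name.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else name


def tunnel_indicators(records, max_label=30, min_entropy=3.5, min_unique=5):
    """Flag inbound queries showing at least two tunneling indicators and report
    (client, domain) pairs with an unusual number of distinct names."""
    flagged = []
    names_per_domain = defaultdict(set)
    for rec in records:
        if rec["response"] or rec["dir"] != "Rcv":
            continue  # only queries received from clients
        longest = max(rec["name"].split("."), key=len)
        entropy = shannon_entropy(longest)
        reasons = []
        if len(longest) > max_label:
            reasons.append(f"label length {len(longest)} > {max_label}")
        if entropy > min_entropy:
            reasons.append(f"label entropy {entropy:.2f} > {min_entropy}")
        if rec["qtype"] in ("TXT", "NULL"):
            reasons.append(f"record type {rec['qtype']} commonly used for tunnel payloads")
        names_per_domain[(rec["ip"], base_domain(rec["name"]))].add(rec["name"])
        # A lone TXT lookup (e.g. DMARC/SPF) is normal; require two indicators.
        if len(reasons) >= 2:
            flagged.append({"ip": rec["ip"], "name": rec["name"], "reasons": reasons})
    bursts = {key: len(names) for key, names in names_per_domain.items()
              if len(names) >= min_unique}
    return flagged, bursts


def analyze(text):
    return tunnel_indicators(parse_log(text))


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_LOG)
    for entry in flagged:
        print(f"{entry['ip']} {entry['name']}: {'; '.join(entry['reasons'])}")
    for (ip, domain), count in bursts.items():
        print(f"{ip} queried {count} distinct names under {domain}")
```

Run as-is, the script flags only the five queries from 10.0.0.77 and reports that host for five distinct names under example.org, while the workstation's DMARC TXT lookup is left alone because it trips a single indicator. The same parser output is what a collector would normalize and forward to a SIEM, where the per-client counting is better done over a sliding time window than over a whole file.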
Contact us to learn more about secure DNS log collection

How NXLog Enterprise Edition can help with DNS monitoring

NXLog Enterprise Edition provides several unique features for collecting and processing DNS logs:

Native ETW collection

Parsing of DNS debug logs

Multiple types of Windows Event Log collection

File integrity monitoring

Output integrations

Parsing and structured logging

Log collection infrastructure with NXLog

NXLog offers seamless integration and acts as a bridge between log sources and different output systems.
For more on NXLog schedule a personal meeting with one of our professionals

DNS log collection and forwarding to SIEMs and LMs

Whether it is for threat hunting or threat intelligence, all these and more are improved with wider log collection coverage.
Instead of relying on two Beats (Filebeat and Winlogbeat), use just one NXLog configuration instance as the log collector for both Linux and Windows DNS Servers.
NXLog can be configured as a collector for Graylog, by acting as a forwarding agent on the client machine and sending messages to a Graylog node.
Collect and forward DNS logs to IBM Security QRadar SIEM and utilize their analytics, correlation rules and dashboard features. See the IBM PartnerWorld Global Solutions page.
NXLog is a Technology Alliance partner with Splunk. Collect DNS logs from Windows and Linux, and forward to Splunk products including Splunk Enterprise and Splunk Cloud.
Normalize DNS logs to CEF. A Partner Product of choice with RSA NetWitness, NXLog is part of the RSA Ready Technology Partner network. See the RSA Integrations page.
Use NXLog to collect DNS logs for Microsoft DNS, and other raw logs such as BIND 9 logs, and forward to Rapid7 InsightIDR.
Part of the McAfee Security Innovation Alliance Partner Directory. Set up centralized DNS log collection for processing with the McAfee Enterprise Security Manager SIEM Suite.
Generate and parse data in the Common Event Format (CEF) used by ArcSight products including Enterprise Security Manager (ESM).
FireEye Threat Analytics Platform integration with NXLog allows you to correlate indicators against FireEye Threat Intelligence.
Securonix is a provider of SIEM and UEBA solutions for cyber-threat detection. NXLog is part of the Securonix Fusion Partners Directory.