
5 DNS Layer Actions to Fight Malware

Proper cybersecurity begins with layers, and monitoring the DNS layer puts you in a better position to ensure a healthy and safe network. Here are 5 actions you can take to improve your security posture.

Create Firewall Rules for Central DNS Control

If your network lacks firewall rules restricting which DNS resolvers clients may use, devices on your network can request resolution from potentially malicious sources. You also lose the central data collection and reporting needed to monitor and troubleshoot DNS activity effectively. Finally, if you use DNS for content filtering, users can bypass the filters simply by changing the DNS server address configured on their device. Setting traffic rules for port 53 (UDP and TCP) that permit only your sanctioned resolvers gives you better control and deeper insight into your network. Keep in mind that DNS over TLS (port 853) and DNS over HTTPS (port 443) are not covered by port 53 rules and need their own controls.
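The two halves of this step, written out as an added example (not code from the original post or from ScoutDNS): an audit over constructed flow records that finds clients already talking to resolvers outside the allowlist, and a generated nftables ruleset that permits port 53 only to and from those resolvers. The resolver addresses, the flow records and the table name `dns_control` are all assumptions; replace them with your own.

```python
import ipaddress

# Sanctioned internal resolvers (assumed addresses; replace with your own).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Ports worth watching: plain DNS and DNS over TLS. DoH on 443 cannot be told
# apart from ordinary HTTPS by port alone and needs endpoint/policy controls.
DNS_PORTS = {53, 853}

# Constructed flow records (src, dst, proto, dport), shaped like a summarised
# NetFlow or conntrack export. Not real traffic.
FLOWS = [
    ("10.1.2.10", "10.0.0.53", "udp", 53),
    ("10.1.2.10", "10.0.1.53", "tcp", 53),
    ("10.1.2.11", "8.8.8.8", "udp", 53),
    ("10.1.2.11", "8.8.8.8", "udp", 53),
    ("10.1.2.12", "1.1.1.1", "tcp", 853),
    ("10.1.2.13", "10.0.0.53", "udp", 53),
    ("10.1.2.14", "93.184.216.34", "tcp", 443),
]


def dns_bypass_clients(flows, allowed=ALLOWED_RESOLVERS, ports=DNS_PORTS):
    """Return {client: {resolver, ...}} for clients sending DNS (53) or
    DNS-over-TLS (853) traffic to any resolver not on the allowlist."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    offenders = {}
    for src, dst, _proto, dport in flows:
        if dport not in ports:
            continue
        if ipaddress.ip_address(dst) in allowed_ips:
            continue
        offenders.setdefault(src, set()).add(dst)
    return offenders


def render_nft_ruleset(allowed=ALLOWED_RESOLVERS):
    """Render an nftables ruleset for a firewall that sits between clients
    and the resolvers: clients may only reach the allowlisted resolvers on
    port 53, the resolvers may recurse upstream, everything else on 53/853
    is logged and dropped so bypass attempts show up in the firewall log."""
    elements = ", ".join(sorted(allowed, key=ipaddress.ip_address))
    return f"""table inet dns_control {{
    set allowed_resolvers {{
        type ipv4_addr
        elements = {{ {elements} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        # clients -> sanctioned resolvers
        ip daddr @allowed_resolvers udp dport 53 accept
        ip daddr @allowed_resolvers tcp dport 53 accept
        # the resolvers' own recursion to upstream servers
        ip saddr @allowed_resolvers udp dport 53 accept
        ip saddr @allowed_resolvers tcp dport 53 accept
        # anything else on 53/853 is a bypass attempt: log, then drop
        udp dport 53 log prefix "dns-bypass " drop
        tcp dport {{ 53, 853 }} log prefix "dns-bypass " drop
    }}
}}
"""


if __name__ == "__main__":
    for client, resolvers in sorted(dns_bypass_clients(FLOWS).items()):
        print(f"{client} bypasses central DNS via {', '.join(sorted(resolvers))}")
    print(render_nft_ruleset())
```

Run the audit first and fix the offenders' configuration (DHCP option 6, or an endpoint policy) before loading the ruleset with `nft -f`, otherwise the drop rule turns misconfigured clients into a resolution outage rather than a log entry.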

Filter TLDs

There are over 1,500 top-level domains on today's internet. While roughly half of known internet threats come from the most popular TLDs like .com or .net, nearly half originate from lesser-known ones like .cf or .gq. The vast majority of legitimate business domains fall within 10 to 15 TLDs or fewer. Managing which top-level domains you allow on your network can eliminate nearly half of known threats, and likely an even larger share of unknown ones. Build the allowlist from your own query logs rather than from a guess, and expect to maintain a short list of exceptions.

Filter Known Malicious Domains

This should go without saying; however, many organizations still rely solely on endpoint-level internet safety controls. When it comes to defense, more layers are better. Since roughly 95% of malware touches the DNS layer at some point (initial resolution, command and control, or exfiltration), using DNS filtering to block known malicious domains keeps badware out before it ever reaches your endpoints. Make sure the filter blocks a listed domain together with all of its subdomains, since attackers rotate hostnames under a domain far faster than blocklists update.
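The TLD allowlist from the previous section and the known-malicious-domain blocklist from this one are both decisions about a query name, so a single policy function covers them. The following is an added example, not code from the original post or from any ScoutDNS product; the allowlist, the blocklist entries (which use reserved `.example` and `.test` names) and the helper names are assumptions. The blocklist match walks up the name so that any subdomain of a listed domain is blocked too, the way a response policy zone would.

```python
# Assumed TLD allowlist; in practice, derive it from your own query logs.
TLD_ALLOWLIST = {"com", "net", "org", "edu", "gov", "io", "co", "uk", "de"}

# Constructed blocklist using reserved example names, not real threat data.
DOMAIN_BLOCKLIST = {"malware.example", "c2.bad.test"}


def normalize(qname):
    """Strip the trailing dot of a fully qualified name and lower-case it.
    IDN labels arrive in punycode (xn--...), so comparisons stay ASCII."""
    return qname.rstrip(".").lower()


def policy_decision(qname, tld_allow=TLD_ALLOWLIST, blocklist=DOMAIN_BLOCKLIST):
    """Return ("allow"|"block", reason) for a query name.

    Order matters: the blocklist is checked first so a hit reports the exact
    listed domain, then the TLD allowlist catches everything else outside
    the TLDs the business actually uses."""
    name = normalize(qname)
    labels = name.split(".")
    if len(labels) < 2:
        # Single-label names (wpad, printer, localhost) are a local-policy
        # matter, not a TLD question; leave them to the resolver.
        return ("allow", "single-label")
    # Walk from the full name up to (but not including) the bare TLD so that
    # cdn.malware.example is caught by the entry malware.example.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return ("block", f"blocklist:{candidate}")
    tld = labels[-1]
    if tld not in tld_allow:
        return ("block", f"tld:{tld}")
    return ("allow", "ok")


def apply_policy(qnames, **kwargs):
    """Evaluate a batch of query names, returning only the blocked ones."""
    return [(q, policy_decision(q, **kwargs)[1])
            for q in qnames if policy_decision(q, **kwargs)[0] == "block"]


if __name__ == "__main__":
    # Constructed query names for the demonstration.
    sample = [
        "www.Example.COM.", "cdn.malware.example", "update.foo.gq",
        "example.com.cf", "mail.c2.bad.test", "wpad", "shop.example.co.uk",
    ]
    for qname, reason in apply_policy(sample):
        print(f"BLOCK {qname:28s} {reason}")
```

Note the `example.com.cf` case: a name that merely contains a familiar TLD in the middle is still a `.cf` domain, and the filter judges it by its real last label.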

Monitor Record Types in Requests

There are dozens of DNS record types, but most end users legitimately use only a handful in their daily web use, such as A, AAAA and CNAME. Advanced DNS threats like tunneling, often used for data exfiltration, can ride on CNAME records, but they are most dangerous over types that allow larger payloads, such as NULL and TXT. Keeping an eye on your record-type counts can help track down potentially malicious activity. NULL queries should be blocked outright on all networks, and excessive TXT lookups whose answers do not contain valid SPF, DKIM or DMARC data should be investigated further. Bear in mind that the query name itself is a channel too: data encoded into long subdomain labels works with any record type, so watch label length as well as type.
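A record-type review over constructed query records, as an added example that is not part of the original post or of any ScoutDNS tooling. Each record is (client, query name, query type, answer text) as you might extract from a resolver's query and response logs; the names under `exfil.example` are made up, and the 40-character label threshold and the list of "expected" types are assumptions to tune against your own traffic.

```python
from collections import Counter

# Types an ordinary client population is expected to request. Anything else
# is not necessarily malicious, but it deserves a look.
EXPECTED_QTYPES = {"A", "AAAA", "CNAME", "PTR", "MX", "SRV", "TXT", "SOA", "NS"}

# Legitimate reasons for a workstation to fetch TXT records.
VALID_TXT_PREFIXES = ("v=spf1", "v=DKIM1", "v=DMARC1")

# Constructed records: (client, qname, qtype, answer). Not real traffic.
RECORDS = [
    ("10.1.2.10", "www.example.com", "A", "93.184.216.34"),
    ("10.1.2.10", "www.example.com", "AAAA", "2606:2800:220:1:248:1893:25c8:1946"),
    ("10.1.2.11", "cdn.example.net", "CNAME", "edge.example.net"),
    ("10.1.2.12", "example.com", "TXT", "v=spf1 include:_spf.example.com -all"),
    ("10.1.2.12", "_dmarc.example.com", "TXT", "v=DMARC1; p=reject"),
    ("10.1.2.13", "s1._domainkey.example.com", "TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"),
    ("10.1.2.14", "t.exfil.example", "NULL", None),
    ("10.1.2.14", "aGVsbG8gd29ybGQ.t.exfil.example", "TXT", "c2VjcmV0IGRhdGE="),
    ("10.1.2.15", "4d5a90000300000004000000ffff0000b800000000000000.t.exfil.example", "CNAME", "x.t.exfil.example"),
]


def qtype_histogram(records):
    """Count queries per record type; compare against yesterday's counts."""
    return Counter(qtype for _, _, qtype, _ in records)


def review_records(records, expected=EXPECTED_QTYPES, max_label=40):
    """Return (client, qname, reason) for records matching the heuristics in
    the text: NULL queries, unexpected types, TXT answers that are not
    SPF/DKIM/DMARC, and over-long labels that hint at encoded data."""
    findings = []
    for client, qname, qtype, answer in records:
        if qtype == "NULL":
            findings.append((client, qname, "NULL query: block and investigate"))
        elif qtype not in expected:
            findings.append((client, qname, f"unexpected qtype {qtype}"))
        elif (qtype == "TXT" and answer is not None
              and not answer.startswith(VALID_TXT_PREFIXES)):
            findings.append((client, qname, "TXT answer without SPF/DKIM/DMARC content"))
        # Label-length check runs regardless of type: tunnels over A or CNAME
        # still have to put their payload somewhere, and that is the qname.
        longest = max(len(label) for label in qname.split("."))
        if longest > max_label:
            findings.append((client, qname, f"label of {longest} chars looks encoded"))
    return findings


if __name__ == "__main__":
    for qtype, count in qtype_histogram(RECORDS).most_common():
        print(f"{qtype:6s} {count}")
    for client, qname, reason in review_records(RECORDS):
        print(f"{client} {qname}: {reason}")
```

The histogram is the baseline half of this step: a resolver that suddenly answers hundreds of TXT or NULL queries for one client is the signal, and the per-record findings tell you which names to pull.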

Know Your Baseline Stats

It's good practice to understand your everyday DNS traffic levels so you can easily identify anything outside the norm. Sudden increases in queries per second or spikes in NXDOMAIN responses can indicate malware, command and control, and other botnet activity; domain generation algorithms in particular produce bursts of NXDOMAIN responses as they hunt for a live C2 domain. Be sure your network tools include good DNS-layer analysis. Here at ScoutDNS we are committed to providing network operators with best-in-class insight and DNS-layer analysis so they can better understand their networks and keep them safe. It's just another way we improve recursive DNS management.
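A minimal baseline-and-spike detector, added here as an example that is not part of the original post and not how ScoutDNS implements its analysis. It takes per-minute counters of total queries and NXDOMAIN responses (the constructed `HISTORY` stands in for counts you would extract from your resolver's logs), derives a mean and spread for both metrics, and flags any new window that exceeds the baseline by `k` standard deviations. The three-sigma threshold and the 5% floor on the spread are assumptions to tune.

```python
import statistics

# Constructed per-minute counters: (queries, nxdomain_responses) for 30 quiet
# minutes. In practice, fill these from your resolver's query log.
HISTORY = [(1200 + (i % 5) * 20, 30 + (i % 3) * 5) for i in range(30)]

# Three new minutes to judge: a normal one, a query flood, and a window where
# volume is normal but a third of the answers are NXDOMAIN, the pattern a
# DGA leaves while it searches for a registered C2 domain.
RECENT = [(1230, 32), (9000, 6000), (1250, 400)]


def nx_ratio(window):
    """Share of a window's queries that came back NXDOMAIN."""
    queries, nx = window
    return nx / queries if queries else 0.0


def baseline(history, min_slack=0.05):
    """Mean and spread of query volume and NXDOMAIN ratio over quiet windows.

    The spread is floored at min_slack * mean so a perfectly flat history
    does not turn every tiny fluctuation into an alert."""
    counts = [q for q, _ in history]
    ratios = [nx_ratio(w) for w in history]
    q_mean, r_mean = statistics.mean(counts), statistics.mean(ratios)
    q_sd = max(statistics.pstdev(counts), min_slack * q_mean)
    r_sd = max(statistics.pstdev(ratios), min_slack * r_mean)
    return q_mean, q_sd, r_mean, r_sd


def flag_anomalies(history, recent, k=3.0):
    """Return [(index, [reasons])] for windows in `recent` that exceed the
    baseline by more than k standard deviations on either metric."""
    q_mean, q_sd, r_mean, r_sd = baseline(history)
    q_limit, r_limit = q_mean + k * q_sd, r_mean + k * r_sd
    flagged = []
    for i, window in enumerate(recent):
        reasons = []
        if window[0] > q_limit:
            reasons.append(f"queries {window[0]} > {q_limit:.0f}")
        if nx_ratio(window) > r_limit:
            reasons.append(f"nxdomain ratio {nx_ratio(window):.2f} > {r_limit:.3f}")
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for idx, why in flag_anomalies(HISTORY, RECENT):
        print(f"minute {idx}: " + "; ".join(why))
```

Two metrics are deliberately kept separate: the flood trips the query-volume check, while the DGA-style window has unremarkable volume and is only caught by the NXDOMAIN ratio, which is why a raw QPS graph alone is not enough.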
