Basic DNS Monitoring
DNS is one of the essential internet services. It’s the communicator and concierge of online experiences. Everything, from the web content you browse and the email and chat services you use to social platforms like Facebook and Instagram, depends on DNS functioning on a round-the-clock basis. Given its importance, it’s no surprise hackers and cybercriminals target this essential service.
Employing a robust DNS monitoring strategy is crucial to safeguarding your DNS server. By tracking your DNS performance, you can confirm it routes traffic appropriately and continuously to your services and websites. In addition, DNS monitoring tools can keep track of DNS records and notify you of any unusual activity, changes, or localized outages. Unfortunately, DNS records can be an easy way for hackers because they’re often subject to human errors. These errors create vulnerabilities that can be detected with comprehensive and ongoing monitoring processes.
DNS stands for Domain Name System. It’s essentially the utility responsible for converting simple domain names into IP addresses. For example, Google.com is a user-friendly domain name, being both simple and easy to remember. A computer-compatible IP address, however, might look something like this: 220.127.116.11. Unfortunately, this method isn’t exceptionally user-friendly, which is why we need a DNS to convert it. The IP address allows the browser to access the appropriate server with the content requested by the user.
Monitoring your essential DNS services is not overly complex but requires a bit of knowledge about the workings of DNS and its weak points. By keeping your various DNS records current and accurate many of these ills may be avoided; whilst many will go on and on about how to monitor DNS resolution, I’ll look at other things NOT commonly observed.
SOA records: The SOA record needs to be monitored because the serial number is altered whenever there is a change in your DNS entry. By keeping an eye on the serial number, you’ll know when something has changed, which could help prevent an imminent attack. Most apparent here, domain hijacking. Monitor this externally.
MX records: You can prevent the loss or redirection of any critical communication by monitoring these records. This monitor is key to keeping email systems from being hacked. Monitor this externally.
NS records: You should be testing your NS records to ensure the primary and backup records for the name server aren’t being manipulated. You may also want to conduct tests on name servers to certify they’re delivering the correct data. Again, monitor these internally and externally.
IP addresses: Your monitoring system must inform you if there is a mismatch between IP addresses. When a DNS test query is run, the result is compared to the IP address in the system; an alert is generated if the addresses don’t match. If your system supports both IPv4 and IPv6, you should monitor the A record for IPv4 and the AAAA record for IPv6. Monitor these internally and externally.
Why am I writing this?
Several times in the last six months, I have conducted cleanups of hijacked domains, Business Email Compromises, and Email Access Compromises. The victims could avoid most of these if the essential SOA and MX records were monitored and alerts enabled.
Not wanting to recommend a specific tool or product for any purpose, but I use Paessler PRTG and its DNS v2 sensor to monitor the following items on a per-domain basis:
- APEX record – Where does the lookup for domain.tla point.
- SOA record – Who are the Authorative Name Server(s) for domain.tla.
- MX record – Who recieves email for domain.tla.
- Well Known Services –
- WWW – What is the Web server ip (if any)
- Remote – What is the remote access server ip (if any)
- ???? – Any other externally accessable server, and its IP address