The Domain Name System (DNS) is known to be one of the protocols most widely abused by threat actors, who use it in unconventional ways to hide within normal traffic. Apart from threat actors, DNS is actively used, or rather misused, by many other service providers, vendors, and others to deliver their intended services. An in-depth examination of DNS logs collected over a long period revealed some very interesting legitimate use cases of the DNS protocol by industry and other players, beyond its normal name-resolution function. We coin the term “off-label use of DNS” for these use cases. Legitimate here simply means using DNS for non-malicious purposes other than what it was traditionally designed for, namely domain resolution: a dictionary service mapping domain names to their corresponding IP addresses. One of the main reasons DNS is used, or possibly misused, for these off-label use cases is the speed of data transfer and the reduced overhead in terms of bandwidth. These off-label uses of DNS can often leak important information about clients and the software they are running, and network security defenders and analysts can leverage them in a variety of ways to improve detection on the network. This research details some of those legitimate off-label use cases and shows how analysts can leverage them to detect malware trends in the network, and much more, simply by analyzing an enterprise's DNS logs.
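As an added illustration of mining enterprise DNS logs for off-label use (example code written for this page, not the research's own tooling): the script profiles each client from constructed resolver log lines, flagging queries whose leftmost label looks like encoded data rather than a hostname and summarizing which zones each client talks to. The log format, the entropy and length thresholds, and all domain names are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not from the page): "<client> <qtype> <qname>".
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT 3f9a1c.telemetry.vendor-a.test
10.0.0.5 TXT 7b2e0d.telemetry.vendor-a.test
10.0.0.7 A mail.example.com
10.0.0.7 A 4d6f7a6b2f.zz8q1.data-carrier.test
10.0.0.7 A 9e1c0a5b4d.zz8q1.data-carrier.test
10.0.0.7 A a1b2c3d4e5.zz8q1.data-carrier.test
10.0.0.9 A www.example.com
"""

# Assumed heuristic thresholds for a leftmost label that carries encoded data.
MIN_DATA_LABEL_LEN = 10
MIN_DATA_LABEL_ENTROPY = 2.5

def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label.lower()).values())

def is_data_carrying(qname: str) -> bool:
    """True when the leftmost label looks like a payload rather than a hostname."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= MIN_DATA_LABEL_LEN and label_entropy(first) >= MIN_DATA_LABEL_ENTROPY

def zone_of(qname: str) -> str:
    """Approximate the registrable zone by the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def profile_clients(log_text: str) -> dict:
    """Per client: total queries, data-carrying queries, and zones contacted."""
    report = defaultdict(lambda: {"queries": 0, "data_carrying": 0, "zones": Counter()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, _qtype, qname = parts
        entry = report[client]
        entry["queries"] += 1
        entry["data_carrying"] += int(is_data_carrying(qname))
        entry["zones"][zone_of(qname)] += 1
    return dict(report)
```

A client whose queries are dominated by data-carrying labels toward a single zone stands out from ordinary name resolution; the per-zone counts also show which vendor or service each client is talking to.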