Unauthorized DNS Server Usage

Simplified Version

So, you are lost. Do you ask the first person you see for directions, or do you look for someone trustworthy? Unauthorized DNS servers are the difference between asking a police officer for directions and asking the gentleman doing weird handshakes for cash on the corner. The gentleman may not point you in the right direction; then again, he may. Are you willing to take the risk?

Problem

How do we verify that systems in the environment are not using DNS servers other than the authorized ones?

Business Justification

Bypassing the authorized DNS servers puts the organization at risk: malicious domains that the authorized resolvers would refuse to answer become resolvable, allowing malware droppers to retrieve malicious payloads and infect corporate assets. It also bypasses the organization's ability to blackhole (sinkhole) malicious domains at the resolver, since those controls only apply to queries that actually reach the authorized servers.

Requirements

Firewall, NetFlow, or Windows Filtering Platform connection logs (any source that records source IP, destination IP, protocol, and destination port).

List of authorized DNS servers.

Detection Logic

Look for UDP or TCP traffic to destination port 53 where the destination IP is not in your authorized DNS server list. Exclude the authorized DNS servers themselves as sources, since they legitimately forward queries to upstream resolvers on port 53 and would otherwise show up as permanent false positives. Note that this logic only catches classic DNS: DNS over TLS (port 853) can be added to the port filter, but DNS over HTTPS blends in with ordinary port 443 traffic and cannot be distinguished by port alone.
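The detection logic above, run over a handful of constructed flow records, as an added example (this is not code from the original post; the CSV layout, the 10.1.0.10 and 10.1.0.11 resolver addresses and the host IPs are all assumptions made for the illustration):

```python
"""Flag port-53 connections to resolvers outside the authorized list.

Added example. The log format below is a constructed, simplified
NetFlow/firewall export; it does not follow any vendor's real schema.
"""
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed sample flows, one per line. Field names are assumed.
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,proto,dst_port
2024-03-01T10:00:01Z,10.1.5.23,10.1.0.10,udp,53
2024-03-01T10:00:02Z,10.1.5.23,8.8.8.8,udp,53
2024-03-01T10:00:03Z,10.1.5.40,1.1.1.1,tcp,53
2024-03-01T10:00:04Z,10.1.0.10,9.9.9.9,udp,53
2024-03-01T10:00:05Z,10.1.5.40,10.1.0.11,udp,53
2024-03-01T10:00:06Z,10.1.5.23,93.184.216.34,tcp,443
2024-03-01T10:00:07Z,10.1.5.23,8.8.8.8,udp,53
"""

# Assumed list of authorized internal resolvers for this example.
AUTHORIZED_DNS = {"10.1.0.10", "10.1.0.11"}


def parse_flows(text):
    """Parse the CSV export into dicts with validated IPs and integer ports."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        try:
            row["src_ip"] = ipaddress.ip_address(row["src_ip"])
            row["dst_ip"] = ipaddress.ip_address(row["dst_ip"])
            row["dst_port"] = int(row["dst_port"])
        except ValueError:
            continue  # skip malformed lines rather than abort the whole run
        rows.append(row)
    return rows


def find_unauthorized_dns(flows, authorized, ports=frozenset({53})):
    """Return flows to DNS ports whose destination is not an authorized resolver.

    Pass ports={53, 853} to also catch DNS over TLS; DNS over HTTPS on 443
    cannot be separated from normal web traffic by port and is out of scope.
    """
    authorized_ips = {ipaddress.ip_address(a) for a in authorized}
    hits = []
    for flow in flows:
        if flow["dst_port"] not in ports:
            continue
        if flow["proto"].lower() not in ("udp", "tcp"):
            continue
        if flow["dst_ip"] in authorized_ips:
            continue  # query went to an approved resolver
        # The authorized resolvers forward to upstream servers on port 53
        # themselves; exclude them as sources or they become permanent
        # false positives in every run.
        if flow["src_ip"] in authorized_ips:
            continue
        hits.append(flow)
    return hits


def summarize(hits):
    """Count (source, destination) pairs so each offending host is triaged once."""
    return Counter((str(h["src_ip"]), str(h["dst_ip"])) for h in hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for (src, dst), count in summarize(
        find_unauthorized_dns(flows, AUTHORIZED_DNS)
    ).items():
        print(f"{src} -> {dst}: {count} unauthorized DNS connection(s)")
```

In the sample, the flow from 10.1.0.10 to 9.9.9.9 is an authorized resolver forwarding upstream and is correctly ignored; the three remaining port-53 flows from workstations to public resolvers are the hosts to chase down in the Resolution step.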

Resolution

Once offending systems are identified, either update the DNS server address on the host if it uses a statically assigned IP configuration, or verify that the DHCP server is handing out the correct DNS server IPs to that network segment. If a host is configured correctly yet still contacts outside resolvers, treat the traffic as a sign of software (or malware) doing its own resolution rather than a configuration error.
