NetFort Advertising

How To Detect Unauthorised DNS Servers On Your Network

Detecting unauthorized DNS servers to prevent DNS poisoning

Why worry about unauthorised DNS servers?

DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul ­Mockapetris, then at the University of Southern California, in the days of ­ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.

DNS was never designed as a very secure protocol and it is popular target for attackers. There are two ways DNS can be hacked: by using protocol attacks (attacks based on how DNS is actually working) or by using server attacks (attacks based on the bugs or flaws of the programs or machines running DNS services).

One of the more recent protocol attacks was the

In both of these cases the attackers change your DNS server from 8.8.8.8 (Google) for example to one of their own DNS servers. Most of your DNS queries will be handled correctly and you will get correct IP addresses. However, for certain site like banking the attackers will direct you to a mocked up website which looks like a valid banking one. You logon details are captured once you start to interact with the site and these are then used to steal your money.

Detecting unauthorised DNS server use with LANGuardian

Our LANGuardian product includes both a DNS traffic decoder and an number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder. Here we can see how LANGuardian can build up an inventory of all DNS servers and client queries to them.

A LANGuardian report showing unauthorised DNS server use

Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.

How to generate alerts if a device uses an unauthorised DNS server

LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if users try an access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:

  • 192.168.127.22 (hosted internally on network)
  • 8.8.8.8 (google1)
  • 8.8.4.4 (google2)

We then use the LANGuardian alerts configuration option to create a DNS alerting rule which would trigger if queries to other servers are detected. The screenshot below shows an example of this.

Unauthorised DNS servers alert configuration

Once the rule is saved it will look like this on the LANGuardian alerts list.

LANGuardian DNS Alert Rule

Once the unauthorised DNS server alert is triggered, LANGuardian will capture certain DNS metadata like source and destination IP addresses, country where DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.

A list of unauthorised servers detected on the network using network traffic analysis

These alerts can also be exported as SYSLOG so that they can be processed by a blocking device such as a firewall or NAC (Network Access Control) system.

How to monitor DNS traffic

One of the best ways to monitor DNS traffic is to port mirror traffic going to and from your local DNS servers and all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up on devices using external DNS servers so it is really easy to monitor network traffic on your network. Most managed switches support SPAN or mirror ports. If you have a switch that does not have any traffic monitoring options there are many alternatives for SPAN ports. The video below shows the steps needed to monitor Internet traffic and you should extend this to also monitor local DNS servers.

Find Out What DNS Servers Are In Use On Your Network

Use the deep packet inspection engine of LANGuardian to report on what DNS servers are in use on your network. Real time and historical reports available. No need to install any agents or client software.

  • See what DNS servers are in use
  • Generate alerts if  a network device uses an unauthorised DNS server
  • Capture DNS metadata so you can troubleshoot DNS issues and perform forensics on past events.

All analysis is done passively using network traffic analysis and you will see results within minutes.