How To Detect Unauthorised DNS Servers On Your Network
Why worry about unauthorised DNS servers?
DNS remains a vital part of computer networking. The foundation of DNS was laid in 1983 by Paul Mockapetris, then at the University of Southern California, in the days of ARPAnet, the U.S. Defense Department research project that linked computers at a small number of universities and research institutions and ultimately led to the Internet. The system is designed to work like a telephone company’s 411 service: given a name, it looks up the numbers that will lead to the bearer of that name.
DNS was never designed as a very secure protocol and it is a popular target for attackers. There are two ways DNS can be hacked: by using protocol attacks (attacks based on how DNS actually works) or by using server attacks (attacks based on the bugs or flaws of the programs or machines running DNS services).
One of the more recent protocol attacks was the DNSChanger malware. It typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information. There is also a similar variant targeting Apple Mac computers dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable.
In both of these cases the attackers change your DNS server from, for example, 220.127.116.11 (Google) to one of their own DNS servers. Most of your DNS queries will be handled correctly and you will get correct IP addresses. However, for certain sites, such as banking sites, the attackers will direct you to a mocked-up website which looks like a valid banking one. Your logon details are captured once you start to interact with the site, and these are then used to steal your money.
Detecting unauthorised DNS server use with LANGuardian
Our LANGuardian product includes both a DNS traffic decoder and a number of alerting features which you can use to track down unauthorised DNS server use. The image below shows an example of the DNS traffic decoder. Here we can see how LANGuardian can build up an inventory of all DNS servers and the client queries sent to them.
Having a DNS audit trail like this will also give you the data you need to investigate other DNS issues such as cache poisoning.
How to generate alerts if a device uses an unauthorised DNS server
LANGuardian includes a customizable alerting engine where you can define whitelists of valid servers and get alerts if users try to access others. For the purposes of this example we are going to create a DNS whitelist containing these servers:
- 192.168.127.22 (hosted internally on network)
- 18.104.22.168 (google1)
- 22.214.171.124 (google2)
We then use the LANGuardian alerts configuration option to create a DNS alerting rule which would trigger if queries to other servers are detected. The screenshot below shows an example of this.
Once the rule is saved it will look like this on the LANGuardian alerts list.
Once the unauthorised DNS server alert is triggered, LANGuardian will capture certain DNS metadata such as the source and destination IP addresses, the country where the DNS server is registered and the domain names that were queried. The image below shows an example of what the alerts look like.
These alerts can also be exported as SYSLOG so that they can be processed by a blocking device such as a firewall or NAC (Network Access Control) system.
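The whitelist check described above can be sketched in Python as an added illustration; this is not LANGuardian's own code or rule syntax. The flow record format, the client addresses and the 203.0.113.53 server are constructed for the example, and only the three whitelisted servers come from the article.

```python
import ipaddress
from collections import defaultdict

# Allowlist taken from the article's example rule.
ALLOWED_DNS = {ipaddress.ip_address(a) for a in
               ("192.168.127.22", "18.104.22.168", "22.214.171.124")}

# Constructed sample records: "time src dst proto dport qname" (hypothetical format).
SAMPLE_FLOWS = """\
09:00:01 192.168.127.50 192.168.127.22 udp 53 intranet.example.com
09:00:02 192.168.127.51 18.104.22.168 udp 53 www.example.org
09:00:03 192.168.127.77 203.0.113.53 udp 53 bank.example.com
09:00:04 192.168.127.77 203.0.113.53 tcp 53 mail.example.com
09:00:05 192.168.127.77 203.0.113.80 tcp 443 -
09:00:06 192.168.127.50 not-an-ip udp 53 broken.example.com
09:00:07 192.168.127.77 203.0.113.53 udp 53 bank.example.com
"""

def find_unauthorised_dns(flow_text, allowed=ALLOWED_DNS):
    """Return {(client, server): {"count": n, "names": [...]}} for DNS
    queries sent to servers that are not on the allowlist."""
    hits = defaultdict(lambda: {"count": 0, "names": set()})
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records
        _, src, dst, proto, dport, qname = fields
        if proto not in ("udp", "tcp") or dport != "53":
            continue  # not DNS traffic (DNS uses both UDP and TCP port 53)
        try:
            client = ipaddress.ip_address(src)
            server = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparseable address, ignore the record
        if server in allowed:
            continue  # query went to an authorised server
        entry = hits[(str(client), str(server))]
        entry["count"] += 1
        entry["names"].add(qname.lower().rstrip("."))
    return {key: {"count": v["count"], "names": sorted(v["names"])}
            for key, v in hits.items()}

if __name__ == "__main__":
    for (client, server), info in find_unauthorised_dns(SAMPLE_FLOWS).items():
        print(f"ALERT unauthorised DNS server: src={client} dst={server} "
              f"queries={info['count']} names={','.join(info['names'])}")
```

Each alert carries the same kind of metadata the article lists: the client, the DNS server it contacted and the domain names it asked for.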
How to monitor DNS traffic
One of the best ways to monitor DNS traffic is to port mirror traffic going to and from your local DNS servers, together with all Internet traffic. Monitoring Internet traffic is crucial so that you can pick up on devices using external DNS servers. It is really easy to monitor network traffic on your network, as most managed switches support SPAN or mirror ports. If you have a switch that does not have any traffic monitoring options, there are many alternatives to SPAN ports. The video below shows the steps needed to monitor Internet traffic, and you should extend this to also monitor local DNS servers.