Analyzing Enterprise DNS Traffic to Classify Assets and Track Cyber-Health

TL;DR

This paper presents passive analysis techniques to identify, classify, and monitor organizational DNS assets and their security health, addressing the widespread lack of visibility into DNS infrastructure in large organizations.

Contribution

It introduces a comprehensive analysis of enterprise DNS traffic, a novel unsupervised clustering method for asset classification, and continuous health monitoring to detect security issues.

Findings

Successfully classified over 100 DNS assets across two organizations.

Identified improper configurations and security incidents such as data exfiltration and DDoS attacks.

Demonstrated the effectiveness of passive analysis for enterprise DNS security monitoring.

Abstract

The Domain Name System (DNS) is a critical service that enables domain names to be converted to IP addresses (or vice versa); consequently, it is generally permitted through enterprise security systems (e.g., firewalls) with little restriction. This has exposed organizational networks to DDoS, exfiltration, and reflection attacks, inflicting significant financial and reputational damage. Large organizations with loosely federated IT departments (e.g., Universities and Research Institutes) often do not even fully aware of all their DNS assets and vulnerabilities, let alone the attack surface they expose to the outside world. In this paper, we address the "DNS blind spot" by developing methods to passively analyze live DNS traffic, identify organizational DNS assets, and monitor their health on a continuous basis. Our contributions are threefold. First, we perform a comprehensive analysis of all DNS traffic in two large organizations (a University Campus and a Government Research Institute) for over a month, and identify key behavioral profiles for various asset types such as recursive resolvers, authoritative name servers, and mixed DNS servers. Second, we develop an unsupervised clustering method that classifies enterprise DNS assets using the behavioral attributes identified, and demonstrate that our method successfully classifies over 100 DNS assets across the two organizations. Third, our method continuously tracks various health metrics across the organizational DNS assets and identifies several instances of improper configuration, data exfiltration, DDoS, and reflection attacks. We believe the passive analysis methods in this paper can help enterprises monitor organizational DNS health in an automated and risk-free manner.