BIPI

DNS Logs Are the Highest-Signal Data Source Most SOCs Aren't Using

Cybersecurity

Almost every attack touches DNS. Domain generation algorithms, C2 callbacks, exfil, and lateral movement all leave DNS fingerprints. Yet DNS logs are the data source most likely to be discarded for cost reasons. That's the wrong trade.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 19, 2024 · 7 min read

#dns #detection #threat-hunting

A telco SOC manager told me in 2023 that they dropped DNS logs from their Splunk ingestion to save 4TB/month in licensing. Two months later they had a Cobalt Strike beacon in their network that their EDR missed. Threat hunting from EDR alone took them 11 days to find it. The DNS logs, which they no longer had, would have shown the C2 lookup pattern on day one.

DNS is the most frequently touched protocol in any modern attack. Initial access malware does a DNS lookup to find its C2. Lateral movement uses internal DNS for service discovery. Data exfiltration to cloud services starts with a DNS query. Even fully air-gapped malware does DNS to confirm internet connectivity. Drop DNS logs and you blind a SOC's most productive sensor.

What to Log and Where

The minimum useful DNS log record contains: timestamp, client IP, query name, query type, response code, response data, and the upstream resolver if the query was forwarded. Most enterprise resolvers (Microsoft DNS, BIND, Unbound, Infoblox) can produce this format directly. Cloud-managed services like AWS Route 53 Resolver and Cloudflare Gateway publish logs to S3 or Splunk-compatible endpoints.

If volume is the constraint, log the queries clients send to the recursive resolver and skip the responses. Or log everything but downsample: hash the (client, domain) pair and keep only 1 in N records when the cardinality of that pair is low. A 4TB/month ingestion can usually compress to 800GB-1.2TB without losing meaningful detection capability.

Detections Worth Building

  • Newly-registered domain (NRD) lookups: block or alert on any domain registered in the last 30 days
  • DGA scoring: train a classifier on character n-grams and entropy; flag high scores
  • DNS lookups from non-browser processes: combine with EDR telemetry
  • Single-client high cardinality: one workstation looking up 1000 unique subdomains in an hour is tunneling
  • Off-hour DNS spikes: backups and updates have patterns; deviations matter
  • Lookups to TLDs you've never seen: .top, .xyz, .ru queried from a workstation that normally queries only .com and .net

DGA detection is the highest-value research project a SOC can invest in. Conti, Qakbot, and Emotet all used DGA-style C2 in 2023. A character-level LSTM trained on Alexa top-100K plus a labeled DGA dataset (Bambenek Consulting publishes one) gets to 95%+ accuracy. The model fits in 30MB and scores queries at line rate. Detection-as-code repos like Stratosphere IPS have working examples.
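Two of the detections from the list above, the single-client cardinality check and the entropy half of DGA scoring, run over constructed DNS log lines. This is an added example, not code from the BIPI post or from Stratosphere IPS; the log field order, the 12-character minimum label length and the 3.5-bit entropy threshold are assumptions.

```python
# Added example (not from the BIPI post); the log field order below is an assumption.
import math
from collections import defaultdict

# Constructed sample records: "<ISO timestamp> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = [
    "2024-01-19T09:00:01 10.0.0.5 www.example.com A NOERROR",
    "2024-01-19T09:01:10 10.0.0.7 hqwvjkzpmdyetxrn.example.org A NXDOMAIN",
    "2024-01-19T09:01:11 10.0.0.7 kqzxvjwpnmrtlhgd.example.org A NXDOMAIN",
]
# Constructed tunneling burst: one host, 1200 unique labels under one zone in 20 minutes.
SAMPLE_LOG += [f"2024-01-19T09:{i // 60:02d}:{i % 60:02d} 10.0.0.9 "
               f"chunk{i:05d}.tun.example.net A NOERROR" for i in range(1200)]

def parse(line):
    ts, client, qname, qtype, rcode = line.split()
    return {"hour": ts[:13], "client": client, "qname": qname.lower().rstrip(".")}

def shannon_entropy(s):
    """Bits per character; a 16-char label with no repeated characters scores 4.0."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def zone_of(qname, depth=2):
    """Last `depth` labels stand in for the zone (assumption: no public-suffix list)."""
    return ".".join(qname.split(".")[-depth:])

def tunneling_clients(records, threshold=1000):
    """(client, zone) pairs with >= threshold unique names inside one clock hour."""
    seen = defaultdict(set)  # (hour, client, zone) -> unique query names
    for r in records:
        seen[(r["hour"], r["client"], zone_of(r["qname"]))].add(r["qname"])
    return {(client, zone): len(names)
            for (_, client, zone), names in seen.items() if len(names) >= threshold}

def dga_suspects(records, min_bits=3.5, min_len=12):
    """Query names whose leftmost label is long and high-entropy (entropy part of DGA scoring)."""
    hits = {}
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_bits:
            hits[r["qname"]] = round(shannon_entropy(label), 2)
    return hits

def run(lines=SAMPLE_LOG):
    records = [parse(line) for line in lines]
    return {"tunneling": tunneling_clients(records), "dga": dga_suspects(records)}

if __name__ == "__main__":
    print(run())
```

Entropy alone is the weak half of the heuristic; the n-gram classifier the post describes is what separates random-looking but legitimate CDN labels from DGA output.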

Passive DNS for Pivoting

When you find one bad domain, passive DNS shows you the others. Farsight DNSDB (now DomainTools), VirusTotal, PassiveTotal, and Mnemonic each maintain massive passive DNS datasets: historical records of which IPs hosted which domains at which times.

Workflow: an incident turns up the C2 domain badthing.example. Query passive DNS for badthing.example and get back the three IPs it resolved to in the last 90 days. Query passive DNS for each of those IPs and get back 47 other domains that pointed at them. Filter those for newly-registered or otherwise suspicious domains. Now you have a campaign fingerprint instead of a single IOC.

The Cost Conversation

Telling the CFO that DNS log retention is cheaper than not detecting a ransomware operator is a hard sell until after the incident. The numbers that help: average dwell time without DNS visibility is 21 days according to Mandiant M-Trends; with DNS visibility on top 25 ATT&CK techniques it drops to under 7 days; cost of one ransomware incident in the mid-market range averages $1.85M according to Sophos State of Ransomware 2023.

A retention budget that buys you 6 months of full DNS logs and pays for the SIEM ingestion is on the order of $50K-150K/year for a mid-size enterprise. That's risk reduction with measurable ROI.

Start Smaller If You Have To

If full DNS logging is politically impossible, start with three high-value queries: NRD lookups, DGA-scored lookups above threshold, and lookups to TLDs in your block list. Those three alerts alone catch most commodity malware. Once the SOC has wins to point to, expanding ingestion is an easier conversation.
