Overview of DNS Protocol : Part 3 of 3

Make sure you read Part 1 of Overview of DNS Protocol before reading this one, or go back to Part 2. At this point, I want to explain why we wanted to write a three-part DNS process overview series.

Question: Why a blog on how the DNS process works?
Answer: Because some forms of bots participating in a botnet reach out to C&C servers using DNS methods called Fast-Flux and Domain-Fluxing.

Fast Flux DNS: a technique that a cybercriminal can use to prevent identification of key botnet server IP addresses. The criminal creates a botnet with nodes that join and drop off the network faster than law enforcement officials can trace them. Criminals have discovered that they can hide key servers by using a sixty-second time-to-live (TTL) setting for their DNS resource records and swapping the records’ associated IP addresses in and out with extreme frequency.

Domain-fluxing: a method where bots generate random domain names at regular intervals and in large numbers to hide their tracks. Conficker, Kraken and Torpig all use DNS domain-fluxing to hide their command and control servers. Domain-fluxing makes use of a Domain Generation Algorithm (DGA). CryptoLocker made use of a DGA as well.

TTL (Time to Live): TTL refers to the capability of DNS servers to cache DNS records. It represents the amount of time that a DNS record for a certain host remains in the cache memory of a DNS server. By specifying TTL settings for a particular domain’s DNS records, webmasters define the frequency of website content updates. The longer the TTL value is, the faster domain resolution will be, due to caching. The TTL value can be set from one to several hours.

DNS Load Balancing: On the Internet, companies whose Web sites get a great deal of traffic usually use load balancing. There are several approaches to load balancing Web traffic. For Web serving, one approach is to route each request in turn to a different server host address in a domain name system (DNS) table, in round-robin fashion. Usually, if two servers are used to balance a workload, a third server is needed to determine which server to assign the work to. Since load balancing requires multiple servers, it is usually combined with failover and backup services. In some approaches, the servers are distributed over different geographic locations.

Authoritative Name Server: gives answers that have been configured by an original source, for example, the domain administrator or by dynamic DNS methods, in contrast to answers that were obtained via a regular DNS query to another name server. An authoritative-only name server only returns answers to queries about domain names that have been specifically configured by the administrator.

NXDOMAIN: A DNS message type received by the DNS Resolver when a request to resolve a domain is sent to the DNS and the DNS cannot resolve it to an IP address (i.e. not found). An NXDOMAIN error message means that the domain does not exist.

The NXDOMAIN is the message we pay close attention to: by observing the behavior and the volume of the NXDOMAIN replies from the DNS, we can uncover unwanted behaviors that are often indicative of bot communications with the C&C. This is one of the many responsibilities of the FlowPro Defender.
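
The NXDOMAIN monitoring described above can be sketched as a per-client check over resolver logs. This is an added example, not code from this post or from FlowPro Defender: the log format, the function name `find_nxdomain_outliers` and the thresholds are assumptions chosen for illustration, and the sample log lines are constructed. It counts NXDOMAIN replies per client in 60-second windows and also requires many distinct failed names, so a host retrying one stale hostname is not mistaken for domain-fluxing.

```python
from collections import defaultdict

# Constructed sample resolver log, one query per line:
#   "<epoch> <client_ip> <qname> <rcode>"   (format is an assumption)
SAMPLE_LOG = (
    ["1700000041 10.0.0.5 www.example.com NOERROR",
     "1700000050 10.0.0.5 exmaple.com NXDOMAIN"]      # a single typo
    # One stale hostname retried six times: noisy, but not domain-fluxing.
    + [f"{1700000040 + 10 * i} 10.0.0.7 oldprinter.corp.example NXDOMAIN"
       for i in range(6)]
    # Six different made-up names that all fail: DGA-like lookups.
    + [f"{1700000043 + 5 * i} 10.0.0.9 {name}.example NXDOMAIN"
       for i, name in enumerate(["qzkvhtrw", "mxpdlfoa", "wbtjyeuc",
                                 "hrnsgkvi", "ufyczqmd", "tkoaxbpe"])]
    + ["1700000070 10.0.0.9 www.example.com NOERROR",
       "truncated line"]                              # malformed on purpose
)

def find_nxdomain_outliers(lines, window=60, min_nx=5,
                           min_ratio=0.5, min_unique=5):
    """Return one alert per (client, window) exceeding all three thresholds.

    Thresholds are illustrative; tune them against your own baseline.
    """
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of aborting the run
        ts, client, qname, rcode = parts
        b = buckets[(client, int(ts) // window)]
        b["total"] += 1
        if rcode.upper() == "NXDOMAIN":
            b["nx"] += 1
            b["names"].add(qname.lower().rstrip("."))
    alerts = []
    for (client, win), b in sorted(buckets.items()):
        ratio = b["nx"] / b["total"]
        if (b["nx"] >= min_nx and ratio >= min_ratio
                and len(b["names"]) >= min_unique):
            alerts.append({"client": client, "window_start": win * window,
                           "nxdomain": b["nx"], "ratio": round(ratio, 2),
                           "unique_names": len(b["names"])})
    return alerts

if __name__ == "__main__":
    for alert in find_nxdomain_outliers(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only 10.0.0.9 is reported; 10.0.0.7 has the same NXDOMAIN volume but a single failing name, which points to a misconfiguration rather than a DGA.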