DNS
DNS (Domain Name System) is a crucial protocol that translates human-readable domain names into IP addresses, enabling users to access websites and services. However, DNS is also a common target for attackers through techniques like DNS spoofing, cache poisoning, and DNS tunneling. These attacks can redirect users to malicious sites, intercept sensitive data, or be used to exfiltrate information.
DNS in nzyme
Nzyme parses all DNS traffic. The reported data includes:
- Source address (DNS client)
- Server address (DNS server)
- Query value
- Query type
- Response value(s)
- Response type(s)
You can find a list of all recorded DNS traffic on the DNS page under Ethernet in the sidebar of your nzyme web interface.
Entropy Outliers
DNS tunneling is a technique where attackers encode data within DNS queries and responses to exfiltrate information or establish covert communication channels. This often involves unusual patterns in the DNS traffic, such as high entropy values in the DNS query or response data. Entropy measures the randomness or unpredictability of data; higher entropy in DNS traffic can indicate that the data contains encoded information rather than typical DNS requests, which are usually more predictable and structured.
By analyzing the entropy of DNS queries and responses, nzyme can identify outliers—those with unusually high entropy values. These outliers may suggest that the DNS traffic is being used for purposes other than standard domain name resolution, such as tunneling.
Be aware that many legitimate DNS queries and responses, particularly those associated with CDNs and some public cloud services, can exhibit high entropy. Therefore, it’s advisable to manually review the list of DNS entropy outliers in nzyme rather than relying solely on automatic alerting.
Entropy Outliers in nzyme
Each nzyme tap is keeping a rolling window of average entropy and calculates a z-score to detect outliers. Those outliers are presented on the DNS overview page of your nzyme web interface.
You can configure the outlier threshold in your nzyme tap configuration file, using the entropy_zscore_threshold
variable in the protocols.dns
section:
NXDOMAIN Responses
"NXDOMAIN" stands for "Non-Existent Domain." It is a DNS response code indicating that the domain name queried does not exist in the DNS records.
Nzyme monitors NXDOMAIN responses because they can be a strong indicator of malicious activity, such as attempts to contact non-existent domains generated by malware using Domain Generation Algorithms (DGAs). DGAs are used by attackers to evade detection by rapidly generating and attempting to connect to a large number of random or pseudo-random domain names, most of which do not exist and thus return NXDOMAIN responses.
A high volume of NXDOMAIN responses from a particular host or network segment can signal that malware is attempting to reach its command-and-control server, or that an attacker is probing for vulnerable services. By closely monitoring and analyzing NXDOMAIN responses, defenders can identify these suspicious patterns and investigate further.
NXDOMAIN Responses in nzyme
Nzyme presents charts and statistics to monitor NXDOMAIN activity in your network. You can use the DNS transaction log filters to drill down and analyze further.