Featuring 17 Papers as of June 1, 2016
Using Splunk to Detect DNS Tunneling
by Steve Jaworski - June 1, 2016
DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network and, using nslookup, perform an A record lookup for www.sans.org. If it resolves with the site's IP address, that endpoint is susceptible to DNS tunneling. Logging DNS transactions from different sources such as network taps and the DNS servers themselves can generate large volumes of data to investigate. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on the target organization's network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools, then in using Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able to apply what they learn to any enterprise network.
Implementation and use of DNS RPZ in malware and phishing defence
by Alex Lomas - April 3, 2014
Many organisations, large and small, have a need for outbound content filtering.
Detecting DNS Tunneling
by Greg Farnham - March 19, 2013
Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as example.com, instead of hard-to-remember IP addresses.
by Guy Bruneau - November 9, 2010
Why use a DNS sinkhole? The Domain Name Service is a core service used to access the Internet, so control of DNS equates to at least partial control of Internet traffic. By intercepting outbound DNS requests attempting to access known malicious domains, such as botnets, spyware, and fake antivirus, an organization can control the response and prevent organization computers from connecting to these domains. This activity prevents unwanted communications and is capable of mitigating known and unknown threats hosted on known malicious or unwanted domains.
Visualizing the Hosting Patterns of Modern Cybercriminals
by Andrew Hunt - September 21, 2010
The Domain Name Service (DNS) is critically important to translating human readable domain names into Internet Protocol (IP) addresses. Take Google, for example. Without DNS, users would find it extremely difficult to connect to one of the hundreds of IP addresses providing Google's services. Resolving 'google.com' via DNS provides the user almost instantaneous access to Google content from the closest four of its thousands of servers. This speed of association and resiliency has been the backbone of the Internet's success. This holds true for those serving legitimate content and services, and for those meaning to do harm. This paper will demonstrate how historical DNS resolution data can be used to identify patterns of malicious domain registrations. It will also show how to identify weak points, assisting security analysts in the defense of their networks.
Current Issues in DNS
by Craig Wright - December 30, 2008
This paper will look at the issues facing DNS as well as conduct an analysis of the existing DNS infrastructure to assess its state and weaknesses.
DNS Spoofing by The Man In The Middle
by Ian Green - May 5, 2005
This paper is based on a vulnerability in the Windows XP DNS resolver. While other parties have recently published this vulnerability, the vulnerability was independently discovered during research for this paper.
The Evolving Threats to the Availability and Security of the Domain Name Service
by John Holmblad - December 13, 2003
This paper provides an overview of the role of the Domain Name Server (DNS) system among the essential components that comprise the Internet and the World Wide Web as we know it today, and examines the security-related aspects of its operation, along with some of the key exploits that have been mounted in the last several years against the system and the services that it provides.
Installation of a Red Hat 9.0 server with DNS services, emphasising security
by Mark Chandler - September 8, 2003
This paper seeks to provide an edited account of the work done by the author to create a minimal-install, primary DNS server based on a Linux platform including some discussion as to why certain decisions were made and the reasons for the method used to build the system.
Security Issues with DNS
by Florent Carli - June 2, 2003
This document first reviews some basics about how DNS works, then explains the different ways a hacker can attack the DNS protocol implementation to use it to his own advantage.
DNS, DNSSEC and the Future
by David Hinshelwood - May 30, 2003
The aim is to mitigate the risks of misconfiguration and attack so downtime is kept to a minimum or compensated for by reducing the single point of failure.
How Secure are the Root DNS Servers?
by Susan Baranowski - May 6, 2003
This paper addresses the current state of the root name server system and its operation.
Why is securing DNS zone transfer necessary?
by Steve Lau - March 31, 2003
This paper will focus on the reason for securing DNS zone transfers between DNS Name Servers, concentrating on the use of the allow-transfer statement in Berkeley Internet Name Domain (BIND) DNS to accomplish the goal of preventing DNS poisoning or spoofing.
Defense in Depth for DNS
by Cheng Teoh - February 13, 2003
This paper will focus on security for the most widely used DNS server on the Internet, namely the Berkeley Internet Name Domain (BIND).
Current Issues in DNS Security: ICANN's November 2001 Annual Meeting
by James Sweetman - November 28, 2001
After a brief, policy-level introduction to DNS and ICANN, this paper summarizes the results of a 4-day meeting held during November 2001, on DNS security issues addressing: existing DNS security measures, security risks in the DNS and number management, and the responses by ICANN and the community.
DNS Security Considerations and the Alternatives to BIND
by Lim Chor - October 2, 2001
This paper discusses important considerations regarding DNS Security.
The Achilles Heal of DNS
by Christopher Irving - August 2, 2001
This paper will attempt to illustrate the consequences of protocols associated with routing and DNS attacks which either completely lack or have very poor methods of authentication.