
Reading Room


DNS Issues

Featuring 26 Papers as of April 16, 2021

  • Preventing Windows 10 SMHNR DNS Leakage (Graduate Student Research)
    by Robert Upchurch - March 3, 2021 

    Microsoft enables Smart Multi-Homed Name Resolution (SMHNR) by default, sending name lookups out of all the connected interfaces for all configured name resolution protocols: DNS, LLMNR, and NetBIOS over TCP/IP (NetBT). Research on the effect that SMHNR has on DNS behavior showed that several users were concerned with DNS leakage ("DNS Leaks," 2017). DNS leakage is where unauthorized parties can observe, intercept, and possibly tamper with the name lookups or the lookup responses. Users were also frustrated by operational issues, such as attempting to resolve a private network hostname and receiving no response, a slow response, or an incorrect response while connected to a VPN ("Windows 10", 2015). This frustration led to users attempting to disable SMHNR ("Turn Off," 2021), but it did not always resolve the issue. The process to disable SMHNR varied based on the edition of Windows used, so the goal was to investigate the effect of SMHNR on DNS behavior and pursue an edition-agnostic, native operating system method to mitigate that effect. Testing revealed that Name Resolution Policy Table (NRPT) rules provided a simple, scalable, and agile mechanism for controlling DNS client behavior that was effective across the multiple editions of Windows and worked irrespective of whether SMHNR was on or off.

  • The Strategic Value of Passive DNS to Cyber Defenses and Risk Management (Analyst Paper, requires membership in community)
    by Dave Shackleford - February 22, 2021 

    Passive DNS has come to play a significant role in the realm of information security—and not just due to its mission-critical status for domain name resolution. This paper explores how passive DNS may help detect and prevent many attacks that other security tools cannot.

  • Replacing WINS in an Open Environment with Policy Managed DNS Servers (Graduate Student Research)
    by Mark Lucas - September 21, 2020 

    In some environments, Windows workstations require placement on the open internet. In order to protect the read-write domain controllers, administrators locate them in a protected enclave behind a firewall, and read-only domain controllers authenticate workstations during day-to-day operations. While this is strong protection for the read-write domain controllers, the configuration breaks the standard dynamic DNS registration of Windows workstations with the read-write domain controller. In our environment, we have maintained WINS servers linked to Windows DNS via the WINS lookup function to continue finding workstations by name. The TechNet page on WINS (Davies, 2011) was last updated almost nine years ago, and Microsoft has been actively encouraging the abandonment of WINS (Ross & Mcillece, 2020). This paper explores Windows DNS Policies to replace WINS with Dynamic DNS and policy-controlled responses to queries. Utilizing source IP addresses, DNS policies can regulate the provided answers. The operability of DNS Policies and their applicability to this solution are evaluated in depth.

  • Dealing with DoH: Methods to Increase DNS Visibility as DoH Gains Traction (Graduate Student Research)
    by Scott Fether - May 6, 2020 

    Microsoft is planning to implement DNS over HTTPS (DoH) in the native Windows DNS Client (Jensen, Pashov, & Montenegro, 2019). Firefox and Chrome have already implemented this protocol in their browsers. Because of DoH’s encrypted nature and use of port 443, security analysts will need to adjust their log collection and analysis techniques. Much of the literature available regarding DoH suggests either preventing the use of DoH (Hjelm, 2019, p. 20) or utilizing SSL/TLS proxies to inspect the queries (Middlehurst, 2018). Firefox can generate host logs on DoH resolution, which includes unencrypted queries and answers. This research will explore various inspection and logging techniques that will identify the most effective approach to analyzing DoH.

  • Challenges in Effective DNS Query Monitoring (Graduate Student Research)
    by Caleb Baker - October 23, 2019 

    Domain Name System (DNS) queries are fundamental functions of modern computer networks. Capturing the contents of DNS queries and analyzing the logged data is a recommended practice for gaining insight into activity on a network and monitoring for unusual behavior. Multiple solutions and approaches are available for monitoring DNS queries. Some methods add the capability to redirect queries identified as malicious, stopping an attack. This paper investigates the effectiveness of solutions that utilize the monitoring of DNS queries to detect and block DNS queries identified as potential indicators of compromise. The performance of each tool will be evaluated against a sample of real-world threats that utilize DNS queries. As the prevalence of DNS query monitoring increases, attackers will need to take steps to bypass monitoring by obfuscating DNS queries. Accordingly, this paper will also assess the capabilities of each tool to detect techniques for DNS query obfuscation.

  • A New Needle and Haystack: Detecting DNS over HTTPS Usage (Graduate Student Research)
    by Drew Hjelm - September 10, 2019 

    Encrypted DNS technologies such as DNS over HTTPS (DoH) give users new means to protect privacy while using the Internet. Organizations will face new obstacles for monitoring network traffic on their networks as users attempt to use encrypted DNS. First, the paper presents several tests to perform to detect encrypted DNS using endpoint tools and network traffic monitoring. The goal of this research is to present several controls that organizations can implement to prevent the use of encrypted DNS on enterprise networks.

  • Digging for Gold: Examining DNS Logs on Windows Clients (Graduate Student Research)
    by Amanda Draeger - May 22, 2019 

    Investigators can examine Domain Name Service (DNS) queries to find potentially compromised hosts by searching for queries that are unusual or to known malicious domains. Once the investigator identifies the compromised host, they must then locate the process that is generating the DNS queries. The problem is that Windows hosts do not log DNS client transactions by default, and there is little documentation on the structure of those logs. This paper examines how to configure several modern versions of Windows to log DNS client transactions to determine the originating process for any given DNS query. These configurations will allow investigators to determine more quickly not only which host is compromised, but also what the malicious process is.

  • Securing DNS Against Emerging Threats: A Hybrid Approach (Analyst Paper, requires membership in community)
    by John Pescatore - March 16, 2017 

    This paper looks at the impact of mobility and new attack vectors on DNS-related risk and outlines use cases for securing DNS services more effectively. It also examines the use of a hybrid model of on-premises and cloud-based services to improve the security posture of organizations.

  • Is Anyone Out There? Monitoring DNS for Misuse (Graduate Student Research)
    by Kaleb Fornero - December 30, 2016 

    In the early 1980s, a system was born by which millions of users would unlock the untold amounts of computer information located around the world. The creation of the Domain Name System (DNS) not only allowed for the traversal of the Internet with user-friendly URLs, but also created a means of misuse, a means of deception. This paper will outline the way in which DNS may be abused for command and control channels as well as data exfiltration by deconstructing deceptive packets and outlining the anomalies within them. With this analytical information, the development of active network monitoring rules will be provided to detect these irregularities and identify DNS exploitation.

  • Using Splunk to Detect DNS Tunneling (Graduate Student Research)
    by Steve Jaworski - June 1, 2016 

    DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network and, using nslookup, perform an A record lookup for If it resolves with the site's IP address, that endpoint is susceptible to DNS tunneling. Logging DNS transactions from different sources such as network taps and the DNS servers themselves can generate large volumes of data to investigate. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on the target organization's network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools, then in using Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able to apply what they learn to any enterprise network.

  • Implementation and use of DNS RPZ in malware and phishing defence
    by Alex Lomas - April 3, 2014

    Many organisations, large and small, have a need for outbound content filtering.

  • Detecting DNS Tunneling (Graduate Student Research)
    by Greg Farnham - March 19, 2013 

    Web browsing and email use the important protocol, the Domain Name System (DNS), which allows applications to function using names, such as, instead of hard-to-remember IP addresses.

  • DNS Sinkhole
    by Guy Bruneau - November 9, 2010

    Why use a DNS sinkhole? The Domain Name Service is a core service used to access the Internet, so control of DNS equates to at least partial control of Internet traffic. By intercepting outbound DNS requests attempting to access known malicious domains, such as botnets, spyware, and fake antivirus, an organization can control the response and prevent organization computers from connecting to these domains. This activity prevents unwanted communications and is capable of mitigating known and unknown threats hosted on known malicious or unwanted domains.

  • Visualizing the Hosting Patterns of Modern Cybercriminals
    by Andrew Hunt - September 21, 2010

    The Domain Name Service (DNS) is critically important to translating human readable domain names into Internet Protocol (IP) addresses. Take Google, for example. Without DNS, users would find it extremely difficult to connect to one of the hundreds of IP addresses providing Google's services. Resolving '' via DNS provides the user almost instantaneous access to Google content from the closest four of its thousands of servers. This speed of association and resiliency has been the backbone of the Internet's success. This holds true for those serving legitimate content and services, and for those meaning to do harm. This paper will demonstrate how historical DNS resolution data can be used to identify patterns of malicious domain registrations. It will also show how to identify weak points, assisting security analysts in the defense of their networks.

  • CURRENT ISSUES IN DNS (Graduate Student Research)
    by Craig Wright - December 30, 2008 

    This paper will look at the issues facing DNS as well as conduct an analysis of the existing DNS infrastructure to assess its state and weaknesses.

  • DNS Spoofing by The Man In The Middle
    by Ian Green - May 5, 2005

    This paper is based on a vulnerability in the Windows XP DNS resolver. While other parties have recently published this vulnerability, the vulnerability was independently discovered during research for this paper.

  • The Evolving Threats to the Availability and Security of the Domain Name Service
    by John Holmblad - December 13, 2003

    This paper provides an overview of the role of the Domain Name Server (DNS) system among the essential components that comprise the Internet and the World Wide Web as we know it today, examines the security related aspects of its operation, along with some of the key exploits that have been mounted in the last several years against the system and the services that it provides.

  • Installation of a Red Hat 9.0 server with DNS services, emphasising security
    by Mark Chandler - September 8, 2003

    This paper seeks to provide an edited account of the work done by the author to create a minimal-install, primary DNS server based on a Linux platform including some discussion as to why certain decisions were made and the reasons for the method used to build the system.

  • Security Issues with DNS
    by Florent Carli - June 2, 2003

    This document first reviews some basics about how DNS works, then goes into explaining the different ways a hacker can attack the DNS protocol implementation to use it to his own advantage.

  • DNS, DNSSEC and the Future
    by David Hinshelwood - May 30, 2003

    The aim is to mitigate the risks of mis-configuration and attack so down time is kept to a minimum or compensated for by reducing the single point of failure.

  • How Secure are the Root DNS Servers?
    by Susan Baranowski - May 6, 2003

    This paper addresses the current state of the root name server system and its operation.

  • Why is securing DNS zone transfer necessary?
    by Steve Lau - March 31, 2003

    This paper will focus on the reason for securing DNS zone transfers between DNS Name Servers, concentrating on the use of the allow-transfer statement in Berkeley Internet Name Domain (BIND) DNS to accomplish the goal of preventing DNS poisoning or spoofing.

  • Defense in Depth for DNS
    by Cheng Teoh - February 13, 2003

    This paper will focus on security for the most widely used DNS server on the Internet, namely the Berkeley Internet Name Domain (BIND).

  • Current Issues in DNS Security: ICANN's November 2001 Annual Meeting
    by James Sweetman - November 28, 2001

    After a brief, policy-level introduction to DNS and ICANN, this paper summarizes the results of a 4-day meeting held during November 2001, on DNS security issues addressing: existing DNS security measures, security risks in the DNS and number management, and the responses by ICANN and the community.

  • DNS Security Considerations and the Alternatives to BIND
    by Lim Chor - October 2, 2001

    This paper discusses important considerations regarding DNS Security.

  • The Achilles Heal of DNS
    by Christopher Irving - August 2, 2001

    This paper will attempt to illustrate the consequences of protocols associated with routing and DNS attacks which either completely lack or have very poor methods of authentication.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.