What is it about?

An in-depth examination of DNS logs collected over a long period revealed several interesting, legitimate uses of the DNS protocol by industry and other players beyond its normal name resolution function. We coin the term "off-label use of DNS" for these use cases. Legitimate here simply means using DNS for non-malicious purposes other than the one it was designed for: domain resolution, a dictionary service mapping domain names to the corresponding IP addresses. One of the main reasons DNS is used, or arguably misused, in these off-label ways is that it offers fast data transfer with low bandwidth overhead, and it is almost always allowed through network boundaries. These off-label uses often leak useful information about the clients and the software they are running, and network defenders and analysts can leverage that information in a variety of ways to improve detection on their networks. This research details some of those legitimate off-label use cases and shows how analysts can use them to detect malware trends in the network, and much more, just by analyzing an enterprise's DNS logs.
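To make the idea concrete, the following is an added example (not the paper's own code or data) of the kind of log analysis the summary describes: a small Python script that walks through constructed DNS log lines in a Zeek-like tab-separated layout and tags queries that look like off-label use. The three heuristic categories (reversed-IP lookups under a non-PTR zone, TXT queries used as a data channel, and names carrying long hexadecimal labels), the zone names and the client addresses are all assumptions chosen for illustration; a real deployment would tune them to the query patterns actually seen in its own logs.

```python
"""Tag DNS queries that look like off-label use of the protocol.

Added example, not from the paper or the page. The log lines, zone names,
client addresses and heuristic categories below are constructed for
illustration only.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in a Zeek-like dns.log layout: ts  client  query  qtype
SAMPLE_LOG = """\
1693000000.1\t10.0.0.5\twww.example.com\tA
1693000000.2\t10.0.0.5\t2.0.0.127.zen.example-dnsbl.net\tA
1693000000.3\t10.0.0.7\tversion-check.av-vendor.example\tTXT
1693000000.4\t10.0.0.7\t4f3a1b2c9d8e.7b6c5d4e.exfil.example\tA
1693000000.5\t10.0.0.9\tmail.example.org\tMX
1693000000.6\t10.0.0.5\t5.4.3.2.in-addr.arpa\tPTR
"""

# Four dotted decimal labels followed by some zone: the shape of a
# reversed-IP lookup (both normal PTR lookups and blocklist-style lookups).
REVERSED_IPV4 = re.compile(r"^(\d{1,3}\.){4}(?P<zone>[a-z0-9.-]+)$", re.I)
# A label that is nothing but 12 or more hex characters: data encoded in
# the name rather than a human-chosen hostname.
HEX_LABEL = re.compile(r"^[0-9a-f]{12,}$", re.I)


def classify(query: str, qtype: str):
    """Return the off-label category a query falls into, or None."""
    q = query.rstrip(".").lower()
    m = REVERSED_IPV4.match(q)
    if m and not m.group("zone").endswith(("in-addr.arpa", "ip6.arpa")):
        # Reversed IP under a zone that is not the reverse tree: the client
        # is asking a DNS-based reputation/blocklist service about that IP.
        return "ip-reputation-lookup"
    if qtype.upper() == "TXT":
        # TXT records are a common carrier for version/config strings that
        # software fetches over DNS instead of HTTP.
        return "txt-channel"
    if any(HEX_LABEL.match(label) for label in q.split(".")):
        # Long hex labels carry a payload in the name; legitimate telemetry
        # and tunnelling look alike here, so this is a review flag, not a verdict.
        return "encoded-payload"
    return None


def parse_log(text: str):
    """Yield (client, query, qtype) from tab-separated log lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, client, query, qtype = line.split("\t")
        yield client, query, qtype


def summarize(text: str):
    """Per-client counts of off-label categories seen in the log."""
    per_client = defaultdict(Counter)
    for client, query, qtype in parse_log(text):
        category = classify(query, qtype)
        if category:
            per_client[client][category] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, counts)
```

On the constructed sample, 10.0.0.5 is flagged once for a blocklist-style lookup (its PTR query under in-addr.arpa is ordinary resolution and is ignored), 10.0.0.7 is flagged for both a TXT channel and an encoded-payload name, and 10.0.0.9 is not flagged at all. The categories are deliberately coarse: the point is to surface which hosts are speaking to which off-label services, and from that infer what software they run, not to declare any single query malicious.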


Why is it important?

This is an engineer's investigation of interesting-looking DNS logs, and its findings can be applied directly to real-world network traffic monitoring. The work scratches the surface of how one of the oldest internet protocols is used not by the book, and it changes our notion of what counts as accepted use and misuse of an internet protocol.

Perspectives

Applied research is something that is needed in the security industry. This work is an example of how one can fuse the two worlds of research and engineering to solve some real-world issues and problems in cybersecurity. As an author I take pride in my work, which is always an effort to try to solve some of the challenges faced by the cybersecurity industry.

Fatema Bannat Wala
Lawrence Berkeley National Lab

Read the Original

This page is a summary of: "Off-Label" Use of DNS, Digital Threats: Research and Practice, September 2022, ACM (Association for Computing Machinery), DOI: 10.1145/3491261.