Monitor First – The DNS Edition

pentestAlthough the article below focuses on potential philosophical changes in pen testing, the author — Cricket Liu — incorporated a nice discussion on the importance of monitoring DNS towards the end. Basically, once the adversary gets into your network, they are going to need someway to communicate back out. And in most cases this communication will involve DNS.

In addition to the network’s perimeter, security professionals need to focus on points where communication leaves the network and expand the scope of penetration testing to include the possibility—perhaps the inevitability—that compromised devices are connected to the network. Often, this external communication is via the Domain Name System, or DNS. APTs often use DNS to call home and receive instructions, at which point they may download additional malware payloads and steal sensitive information—possibly tunneled through DNS.

By monitoring DNS traffic, looking both for known malicious destinations as well as suspicious traffic patterns, and disrupting this communication, companies can prevent valuable business and personal information from leaving the network. If an APT is prevented from “calling home,” it loses its potency. It may lie on the network for months undetected, but without a connection to the outside world, the damage it can do is very limited. This way, no matter how large the perimeter of a network grows, security teams can effectively manage key points of communication—including DNS—to render APTs ineffective.

Read the full article here.

For more on the topic of monitoring DNS, check out this great talk from Nathan Magniez.

(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. [email protected]grecs)


Today’s post pic is from

8 comments for “Monitor First – The DNS Edition

  1. March 21, 2015 at 6:47 pm

    Monitor First – The DNS Edition

  2. March 21, 2015 at 7:34 pm

    BLOGGED: Monitor First – The DNS Edition

  3. March 23, 2015 at 1:50 am

    Enterprise_ITS: byod_news: cceresola: Monitoring DNS traffic is efficient in terms of defense in depth #infosec #m…

  4. March 23, 2015 at 2:13 am

    Enterprise_ITS: Enterprise_ITS: cceresola: Monitoring DNS traffic is efficient in terms of defense in depth #infos…

  5. April 3, 2015 at 1:55 am

    “Monitor First – The DNS Edition” #podcast #feedly

  6. August 21, 2015 at 10:48 am

    Best Of: Monitor First – The DNS Edition

  7. September 6, 2015 at 10:00 am

    Monitor First – The DNS Edition – NovaInfosec

  8. November 13, 2015 at 2:52 pm

    Best Of: Monitor First – The DNS Edition

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.