by Stephanie Dunn
April 21, 2016
The Domain Name System (DNS) service is a critical component used by virtually every type of network, application, and service today. Managing DNS servers can also be challenging, as any misconfiguration on DNS servers can leave an organization’s network vulnerable to attack. The DNS Summary report presents an overall summary of DNS-related events and activity.
Reliable network connectivity is an essential part of business operations. Without DNS services, connecting to hosts both internally and externally would be impossible. DNS provides an inherent trust between clients and servers that allows organizations to quickly identify internal hosts and connect to external websites. However, this trust relationship can also be exploited, allowing attackers to compromise DNS servers and redirect clients to spoofed or malicious websites. Any disruption or compromise of DNS servers can severely impact an organization’s ability to conduct business. By continuously monitoring DNS services, organizations will be able to detect threats before critical services are impacted.
Using this report, analysts will be able to quickly identify and remediate misconfigurations within existing DNS servers. Several elements provide the latest information on existing DNS vulnerabilities and compliance issues that can present serious risks for the organization. Systems are scanned using Nessus and the Passive Vulnerability Scanner (PVS), which can alert security teams to possible DNS cache poisoning, DNS amplification attacks, denial of service attacks, and other DNS vulnerabilities that could be exploited by an attacker. The Log Correlation Engine (LCE) can detect events such as DNS queries and zone transfer requests from systems that have forwarded logs to the LCE. Additional elements will report on existing DNS server compliance, which can be useful in identifying blind spots within current DNS server configurations. Misconfigured DNS servers can cause network traffic to be improperly routed and result in network outages or downtime for an organization. Organizations can use the information provided within this report to strengthen enterprise security policies and harden existing DNS servers on the network.
This report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the SecurityCenter Feed under the category Discovery & Detection. The report requirements are:
- SecurityCenter 5.3.1
- Nessus 6.5.6
- LCE 4.8.0
- PVS 5.0.0
SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Nessus is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. PVS provides deep packet inspection to continuously discover DNS vulnerabilities traveling the wire. LCE correlates real-time events, and has the capability to discover users, operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and other critical infrastructure. SecurityCenter CV allows for the most comprehensive and integrated view of network health.
The following chapters are included in this report:
- Executive Summary - The Executive Summary chapter presents a summary of DNS events. Information on DNS events will alert analysts to zone transfers, client queries, and potential attacks. The Log Correlation Engine (LCE) can detect events such as DNS queries and zone transfer requests from systems that have forwarded logs to the LCE. Other activity, such as hosts attempting to access suspicious sites or DNS tunneling, may also be detected using this chapter.
- DNS Servers - The DNS Servers chapter presents an inventory of current DNS servers on the network. This information will provide a summary of DNS servers such as Microsoft DNS, ISC BIND, and PowerDNS. The table in this chapter will report on DNS services that have been detected by Nessus and PVS. Organizations can use the information provided in this chapter to detect unauthorized systems running DNS services.
- DNS Vulnerabilities - The DNS Vulnerabilities chapter displays a list of vulnerabilities related to DNS by count and severity. The element will report on the latest vulnerability information by severity level. Only the top 10 detections with severity levels of low, medium, high, and critical are included. Organizations should continuously monitor DNS servers, as vulnerabilities can disrupt network availability, damage systems, and leave critical assets exposed to attack.
- DNS Compliance Checks - The DNS Compliance Summary chapter presents information on the current DNS compliance status within the organization. Elements in this chapter can be used to determine which systems have failed DNS compliance checks or need to be manually checked. High severity represents failed audit checks, and medium severity represents checks that must be manually verified. Compliance failures presented within this chapter can provide targeted information that analysts need to identify and remediate outstanding DNS compliance issues in a timely manner. The included table can be modified to include additional or specific compliance information based on organizational needs.
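The Executive Summary chapter relies on DNS query logs forwarded to the LCE to surface zone transfer requests and possible DNS tunneling. As an added illustration of what that kind of correlation looks like (this is example code, not Tenable's or the LCE's), the block below parses a few constructed BIND 9 style query log lines, lists AXFR/IXFR requests by client, and flags clients that repeatedly query long, high-entropy leftmost labels under one domain, a common tunneling indicator. The log lines, the IP addresses and the threshold values are assumptions chosen for the example.

```python
import math
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format (not from the original page).
SAMPLE_LOG = """\
21-Apr-2016 10:15:32.101 client 10.0.0.5#53012: query: www.example.com IN A + (10.0.0.2)
21-Apr-2016 10:15:33.204 client 10.0.0.9#40211: query: example.com IN AXFR + (10.0.0.2)
21-Apr-2016 10:15:34.310 client 10.0.0.7#51001: query: mail.example.com IN MX + (10.0.0.2)
21-Apr-2016 10:15:35.422 client 10.0.0.7#51002: query: 4d6c2a9f8e1b7c3d5a2f9e8b7c6d5a4f3e2d1c0b.tunnel.example.net IN TXT + (10.0.0.2)
21-Apr-2016 10:15:36.533 client 10.0.0.7#51003: query: a1f3c9e7b2d4f6a8c0e2b4d6f8a0c2e4b6d8f0a2.tunnel.example.net IN TXT + (10.0.0.2)
"""

# Accepts both "client IP#port:" and "client IP#port (name):" variants of the query line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def shannon_entropy(s):
    """Bits per character; hex-encoded payloads score close to 4."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(text):
    """Return one dict (client, qname, qtype) per recognised query line."""
    return [m.groupdict() for m in map(QUERY_RE.search, text.splitlines()) if m]


def find_zone_transfers(rows):
    """Zone transfer requests are rare from clients; each one is worth a review."""
    return [(r["client"], r["qname"]) for r in rows if r["qtype"] in ("AXFR", "IXFR")]


def find_tunnel_candidates(rows, min_label_len=30, min_entropy=3.5, min_count=2):
    """Flag (client, base domain) pairs that repeatedly query long, high-entropy labels."""
    hits = Counter()
    for r in rows:
        labels = r["qname"].rstrip(".").split(".")
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            base = ".".join(labels[-3:])  # assumption: treat the last 3 labels as the base domain
            hits[(r["client"], base)] += 1
    return {k: v for k, v in hits.items() if v >= min_count}
```

Real deployments would tune the label length, entropy and count thresholds against their own baseline, since some CDNs and security products legitimately use long encoded labels.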