57. DNS Monitoring

Monitoring and proactively analyzing Domain Name Server (DNS) queries and responses has become a standard security practice for networks of all sizes. Many types of malware rely on DNS traffic to communicate with command-and-control servers, inject ads, redirect traffic, or transport data.

Among other things, DNS traffic analysis is commonly used to:

  • discover unknown devices that appear on the network;

  • monitor critical devices that have not issued a query within a predefined time window;

  • detect malware from young/esoteric domain lookups or consistent lookup failures; and

  • analyze host, subnet, or user behavioral patterns.

DNS traffic can quickly become overwhelming. To save resources, consider discarding any fields that will not be required for analysis.
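The following script is an added example (not from the original text or any specific product) showing the four analysis goals listed above and the field-reduction advice in one place: it parses a constructed query-log format down to the handful of fields the detections need, then flags unknown source hosts, critical hosts that have gone quiet, hosts with repeated NXDOMAIN answers, and query names whose leftmost label looks machine-generated. The log format, the host inventories, the thresholds and the use of label entropy as a proxy for "esoteric" names are all assumptions made here; true domain age would need registration data that a query log does not carry.

```python
"""DNS query-log triage: keep only needed fields, then run simple detections.

Added example. The log line format, host lists and thresholds below are
constructed for illustration and do not come from any real resolver.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log lines: "<ISO timestamp> <client-ip> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 www.example.com A NOERROR
2024-05-01T09:00:05 10.0.0.5 mail.example.com A NOERROR
2024-05-01T09:00:10 10.0.0.7 update.example.org A NOERROR
2024-05-01T09:00:30 10.0.0.9 xq7fz9k2p.example.net A NXDOMAIN
2024-05-01T09:00:31 10.0.0.9 a8d3k1m0z.example.net A NXDOMAIN
2024-05-01T09:00:32 10.0.0.9 v4t6y2b7q.example.net A NXDOMAIN
2024-05-01T09:00:33 10.0.0.9 b9w1x3c5n.example.net A NXDOMAIN
2024-05-01T09:10:00 10.0.0.5 www.example.com AAAA NOERROR
"""

KNOWN_HOSTS = {"10.0.0.5", "10.0.0.7"}      # hypothetical asset inventory
CRITICAL_HOSTS = {"10.0.0.5", "10.0.0.8"}   # hypothetical must-be-seen devices
SILENCE_WINDOW = timedelta(minutes=15)      # assumed "too quiet" threshold
NXDOMAIN_THRESHOLD = 3                      # assumed failures per host to alert
ENTROPY_THRESHOLD = 3.0                     # assumed bits/char of the first label


def parse(text):
    """Reduce each line to the four fields used below; discard the rest (qtype)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype, rcode = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.lower().rstrip("."),
            "rcode": rcode,
        })
    return records


def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = qname.split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def unknown_devices(records, known=KNOWN_HOSTS):
    """Source addresses that issued queries but are not in the inventory."""
    return sorted({r["client"] for r in records} - known)


def silent_critical_devices(records, now, critical=CRITICAL_HOSTS, window=SILENCE_WINDOW):
    """Critical hosts with no query inside the window ending at `now`."""
    last_seen = {}
    for r in records:
        if r["client"] in critical:
            last_seen[r["client"]] = max(last_seen.get(r["client"], r["ts"]), r["ts"])
    return sorted(h for h in critical
                  if h not in last_seen or now - last_seen[h] > window)


def lookup_failure_hosts(records, threshold=NXDOMAIN_THRESHOLD):
    """Hosts whose NXDOMAIN count reaches the threshold (possible DGA beaconing)."""
    failures = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {h: n for h, n in failures.items() if n >= threshold}


def esoteric_lookups(records, threshold=ENTROPY_THRESHOLD):
    """Query names whose first label has high character entropy."""
    return sorted({r["qname"] for r in records if label_entropy(r["qname"]) >= threshold})


def behaviour_profile(records):
    """Per-host query volume and distinct-name count, a base for pattern analysis."""
    names = defaultdict(set)
    volume = Counter()
    for r in records:
        volume[r["client"]] += 1
        names[r["client"]].add(r["qname"])
    return {h: {"queries": volume[h], "distinct": len(names[h])} for h in volume}


def analyze(text, now):
    """Run every detection over one log chunk and return a report dict."""
    records = parse(text)
    return {
        "unknown": unknown_devices(records),
        "silent_critical": silent_critical_devices(records, now),
        "lookup_failures": lookup_failure_hosts(records),
        "esoteric": esoteric_lookups(records),
        "profile": behaviour_profile(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, datetime(2024, 5, 1, 9, 20)).items():
        print(f"{key}: {value}")
```

The entropy check is deliberately crude; in practice it is tuned against a baseline of the organisation's own traffic and combined with the NXDOMAIN signal, since a single high-entropy label (a CDN hostname, for example) is common and benign on its own.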

According to RFC 7626, no country has privacy laws specific to DNS data collection. However, it is not clear whether the European Union's data protection directive 95/46/EC covers DNS traffic collection.