DNS analytics

From Wikipedia, the free encyclopedia

DNS Analytics is the surveillance (collection and analysis) of DNS traffic within a computer network. Because almost every connection a host makes begins with a name lookup, DNS traffic is a rich source of evidence for information security and computer forensics, in particular for identifying insider threats, malware, cyberweapons, and advanced persistent threat (APT) campaigns within computer networks.

Because DNS Analytics works on the exchanges between DNS clients and DNS servers during query resolution and dynamic updates, it typically involves request logging, per-node (per-client) historical monitoring, tabulation of request counts, and other calculations over the logged traffic. Security, described below, is the primary driver, but a second motivation is understanding a network's traffic so that it can be evaluated for improvement or optimization. For example, query logs for a lab may show a large number of hosts resolving the same software-update hostname; with that evidence, a local update server or cache can be installed to cut external traffic.
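The tasks just listed (request logging, per-node history, request tabulation) in working form, as an added example that is not part of the original article or of any product it mentions. It parses a handful of constructed BIND-style query-log lines (the timestamps, client addresses and names are invented for the example), counts queries per client and per name, builds an hourly history per client, and picks out names resolved by many distinct clients, which is the signal behind the local update server case described above.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in BIND-style query-log format. These lines are made up
# for this example; nothing here comes from the article or a real network.
SAMPLE_LOG = """\
12-Mar-2024 09:00:01.120 client 10.1.4.21#51234: query: updates.example-vendor.com IN A + (10.1.0.53)
12-Mar-2024 09:00:01.540 client 10.1.4.22#51235: query: updates.example-vendor.com IN A + (10.1.0.53)
12-Mar-2024 09:00:02.010 client 10.1.4.23#51236: query: updates.example-vendor.com IN A + (10.1.0.53)
12-Mar-2024 09:00:02.330 client 10.1.4.21#51237: query: www.wikipedia.org IN AAAA + (10.1.0.53)
12-Mar-2024 09:00:03.870 client 10.1.4.24#51238: query: updates.example-vendor.com IN A + (10.1.0.53)
12-Mar-2024 10:15:09.002 client 10.1.4.21#51239: query: updates.example-vendor.com IN A + (10.1.0.53)
12-Mar-2024 10:15:10.414 client 10.1.4.25#51240: query: mail.example.org IN MX + (10.1.0.53)
"""

# Timestamp, client address, queried name and query type; the rest is ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_log(text):
    """Parse BIND-style 'query:' lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "client": m.group("client"),
            # normalise the name so 'Foo.Example.COM.' and 'foo.example.com' tabulate together
            "qname": m.group("qname").lower().rstrip("."),
            "qtype": m.group("qtype"),
        })
    return records


def count_by_client(records):
    """Total queries per client address."""
    return Counter(r["client"] for r in records)


def count_by_qname(records):
    """Total queries per normalised name."""
    return Counter(r["qname"] for r in records)


def hourly_by_node(records):
    """Per-client request history bucketed by hour: {client: {'YYYY-MM-DD HH': n}}."""
    hist = defaultdict(Counter)
    for r in records:
        hist[r["client"]][r["ts"].strftime("%Y-%m-%d %H")] += 1
    return {client: dict(h) for client, h in hist.items()}


def shared_hotspots(records, min_clients=3):
    """Names queried by at least min_clients distinct clients, with the client count.

    Many hosts resolving the same vendor update name is the evidence that a
    local update server or cache would reduce external traffic."""
    clients_per_name = defaultdict(set)
    for r in records:
        clients_per_name[r["qname"]].add(r["client"])
    return {name: len(c) for name, c in clients_per_name.items() if len(c) >= min_clients}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("queries per client:", count_by_client(recs).most_common())
    print("queries per name:  ", count_by_qname(recs).most_common())
    print("hourly history:    ", hourly_by_node(recs))
    print("shared hotspots:   ", shared_hotspots(recs))
```

On the constructed sample the hotspot check reports `updates.example-vendor.com` as resolved by four distinct clients. Newer BIND releases print a slightly different `client` prefix (an `@0x...` pointer and the name in parentheses), so the regex is the part to adjust when pointing this at a real log.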

Published Research

Published research shows that state-sponsored malware and APT campaigns leave DNS indicators of compromise (IOCs), most visibly the command-and-control (C&C) domain names that infected hosts resolve. Since June 2010, cyberweapon platforms and agents have been analysed by labs including Kaspersky Lab, ESET, Symantec, McAfee, Norman Safeground, and Mandiant. Their published findings include detailed analyses of Stuxnet,[1] Flame,[2] Hidden Lynx,[3] Operation Troy,[4] The NetTraveler,[5] Operation Hangover,[6] Mandiant APT1,[7] and Careto.[8] Because these reports publish the domains the campaigns used, hosts that resolve those domains can be identified within a network with DNS analytics tools. Such a match is only as good as the indicator list: once a campaign rotates its infrastructure, indicator matching alone misses it, which is why the tools below also look for anomalies in query behaviour rather than relying on known-bad names only.

DNS Analytics Tools

  • Endgame, Inc. developed a tool named Clairvoyant Squirrel[9] which performs large-scale malicious domain classification.
  • AlphaSOC LLC developed DNS Analytics for Splunk,[10] which performs DNS anomaly detection on DNS logs indexed in Splunk.
  • Microsoft's OMS DNS Analytics (part of Operations Management Suite) uses Microsoft threat intelligence to list the clients that are resolving known-malicious domains, and also flags stale DNS records and provides other DNS analysis views.
  • DNS Made Easy developed DNS Analytics, which shows clients the query traffic for their domain(s) in real time. It can be used to troubleshoot spikes in query traffic, identify potential attacks and stale records, and optimize network configurations. The platform also includes a query logging feature that records queries as they reach a client's nameservers; the logs can be downloaded for troubleshooting.
  • Constellix (a subsidiary of DNS Made Easy) also has its own DNS Analytics platform with a query logging feature.
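The two detection styles the tools above describe, matching clients against known-malicious domains (the indicator approach of the published reports) and flagging anomalous query behaviour, in one runnable form. This is an added example written for this page; it is not code from any of the listed products, and its heuristics are generic ones, not any vendor's algorithm. The indicator list and the query records are constructed for the example (the domain names are invented and are not indicators from any of the cited reports). Input is a list of `(client, name, rcode)` tuples, the shape a query-log parser would produce.

```python
import math
from collections import Counter, defaultdict

# Constructed indicator list. These names are invented for the example and are
# not indicators taken from any of the reports cited in the article.
IOC_DOMAINS = {"c2.example-bad.net", "update-check.example-evil.org"}

# Constructed query records: (client, queried name, response code).
SAMPLE_QUERIES = [
    ("10.1.4.21", "www.wikipedia.org", "NOERROR"),
    ("10.1.4.21", "beacon.c2.example-bad.net", "NOERROR"),
    ("10.1.4.22", "mail.example.org", "NOERROR"),
    ("10.1.4.23", "kq7zt3x9v2lp8m.example.com", "NXDOMAIN"),
    ("10.1.4.23", "x81hq0dz4tnw5r.example.com", "NXDOMAIN"),
    ("10.1.4.23", "p3mv9c2rj6ly0k.example.com", "NXDOMAIN"),
    ("10.1.4.23", "www.example.com", "NOERROR"),
    ("10.1.4.24", "update-check.example-evil.org", "NOERROR"),
]


def ioc_matches(records, iocs):
    """Map client -> set of queried names that equal an IOC domain or sit beneath one.

    Every label suffix is compared, so beacon.c2.example-bad.net matches the
    indicator c2.example-bad.net; plain string containment would also match
    unrelated names such as notc2.example-bad.net.example.org."""
    hits = defaultdict(set)
    for client, qname, _ in records:
        labels = qname.lower().rstrip(".").split(".")
        suffixes = {".".join(labels[i:]) for i in range(len(labels))}
        if suffixes & iocs:
            hits[client].add(qname)
    return dict(hits)


def shannon_entropy(s):
    """Bits per character of the string; random-looking labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_labels(records, min_len=12, min_entropy=3.5):
    """(client, name) pairs whose first label is long and high-entropy.

    A crude DGA / DNS-tunnelling heuristic: ordinary hostnames are short or
    dictionary-like, generated or data-carrying labels are neither."""
    out = []
    for client, qname, _ in records:
        first = qname.split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            out.append((client, qname))
    return out


def nxdomain_ratio(records):
    """Fraction of each client's queries answered NXDOMAIN.

    Hosts running a domain generation algorithm query many names that do not
    exist yet, so their NXDOMAIN share is far above that of normal clients."""
    total, nx = Counter(), Counter()
    for client, _, rcode in records:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {client: nx[client] / total[client] for client in total}


def report(records, iocs, nx_threshold=0.5):
    """Combine the three checks into per-client findings: {client: [(kind, detail), ...]}."""
    findings = defaultdict(list)
    for client, names in ioc_matches(records, iocs).items():
        findings[client].append(("ioc", sorted(names)))
    for client, qname in suspicious_labels(records):
        findings[client].append(("high-entropy-label", qname))
    for client, ratio in nxdomain_ratio(records).items():
        if ratio >= nx_threshold:
            findings[client].append(("nxdomain-ratio", round(ratio, 2)))
    return dict(findings)


if __name__ == "__main__":
    for client, items in sorted(report(SAMPLE_QUERIES, IOC_DOMAINS).items()):
        print(client)
        for kind, detail in items:
            print("   ", kind, detail)
```

On the constructed records the indicator check names clients `10.1.4.21` and `10.1.4.24`, while `10.1.4.23` is flagged only by behaviour (three random-looking labels and a 75% NXDOMAIN share) even though none of its names appear on the indicator list. The entropy and length thresholds are starting points; tune them against a baseline of the network's own benign traffic, since content delivery networks and some cloud services legitimately use long opaque labels.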

References

  1. ^ "Stuxnet Under the Microscope" (PDF). ESET.
  2. ^ "The Roof is on Fire - Tracking Flames C&C Servers". Kaspersky Lab.
  3. ^ "Hidden Lynx" (PDF). Symantec.
  4. ^ "Dissecting Operation Troy" (PDF). McAfee.
  5. ^ "The Nettraveler, Part 1" (PDF). Kaspersky Lab.
  6. ^ "Unveiling an Indian Cyberattack Infrastructure" (PDF). Norman Safeground.
  7. ^ "Mandiant APT1 Report" (PDF). Mandiant.
  8. ^ "Unveiling the Mask" (PDF). Kaspersky Lab.
  9. ^ Munro, Josh (January 2013). "Clairvoyant Squirrel: Large-scale Malicious Domain Classification". Endgame.
  10. ^ "DNS Analytics for Splunk". AlphaSOC.