DNS has an important role in how end users connect to the internet. Inspecting DNS traffic between client devices and your local or external DNS servers could reveal suspicious activity. This is possible by using specific widgets and thanks to the aggregation capabilites of the Devo application. In order to be available for most of the customers, we decided to use only firewall logs to detect DNS traffic behaviour.
Using the time travel option at the top, it is possible to apply a time filter to the widgets in the tab in order to inspect activity at an earlier date. You can select a single day by clicking a day in the heat calendar widget. For instance a day with an especially high amount of traffic. Then select Apply interval and all widgets will be updated immediately.
Alternatively, you can select either a single day or a time period using the time travel filter controls. There are buttons for selecting recent periods or calendar controls to select specific dates.
DNS traffic evolution
You can check the DNS traffic history through a heat calendar that shows the daily amount of DNS traffic over the last 12 months. The line chart next to it shows a comparison of traffic using DNS versus non-DNS traffic over the last 30 days.
DNS traffic flow
In a large organization, it is important to know the performance of the DNS servers. Using the Security Insights application and the aggregation capabilites of Devo it is possible to detect internal servers that might be operating as DNS servers.
For this purpose, we will use a cross search wigdet that joins two different queries. The first query detects outbound traffic to internal DNS servers (on the left). The second query detects outbound traffic to external authoritative name servers, or DNS root servers (on the right). The correlation between both queries ensures that the servers shown in the middle are those ones acting as DNS. You can cross-reference these servers with the company DNS list to see if any server is missing, or if any server is acting as a DNS when it shouldn’t, or if a DNS server doesn’t appear to be serving names correctly.
This Sankey diagram shows the IP addresses that have requested more than 15 different DNS during the selected period, and the table lists the IPs that have requested the most different DNS during the selected time period.