DNS audits are integral to ensuring an organization’s security. Since DNS records are public by nature, knowing exactly what those records say assists the organization’s security team with identifying any incorrect information, as well as any information that may be exploited and used against the organization. In addition, DNS records are of vital importance to cyber security investigations. Once a malicious domain is identified, DNS records assist in enumerating further information about that domain, as well as any other similar malicious DNS entries.
DNS Auditing and Investigations
For an organization’s security, performing a full DNS audit should be a regular task. Such an audit provides a window into both the legitimate and the illegitimate domains associated with the organization, and shows whether any of those domain records contain unwanted information.
An audit also shows whether DNS records have been changed, how the organization’s email domains are rated by large email hosting providers, and whether the records themselves are safe from theft.
Identifying Domain and Typo Squatting
Domain and typo squatting are a subset of phishing techniques in which an attacker purchases a domain that is highly similar to an existing, popular domain. The attacker then waits until someone mistypes the popular domain and subsequently lands on the imposter page.
This attack is common enough that many organizations proactively purchase mistyped variants of their own domains in order to keep them out of the hands of would-be attackers.
For example, when searching for “whitepages” in DigitalStakeout’s Domain Name Search, several variations appear:
Although many of those variations may in fact be legitimate domains owned by foreign versions of the White Pages, at least two of them, “www-whitepages.com” and “whitepages.dj”, are likely illegitimate. The first, “www-whitepages.com”, is a prime example of typo squatting: typing a dash instead of a period in the fully qualified domain name is a common mistake, and it appears that an attacker may be seeking to take advantage of it. Since this domain is registered through “GoDaddy”, it is unlikely to belong to the White Pages, which uses AWS as its host (as seen below):
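As an added example (not DigitalStakeout’s code and not part of the original post), the following Python triages a batch of observed domains against a brand domain using the two lookalike patterns described above, a dash in place of the dot and a swapped top-level domain; the result set it runs over is constructed.

```python
import re
from typing import Optional

def lookalike_pattern(observed: str, brand: str) -> Optional[str]:
    """Classify an observed domain against a brand domain using the two
    patterns discussed in the text: a dash in place of the dot that should
    separate a host name from the domain (www-brand.com), and a swapped
    top-level domain (brand.dj). Returns the pattern name, or None when
    the observed domain does not resemble the brand."""
    observed = observed.lower().rstrip(".")
    brand = brand.lower().rstrip(".")
    if observed == brand:
        return "exact"
    if "." not in observed or "." not in brand:
        return None
    brand_label, brand_tld = brand.rsplit(".", 1)
    obs_label, obs_tld = observed.rsplit(".", 1)
    # e.g. "www-whitepages.com": a host label glued to the brand with a dash
    if obs_tld == brand_tld and re.fullmatch(
            r"[a-z0-9]+-" + re.escape(brand_label), obs_label):
        return "dash-for-dot"
    # e.g. "whitepages.dj": same label, different top-level domain
    if obs_label == brand_label and obs_tld != brand_tld:
        return "tld-swap"
    return None

def triage(domains, brand: str) -> dict:
    """Map each domain that resembles the brand to its lookalike pattern;
    non-matching domains are dropped so the result is a review queue."""
    result = {}
    for d in domains:
        pattern = lookalike_pattern(d, brand)
        if pattern is not None:
            result[d] = pattern
    return result

# Constructed sample of a domain-search result set (not real search output).
SAMPLE_RESULTS = ["whitepages.com", "www-whitepages.com", "whitepages.dj",
                  "yellowpages.com", "whitepages.co.uk", "www.whitepages.com"]

if __name__ == "__main__":
    for domain, pattern in triage(SAMPLE_RESULTS, "whitepages.com").items():
        print(f"{domain:25} {pattern}")
```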
Identifying Third-party Infrastructure
DigitalStakeout also includes CNAME (Canonical Name) records in its DNS record discovery datasets. A CNAME is an alias that points an alternate domain name to the canonical domain name, which in turn is associated with the A record. This gives domain administrators the luxury of updating only the authoritative record when changes are necessary, rather than updating the A record for each individual variation of the domain name (think example.com compared to www.example.com). In many cases, a CNAME is used to brand a third-party service, such as a technical support site like Zendesk or Desk.com. In this example, we discover domains whose host names point to their respective Zendesk.com subdomains.
Enumerating CNAME records in this way is useful for identifying shadow IT that has been branded under the organization’s domain, and it is an important audit point for documenting third-party vendors and subprocessors in order to remain in compliance with the new GDPR regulations.
Verifying SPF records
DNS applies to mail servers just as it applies to websites, since email also relies on DNS data to route messages. If a domain has an associated mail server, its zone contains an “MX” (mail exchange) record, which works together with the Sender Policy Framework (SPF) record to route email properly. The SPF record lists the host names and IP addresses that are authorized to send mail for a given domain.
Using DNS Search, you can view all SPF records associated with a domain, and all domains associated with an SPF record. For example, if someone in your organization receives a spoofed email that still has an intact IP address in the header, you can use the SPF pivot to search for that IP and view detailed information on that domain:
The above example looks at the IP address 126.96.36.199 and cross-checks it against known malicious domains. Indeed, it returns a Polish domain that appears to be related to some sort of wellness activity. We can see that the IP address appears in the SPF record, denoting that the IP is an authorized mail server for that domain.
Another important use of SPF records is to compare the SPF record of a domain with the DKIM record in an email header. DKIM (DomainKeys Identified Mail) is a cryptographic mechanism which assists in authenticating the sender of an email. Used in conjunction with DMARC (Domain-based Message Authentication, Reporting and Conformance), an additional authentication method, it makes it possible to understand whether or not an email came from the domain it claims to be from.
DMARC authentication is made up of two alignment checks, performed using the SPF record and the email header. First, the email’s From domain and Return-Path domain should be the same; if they are, SPF is aligned. Second, if the email’s From domain matches the “d=” field in the DKIM signature header, DKIM is aligned and the email is fully authenticated.
If neither of the above is aligned, most email service providers will treat the email as spam and reject it outright. If at least one of them is aligned, the sender is understood to own the DNS space and is therefore authenticated.
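As an added example (not DigitalStakeout’s code and not part of the original post), the Python below applies the two checks described above to message headers: it tests whether a sending IP is listed in a domain’s SPF record, then evaluates From/Return-Path (SPF) alignment and From/DKIM d= (DKIM) alignment and reports the DMARC outcome. The SPF record and headers are constructed samples; only flat ip4:/ip6: mechanisms are evaluated, and the optional relaxed mode uses a naive two-label organizational domain rather than the Public Suffix List, both assumptions of this example.

```python
import ipaddress
import re

# Constructed SPF record for a hypothetical domain; not real zone data.
SAMPLE_SPF = "v=spf1 ip4:126.96.36.199 ip4:203.0.113.0/24 ~all"

def ip_authorized_by_spf(ip: str, spf: str) -> bool:
    """Return True when ip matches a permitted ip4:/ip6: mechanism in spf.
    include:, a and mx mechanisms would need further DNS lookups and are
    skipped here (an assumption of this example, not full SPF evaluation)."""
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:            # skip the leading "v=spf1"
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if addr in net:                 # v4 vs v6 mismatch is never "in"
                return qualifier == "+"     # "-" / "~" mean fail / softfail
    return False

def _domain(addr: str) -> str:
    """Extract the bare domain from 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def _org_domain(domain: str) -> str:
    """Naive organizational domain (last two labels); a real implementation
    consults the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])

def dmarc_alignment(from_hdr: str, return_path: str, dkim_sig: str,
                    relaxed: bool = False) -> dict:
    """Apply the two alignment checks from the text: From vs Return-Path
    (SPF alignment) and From vs the DKIM-Signature d= tag (DKIM alignment).
    DMARC passes when at least one identifier aligns."""
    from_dom = _domain(from_hdr)
    rp_dom = _domain(return_path)
    m = re.search(r"\bd=([^;\s]+)", dkim_sig)
    dkim_dom = m.group(1).lower() if m else ""
    cmp = _org_domain if relaxed else (lambda d: d)
    spf_ok = cmp(from_dom) == cmp(rp_dom)
    dkim_ok = bool(dkim_dom) and cmp(from_dom) == cmp(dkim_dom)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    print(ip_authorized_by_spf("126.96.36.199", SAMPLE_SPF))
    print(dmarc_alignment("Alice <alice@example.com>", "<bounce@example.com>",
                          "v=1; a=rsa-sha256; d=example.com; s=sel; h=from"))
```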
Shared Nameserver Investigations
Another useful technique that runs parallel to DNS auditing is investigating allegedly malicious domains through the infrastructure they share, such as common nameservers and sub-zones of the domain name system. One of the easier methods is to look at the records for a particular domain and then pivot to the various pieces of that domain’s infrastructure. One of those pieces is the nameserver. Once a malicious domain is identified, there is a decent likelihood that other malicious domains share some sort of infrastructure with the original domain, such as the nameserver.
With the Super Bowl just around the corner, many people are likely to start placing bets. In an attempt to take advantage of some common terms in the sports betting world, a domain called “nfl-barclaycard.com” has appeared.
What is interesting about this DNS entry is that the domain is registered in the United States, but both name servers are on “.ru” top-level domains. Using DigitalStakeout’s pivot search feature, we can see that one of those name servers carries several other domains that appear to be domain squatting entries: