Take Control, Let's Talk Cyber Defense!
Data Driven Strategy - DNS Security Analysis
DNS logs contain a wealth of information that can help identify malicious activity in your network. They can also be used directly to build a data-driven cyber security strategy for network perimeter security. In this post, we'll explore the DNS attributes security analysts use to detect threats like Domain Generation Algorithms (DGAs), DNS tunneling, and other malicious activities. We then outline how you can use the data for your cyber strategy.
1/11/2025, 5 min read


Core DNS Attributes
Security teams should collect the following five fundamental attributes when performing DNS analysis:
Timestamp: When the query was received. Temporal data makes it possible to detect bursts, periodic patterns, and other time-based anomalies.
Source IP: The IP address from which the DNS query originates. Tracking query patterns per host and identifying potentially compromised systems becomes possible through this attribute.
Query Domain: The domain name being resolved. Most security analysis centres on this attribute, since the queried names are where malicious activity tends to show.
Query Type: The form of DNS record being asked for (A, AAAA, MX, TXT, CNAME, etc.). Different kinds of malicious activity show distinct query-type patterns by which they can be identified.
Response Code: The status with which the DNS server responds (NOERROR, NXDOMAIN, SERVFAIL, etc.). Certain malicious activities produce noticeable spikes in specific response codes, NXDOMAIN in particular.
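As an added example (not code from the original post), here is a small parser that pulls the five core attributes out of resolver log lines and discards malformed ones. The line layout, the sample log and the value sets are constructed for the example; real resolvers (BIND, Unbound, cloud DNS logging) each have their own format and need their own regular expression.

```python
import re
from datetime import datetime, timezone

# Constructed sample log: timestamp, source IP, query domain, query type,
# response code. The layout is an assumption for this example.
SAMPLE_LOG = """\
2025-01-11T10:15:02Z 10.0.0.5 www.example.com. A NOERROR
2025-01-11T10:15:02Z 10.0.0.5 WWW.EXAMPLE.COM AAAA NOERROR
2025-01-11T10:15:03Z 10.0.0.7 mail.example.com. MX NOERROR
2025-01-11T10:15:04Z 10.0.0.9 xk3j9fq2lm.info A NXDOMAIN
this line is garbage and must be skipped
2025-01-11T10:15:05Z 10.0.0.9 qz8w1nv7tr.biz TXT NXDOMAIN
2025-01-11T10:15:06Z 10.0.0.9 example.com BOGUS NOERROR
"""

# Hypothetical line layout; the five capture groups are the core attributes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)\s+(?P<rcode>[A-Z]+)$"
)

KNOWN_QTYPES = {"A", "AAAA", "MX", "TXT", "CNAME", "NS", "PTR", "SOA", "SRV", "NULL", "ANY"}
KNOWN_RCODES = {"NOERROR", "NXDOMAIN", "SERVFAIL", "REFUSED", "FORMERR"}


def normalize_qname(name: str) -> str:
    """Lower-case and strip the trailing dot so the same domain compares equal."""
    return name.rstrip(".").lower()


def parse_line(line: str):
    """Return a record dict for one log line, or None if it is malformed.

    Unknown query types are kept but flagged, because odd types are themselves
    a signal worth keeping; unknown response codes are rejected as corrupt.
    """
    m = LINE_RE.match(line.strip())
    if not m or m["rcode"] not in KNOWN_RCODES:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {
        "timestamp": ts,
        "source_ip": m["src"],
        "query_domain": normalize_qname(m["qname"]),
        "query_type": m["qtype"],
        "qtype_known": m["qtype"] in KNOWN_QTYPES,
        "response_code": m["rcode"],
    }


def parse_log(text: str):
    """Parse all lines, returning (records, number_of_rejected_lines)."""
    records, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    return records, rejected


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, rejected {bad}")
    for r in recs:
        print(r["timestamp"].isoformat(), r["source_ip"], r["query_domain"],
              r["query_type"], r["response_code"])
```

Counting rejected lines matters in practice: a sudden rise in unparseable lines usually means the log format changed upstream, and a detection pipeline that silently drops them goes blind.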
Derived Attributes
The core attributes are the foundation; derived attributes build on them for a more detailed picture. Here is what we can calculate from the core data.
Domain-Based Attributes
We analyze the query domain to extract these attributes:
Subdomain length and complexity: long, random-looking subdomain labels are a common indicator of tunneling or algorithmically generated names.
Top Level Domain (TLD) patterns: which TLDs are queried, and how that compares with the TLDs your organisation normally uses.
Domain structure (number and length of parts): how many labels a name has and how long each one is; legitimate names usually have few, short labels.
Character composition analysis adds to these: vowel and consonant ratios, the share of digits and special characters, and the entropy of the label. Together they describe how "word-like" a name is.
Organizations should use these attributes to detect Domain Generation Algorithms (DGAs), because algorithmically generated domains have atypical character statistics.
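An added example (not the post's own code) computing the domain-based attributes above for a single query name: label structure, TLD, and character statistics including Shannon entropy. The registered-domain split assumes the last two labels, which is a simplification; production code should use the Public Suffix List so that names like example.co.uk are handled correctly.

```python
import math
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character: roughly 2-3 for dictionary words, 3.3+ for random strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consecutive consonants (digits break a run)."""
    best = run = 0
    for c in s:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def split_domain(qname: str):
    """Split into (subdomain labels, registered domain, tld).

    Assumption for this example: the registered domain is the last two labels.
    Use the Public Suffix List in production.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def domain_features(qname: str) -> dict:
    """Derived, domain-based attributes for one query name."""
    subs, registered, tld = split_domain(qname)
    labels = qname.rstrip(".").lower().split(".")
    # Character statistics exclude the TLD (a fixed vocabulary) and the dots.
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    letters = [c for c in body if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    return {
        "label_count": len(labels),
        "subdomain_count": len(subs),
        "longest_label": max(len(l) for l in labels),
        "subdomain_length": sum(len(l) for l in subs),
        "tld": tld,
        "registered_domain": registered,
        "entropy": round(shannon_entropy(body), 3),
        "digit_ratio": round(sum(c.isdigit() for c in body) / max(len(body), 1), 3),
        "special_ratio": round(sum(not c.isalnum() for c in body) / max(len(body), 1), 3),
        "vowel_ratio": round(vowels / max(len(letters), 1), 3),
        "consecutive_consonants": longest_consonant_run(body),
    }


if __name__ == "__main__":
    for name in ("www.example.com", "xk3j9fq2lm.info"):
        print(name, domain_features(name))
```

The two sample names show the contrast the text describes: the real host name has entropy around 2.6, a vowel ratio of 0.3 and no digits, while the random-looking one has entropy 3.3, no vowels and a 30% digit share.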
Query Pattern Attributes
Malicious activity usually has a different traffic pattern from legitimate use. We can build analytics on query rates (per IP address and per domain), the number of unique client IP addresses querying each domain, the spread of query times, and error response rates (e.g., the NXDOMAIN share of a host's queries).
These patterns help identify command-and-control traffic, DNS tunneling, and other malicious communications.
Time-Based Attributes
Temporal analysis captures another aspect of attacker behaviour and adds a second "behavioural pattern plane" for discovering anomalies and potential attacks. Data points here include:
Time intervals between queries
Hourly query patterns
Burst detection
Sequential query patterns
Unusual timing often indicates automated malicious activity, since legitimate user traffic follows more natural, irregular patterns; a host that queries at exactly the same interval for hours is a machine, not a person.
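The query-pattern attributes and the time-based attributes above, computed over a constructed record set as an added example (not from the original post): per-source query counts and NXDOMAIN ratio, unique clients per domain, inter-query interval regularity, and sliding-window burst detection. The IPs, names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _t(s):
    return datetime.fromisoformat(s)


# Constructed records: (timestamp, source_ip, query_domain, rcode).
# 10.0.0.5 is an ordinary client; 10.0.0.9 queries random-looking names every
# 60 s and mostly gets NXDOMAIN; 10.0.0.7 fires 40 queries within two seconds.
RECORDS = [
    (_t("2025-01-11T10:00:00"), "10.0.0.5", "www.example.com", "NOERROR"),
    (_t("2025-01-11T10:00:11"), "10.0.0.5", "cdn.example.net", "NOERROR"),
    (_t("2025-01-11T10:02:47"), "10.0.0.5", "www.example.com", "NOERROR"),
    (_t("2025-01-11T10:00:00"), "10.0.0.9", "xk3j9fq2lm.info", "NXDOMAIN"),
    (_t("2025-01-11T10:01:00"), "10.0.0.9", "qz8w1nv7tr.biz", "NXDOMAIN"),
    (_t("2025-01-11T10:02:00"), "10.0.0.9", "p0d4hs7yak.info", "NXDOMAIN"),
    (_t("2025-01-11T10:03:00"), "10.0.0.9", "m2ylr0cq8d.net", "NOERROR"),
] + [
    (_t("2025-01-11T10:05:00") + timedelta(milliseconds=50 * i), "10.0.0.7",
     f"host{i}.corp.example", "NXDOMAIN")
    for i in range(40)
]


def query_pattern_stats(records):
    """Per-source query count, unique domains and NXDOMAIN ratio; clients per domain."""
    per_src = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "domains": set()})
    clients_per_domain = defaultdict(set)
    for ts, src, qname, rcode in records:
        s = per_src[src]
        s["queries"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["domains"].add(qname)
        clients_per_domain[qname].add(src)
    out = {
        src: {
            "queries": s["queries"],
            "unique_domains": len(s["domains"]),
            "nxdomain_ratio": round(s["nxdomain"] / s["queries"], 3),
        }
        for src, s in per_src.items()
    }
    return out, {d: len(c) for d, c in clients_per_domain.items()}


def timing_stats(records, src):
    """Inter-query intervals for one source: mean, coefficient of variation (CV),
    and whether the timing is regular enough to look like automated beaconing.
    A low CV means machine-like regularity; the mean-gap floor keeps a single
    burst (tiny, identical gaps) from being mistaken for a beacon."""
    times = sorted(ts for ts, s, _, _ in records if s == src)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return {"intervals": len(gaps), "mean_gap": None, "cv": None, "regular": False}
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else 0.0
    return {"intervals": len(gaps), "mean_gap": round(m, 1), "cv": round(cv, 3),
            "regular": cv < 0.1 and m >= 1.0}


def bursts(records, window=timedelta(seconds=2), threshold=20):
    """Sliding-window burst detection: sources with more than `threshold`
    queries inside any `window`, with the peak count observed."""
    by_src = defaultdict(list)
    for ts, src, _, _ in records:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    per_src, per_domain = query_pattern_stats(RECORDS)
    for src in per_src:
        print(src, per_src[src], timing_stats(RECORDS, src))
    print("bursts:", bursts(RECORDS))
```

On the sample data the beaconing host shows a CV of 0 with a 60 s mean gap and a 75% NXDOMAIN ratio, the normal client shows irregular gaps, and the sweeping host is caught by the burst window rather than by regularity.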
Practical Applications
The traffic attributes described above can feed traditional rule-based, ML, or AI-based processing to build a powerful detection system. A few examples of the insight they give into your company's threat landscape:
A stream of high-entropy domains from a single IP, most of them answered NXDOMAIN and spaced at regular intervals, is the classic DGA (domain generation algorithm) signature: the infected host generates candidate rendezvous domains algorithmically and tries them until one resolves to live command-and-control infrastructure, and the many misses show up as NXDOMAIN. Attackers guessing your own host names to reconstruct your zone data is a different activity, enumeration, covered by the third point below.
A high volume of queries for long, unique subdomains of one domain, often using record types that carry arbitrary payloads (TXT, NULL) and returning unusually large responses, suggests DNS tunneling.
Rapid sequential queries across many subdomains of your zones, mostly returning NXDOMAIN, indicate scanning or enumeration attempts.
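Turning the three observations above into detection rules, as an added example that is not part of the original post: the constructed records contain one host of each kind plus a normal client, and the rules combine the attributes from the previous sections (entropy, NXDOMAIN share, subdomain length and uniqueness, query type, timing). The zone name corp.example, the thresholds and the two-label registered-domain assumption are illustrative and will need tuning against your own baseline.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

OUR_ZONES = {"corp.example"}   # assumption: the organisation's own DNS zone(s)


def _t(s):
    return datetime.fromisoformat(s)


# Constructed records: (timestamp, source_ip, query_domain, query_type, rcode).
RECORDS = (
    # 10.0.0.9 beacons once a minute to random-looking names; only the last resolves.
    [(_t("2025-01-11T10:00:00") + timedelta(seconds=60 * i), "10.0.0.9", name, "A",
      "NXDOMAIN" if i < 5 else "NOERROR")
     for i, name in enumerate(["xk3j9fq2lm.info", "qz8w1nv7tr.biz", "p0d4hs7yak.info",
                               "m2ylr0cq8d.net", "b7vtkz3pne.org", "f4wqsdl9xc.com"])]
    # 10.0.0.21 sends long, unique TXT queries under one domain (a tunnel carrier).
    + [(_t("2025-01-11T10:10:00") + timedelta(seconds=i), "10.0.0.21",
        f"{i:04x}{'ab12' * 12}.t.tunnel.example", "TXT", "NOERROR") for i in range(30)]
    # 10.0.0.7 walks through host names in our own zone, all NXDOMAIN, within seconds.
    + [(_t("2025-01-11T10:20:00") + timedelta(milliseconds=100 * i), "10.0.0.7",
        f"host{i}.corp.example", "A", "NXDOMAIN") for i in range(40)]
    # 10.0.0.5 is an ordinary client.
    + [(_t("2025-01-11T10:30:00"), "10.0.0.5", "www.example.com", "A", "NOERROR"),
       (_t("2025-01-11T10:31:10"), "10.0.0.5", "mail.example.com", "A", "NOERROR")]
)


def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels; use the Public Suffix List in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def detect(records):
    """Return (source_ip, finding, detail) tuples for the three patterns."""
    per_src = defaultdict(list)
    for rec in records:
        per_src[rec[1]].append(rec)
    findings = []
    for src, recs in per_src.items():
        n = len(recs)
        names = [r[2] for r in recs]
        nx_ratio = sum(r[4] == "NXDOMAIN" for r in recs) / n
        by_domain = Counter(registered_domain(q) for q in names)

        # DGA: mostly distinct registered domains, random-looking first labels,
        # and most lookups failing because the attacker registered only a few.
        mean_ent = sum(entropy(q.split(".")[0]) for q in names) / n
        if n >= 5 and len(by_domain) / n > 0.8 and mean_ent > 3.0 and nx_ratio >= 0.5:
            findings.append((src, "dga",
                             f"{len(by_domain)} domains, entropy {mean_ent:.2f}, nxdomain {nx_ratio:.0%}"))

        # Tunneling: many unique, long subdomains under one registered domain,
        # dominated by record types that carry arbitrary payloads (TXT, NULL).
        for dom, cnt in by_domain.items():
            if cnt < 20:
                continue
            qs = [r for r in recs if registered_domain(r[2]) == dom]
            uniq = {r[2] for r in qs}
            mean_sub_len = sum(len(q) - len(dom) - 1 for q in uniq) / len(uniq)
            payload_share = sum(r[3] in ("TXT", "NULL") for r in qs) / cnt
            if len(uniq) / cnt > 0.9 and mean_sub_len > 40 and payload_share > 0.5:
                findings.append((src, "tunneling",
                                 f"{dom}: {len(uniq)} unique subdomains, mean length {mean_sub_len:.0f}"))

        # Enumeration: a sweep of distinct names in our own zone, nearly all
        # NXDOMAIN, inside a short time window.
        for zone in OUR_ZONES:
            ours = [r for r in recs if registered_domain(r[2]) == zone]
            if len(ours) < 20:
                continue
            span = (max(r[0] for r in ours) - min(r[0] for r in ours)).total_seconds()
            uniq_share = len({r[2] for r in ours}) / len(ours)
            nx_share = sum(r[4] == "NXDOMAIN" for r in ours) / len(ours)
            if uniq_share > 0.9 and nx_share > 0.8 and span < 60:
                findings.append((src, "enumeration",
                                 f"{zone}: {len(ours)} names in {span:.1f}s, nxdomain {nx_share:.0%}"))
    return findings


if __name__ == "__main__":
    for src, kind, detail in detect(RECORDS):
        print(f"{src:10} {kind:12} {detail}")
```

Each rule requires several attributes to agree before it fires; that is what keeps the false positive rate down, since a CDN can produce high-entropy names, a mail server can produce TXT-heavy traffic, and a monitoring system can produce NXDOMAIN bursts, but rarely all of the conditions of one rule at once.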
Best Practices for Collection
To make the most of DNS analysis, consider these best practices:
Collect core attributes consistently - many DNS products provide detailed query logs, and DNS services in public cloud platforms can log queries for asynchronous ingestion into analytics engines.
Maintain sufficient historical data for pattern analysis - retaining raw logs in full is feasible for companies with smaller DNS traffic; at higher volumes, roll raw records up into more compact aggregates (per-source and per-domain counts, response code distributions) and keep the raw data only for a shorter window.
Maintain accurate time stamps throughout the entire infrastructure.
Collect additional context where possible, such as geographic location or network segment; when aggregating by client address, /24 prefixes for IPv4 and /48 prefixes for IPv6 are practical units.
All data should be stored in a format that allows for fast querying, look-up, and analysis.
Information Use
DNS attributes offer powerful lenses through which to analyze security. Security teams can create more effective detection systems and better protect their networks against various threats through a comprehensive understanding of both core and derived attributes.
It's important to collect these attributes and understand how they combine, along with which patterns signal bad actors. These DNS attributes serve as the foundation of effective network security monitoring, whether you are building a security analytics platform or conducting incident response.
Building Data-Driven Strategy
Let us have a look at how you can use the information described above to build an effective and measurable cyber-security strategy for protection of your network perimeter.
1. Threat Landscape Assessment
Landscape assessment can be based on the following indicators:
High-Risk Patterns
DGA-like domain activity frequency
Suspicious query patterns
Data exfiltration attempts
Infrastructure Vulnerabilities
Exposed services through DNS
Misconfigured DNS servers
Unauthorized DNS resolvers
These should be used to create a priority matrix that ranks the external threats against your company networks.
2. Strategic Response Framework
Your response framework informs changes to the structure and runbooks / SOPs of your threat response team(s). It should have three levels based on timeframe: immediate, medium-term, and long-term.
We assume that a team and escalation paths for security incidents are already in place; without them, the actions below cannot be assigned or tracked to completion.
Immediate Actions (0-30 days)
DNS Traffic Control - here are three examples of what your short-term actions may be.
Implement DNS filtering for detected DGA patterns
Block outbound DNS requests to unauthorized resolvers
Deploy DNS response policy zones (RPZ) - a DNS firewall mechanism: a locally served zone whose records tell the resolver to rewrite, block, or drop answers for domain names (and for resolved IP ranges) that are known to be malicious or of negligible value to your business.
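An added example of a minimal RPZ zone file for BIND (not from the original post; the domain names, addresses and the zone name rpz.local are placeholders). The resolver loads it as an ordinary primary zone and activates it with `response-policy { zone "rpz.local"; };` in named.conf; the target of each CNAME selects the action.

```text
; rpz.local - response policy zone (placeholder names and addresses)
$TTL 300
@   IN SOA  localhost. hostmaster.localhost. ( 2025011101 3600 900 604800 300 )
    IN NS   localhost.

; QNAME triggers: answer NXDOMAIN for a DGA-style domain and all its subdomains
xk3j9fq2lm.info          CNAME .
*.xk3j9fq2lm.info        CNAME .

; QNAME trigger: NODATA (empty answer) instead of NXDOMAIN
qz8w1nv7tr.biz           CNAME *.

; QNAME trigger: drop the query silently (no response at all)
p0d4hs7yak.info          CNAME rpz-drop.

; RPZ-IP trigger: block any answer that resolves into 192.0.2.0/24
; (prefix length, then the address octets reversed, under .rpz-ip)
24.0.2.0.192.rpz-ip      CNAME .

; RPZ-NSDNAME trigger: block any name served by a known-bad nameserver
ns1.bad-hoster.example.rpz-nsdname  CNAME .

; RPZ-CLIENT-IP trigger: quarantine one internal host (10.0.0.9/32) by
; answering NXDOMAIN to everything it asks
32.9.0.0.10.rpz-client-ip  CNAME .

; Exempt your own domain from any rewriting
example.com              CNAME rpz-passthru.
*.example.com            CNAME rpz-passthru.
```

Two operational caveats: reload the zone (or serve it via zone transfer from a feed) rather than restarting the resolver, and log RPZ hits, because each hit is itself a high-quality alert that names the client and the blocked domain.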
Monitoring Enhancements
Deploy real-time DNS analytics
Set up alerts for identified threat patterns
Establish baseline for normal DNS behaviour
Incident Response Updates
Update playbooks with new DNS threat patterns
Train team on new detection methods and/or how to use new alerting sources, integrate those into your information and response flows
Establish rapid response procedures for DNS-based attacks
Medium-Term Initiatives (30-90 days)
The goal of medium-term tasks is to formalize the new procedures and security requirements. The main aspects of these initiatives are policy and standard updates, infrastructure hardening, and automation of processes that require fast reaction time and/or repeatability for infrastructure changes and development.
Infrastructure Hardening
Deploy DNSSEC
Deploy DNS over HTTPS (DoH) from clients to your own resolvers, and block unmanaged DoH to public resolvers: encrypted DNS that bypasses your resolvers also bypasses the logging and filtering the earlier steps depend on
Enhance reliability of DNS systems and security configurations
Policy Development
Create DNS usage policies
Establish domain registration procedures
Define acceptable DNS query patterns
Automation Development
Build automated response workflows
Develop custom DNS analysis tools
Create threat hunting scripts
Long-Term Strategy (90+ days)
This phase future-proofs the processes and attack protections introduced above.
Advanced Analytics
Machine learning or AI-based detection built on the DNS pattern analysis
Predictive threat modeling
Behavioural analysis implementation
Infrastructure Evolution
Zero trust DNS architecture
DNS security mesh deployment
Global DNS load balancing
3. Key Performance Indicators (KPI)
KPIs must contain at least two main aspects: operational metrics and security metrics.
Operational metrics may include:
DNS system availability and load
query resolution time
error rates (e.g., SERVFAIL)
Security metrics should reflect the new behavioural data and alerting:
time to detect DNS-based threats
false positive rate (i.e., impact on legitimate users)
blocked malicious domains
Other aspects of the new strategy must include resource planning, budget allocation, risk management, mitigation strategies, and long-term continuous improvement.
You should always define success criteria to report the effect of the new strategy across your company.

