The Value of DNS Response Data

BY Rebekah Taylor

What if you asked a question and received nothing in response?

As in, “Hey John, can I get you something from the café?” Or, “What time does that meeting start?” And in return you get … total silence.

How useful would that be? Sure, there’s some value in knowing what your question was, but you’re asking it to get an answer. The answer is the most important part—it gives you additional information that you need so that you can proceed with your task at hand.

In the realm of DNS, we have traditionally cared just about questions. But logging a DNS question only tells a fraction of the story. With BlueCat DNS Edge, we’ve changed the paradigm by logging responses to those queries as well. By doing so, we’re uncovering a wealth of information for our customers about what’s happening on their networks and helping them to generate more precise policies.

Why DNS response data matters

Typically, when your computer makes a DNS query, the DNS server receives and logs the question. It then fetches the answer from wherever it needs to and sends the response back to your computer. The response data isn't recorded. With DNS Edge, DNS queries and responses are logged together, so both pieces of information are reported.

What’s the value in capturing all this response data?

Suppose a hacker wants to redirect everybody who goes to a legitimate site to their phishing site. If you’re only logging the outbound queries, everything would appear to be perfectly fine: there would be no way to see that the answer is pointing users to a bad site.

Only the DNS response shows us what’s actually going on, and gives us the power to apply some intelligence to that process. By incorporating DNS response data into its workflow, DNS Edge asks: Where is this DNS query resolving to? Why does the response not match the query data? Who is redirecting this query?

Using DNS response data for security

Looking at DNS response data kind of seems like a no-brainer, yet it is surprisingly rare. Until recently, most enterprises were only blocking bad DNS questions, while ignoring response data completely. But with hacked DNS servers, DNS tunneling, and 91 percent of malware using DNS in attacks, it is increasingly clear that response data may contain even more value than the outbound query.

Response data also helps IT staff create more informed and precise policies. Hostnames often resolve through aliases — usually cryptic combinations of letters and numbers, but sometimes domain names designed to look similar to a real site. If hackers can mask their scheme behind a “good”-looking query name, blocking answers—not questions—becomes extremely important. In cases like these, the question may not be malicious; the answer is. Traditional DNS tools skip that level of monitoring.
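To make the "block the answer, not the question" idea concrete, here is an added example (not DNS Edge code, and not from this post) that evaluates the answer section of each logged query against a per-zone policy. The log format, the `EXPECTED` policy table and the sample lines are all constructed for the example; the second line shows a benign-looking question whose alias and address land outside the expected targets.

```python
import ipaddress

# Constructed sample log lines (not a real DNS Edge format): each line holds
# the client's question and the full answer section as "qname|rr;rr;rr",
# where each rr is "owner TYPE rdata".
SAMPLE_LOG = [
    "www.example.com|www.example.com CNAME cdn-a1b2.example-cdn.net;cdn-a1b2.example-cdn.net A 203.0.113.10",
    "www.example.com|www.example.com CNAME login.examp1e-secure.net;login.examp1e-secure.net A 198.51.100.7",
    "mail.example.com|mail.example.com A 192.0.2.25",
]

# Hypothetical policy: for each queried zone, which alias targets and which
# address ranges an answer is allowed to land on. Anything else is a finding.
EXPECTED = {
    "example.com": {
        "alias_suffixes": ("example.com", "example-cdn.net"),
        "networks": [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("192.0.2.0/24")],
    }
}

def parse_line(line):
    """Split a constructed log line into (qname, [(owner, type, rdata), ...])."""
    qname, answers = line.split("|", 1)
    rrs = [tuple(rr.split(" ", 2)) for rr in answers.split(";") if rr]
    return qname, rrs

def zone_of(qname, policy):
    """Find the policy zone that the queried name belongs to, if any."""
    for zone in policy:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None

def check_response(line, policy=EXPECTED):
    """Return findings about the answer; an empty list means it matches policy."""
    qname, rrs = parse_line(line)
    zone = zone_of(qname, policy)
    if zone is None:
        return ["no policy for %s" % qname]
    rules, findings = policy[zone], []
    for owner, rtype, rdata in rrs:
        # The question is fine; the alias in the answer is what gets judged.
        if rtype == "CNAME" and not rdata.endswith(rules["alias_suffixes"]):
            findings.append("alias %s -> %s outside expected suffixes" % (owner, rdata))
        elif rtype in ("A", "AAAA"):
            if not any(ipaddress.ip_address(rdata) in n for n in rules["networks"]):
                findings.append("%s resolves to %s outside expected networks" % (owner, rdata))
    return findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry.split("|", 1)[0], check_response(entry) or "ok")
```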

When DNS Edge logs response data, you get visibility into the entire lifecycle of a DNS query – a powerful tool for cybersecurity professionals on the front line.

Rebekah Taylor

Rebekah Taylor is a freelance writer and editor who has been translating technical speak into prose for more than 18 years. Before BlueCat, she spent eight years doing communication work as a contractor for the U.S. Coast Guard in Washington, D.C., and was previously a journalist, reporting stories for a daily county newspaper and defense industry publication. Her first job in the early 2000’s was at a small Palo Alto start-up called VMware. She holds degrees from Cornell University and Columbia University’s Graduate School of Journalism.
