ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0
6.16k stars, 648 forks

Implement host DNS cache rate detection #5137

Open martinscheu opened 3 years ago

martinscheu commented 3 years ago

Hello, DGA detection / DNS data exfiltration is difficult to detect. An indicator of malicious activity is to check the host cache hit rate. If a host is asking for a lot of names which are not in the cache, it is suspicious. Thank you. Regards, Martin

simonemainardi commented 3 years ago

Which cache do you have in mind? Please, explain, and attach an example if possible. Thanks.

martinscheu commented 3 years ago

Hi Simone, I have the DNS cache hit rate in mind. A client asks the DNS server; if the response is already in the cache, that is one number; if the DNS server is forwarding the request, that is another number. Over time, a client with a high number of forwarded DNS requests is suspicious. Obviously the DNS server needs to be within the network, and to / from it needs to be monitored. Actually I am not sure how feasible it is. Thanks.

martinscheu commented 3 years ago

It depends on the network setup, but in small or home networks it would work, as typically the DNS server has one IP address, so I can monitor DNS server in / out requests. I can use the Unexpected DNS Check to figure out the DNS servers used.
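A worked version of the heuristic described in this thread, as an added example that is not ntopng code nor anything posted by the participants. It assumes a monitoring point that sees both the client-to-resolver queries and the resolver's forwards to upstream servers (Martin's "DNS server in / out requests"): a client query is counted as a cache miss when the local resolver sends a query for the same name outside the local network shortly afterwards, and as a cache hit otherwise. The resolver address (192.168.1.1), the local network, the forward window, the thresholds and the log line format are all assumptions chosen for the example, and the sample log is constructed.

```python
"""Per-client DNS cache-miss rate detector (added example, not ntopng code).

Assumption: the monitoring point sees client -> resolver queries and
resolver -> upstream forwards. A client query is a cache MISS when the
resolver forwards the same name upstream within FORWARD_WINDOW seconds
(each forward explains at most one client query); otherwise it is a HIT.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

RESOLVER = "192.168.1.1"                          # local DNS server (assumed)
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local network
FORWARD_WINDOW = 0.5       # seconds between a client query and the forward
MIN_QUERIES = 5            # ignore hosts with too few queries to judge
MISS_RATIO_THRESHOLD = 0.8 # flag hosts whose miss ratio exceeds this


@dataclass
class DnsQuery:
    ts: datetime
    src: str
    dst: str
    qname: str


def parse_line(line: str) -> DnsQuery | None:
    """Parse the constructed format '<iso-ts> query <src> -> <dst> <qname>'."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "query" or parts[3] != "->":
        return None
    return DnsQuery(datetime.fromisoformat(parts[0]), parts[2], parts[4], parts[5].lower())


def cache_miss_stats(lines) -> dict[str, tuple[int, int]]:
    """Return {client_ip: (client_queries, cache_misses)}."""
    queries = [q for q in map(parse_line, lines) if q]
    # Forwards: resolver -> address outside the local network, keyed by name.
    forwards: dict[str, list[list]] = defaultdict(list)
    for q in queries:
        if q.src == RESOLVER and ipaddress.ip_address(q.dst) not in LOCAL_NET:
            forwards[q.qname].append([q.ts, False])   # [timestamp, consumed]
    stats: dict[str, list[int]] = defaultdict(lambda: [0, 0])
    for q in sorted(queries, key=lambda e: e.ts):
        if q.dst != RESOLVER or ipaddress.ip_address(q.src) not in LOCAL_NET:
            continue                                   # not a local client query
        stats[q.src][0] += 1
        for fwd in forwards[q.qname]:
            delta = (fwd[0] - q.ts).total_seconds()
            if not fwd[1] and 0 <= delta <= FORWARD_WINDOW:
                fwd[1] = True                          # earliest query owns the forward
                stats[q.src][1] += 1
                break
    return {ip: (n, m) for ip, (n, m) in stats.items()}


def suspicious_hosts(stats: dict[str, tuple[int, int]]) -> list[tuple[str, float]]:
    """Hosts with enough queries and a miss ratio above the threshold."""
    flagged = [(ip, round(m / n, 2)) for ip, (n, m) in stats.items()
               if n >= MIN_QUERIES and m / n > MISS_RATIO_THRESHOLD]
    return sorted(flagged)


# Constructed sample log: .10 reuses two names (mostly hits), .20 asks six
# distinct never-seen labels (all forwarded), .30 asks a name whose forward
# is already explained by .10's earlier query.
SAMPLE_LOG = [
    "2024-01-01T10:00:00.000 query 192.168.1.10 -> 192.168.1.1 www.example.com",
    "2024-01-01T10:00:00.005 query 192.168.1.30 -> 192.168.1.1 www.example.com",
    "2024-01-01T10:00:00.010 query 192.168.1.1 -> 9.9.9.9 www.example.com",
    "2024-01-01T10:00:01.000 query 192.168.1.10 -> 192.168.1.1 www.example.com",
    "2024-01-01T10:00:02.000 query 192.168.1.10 -> 192.168.1.1 mail.example.com",
    "2024-01-01T10:00:02.010 query 192.168.1.1 -> 9.9.9.9 mail.example.com",
    "2024-01-01T10:00:03.000 query 192.168.1.10 -> 192.168.1.1 mail.example.com",
    "2024-01-01T10:00:04.000 query 192.168.1.10 -> 192.168.1.1 www.example.com",
    "2024-01-01T10:00:05.000 query 192.168.1.10 -> 192.168.1.1 mail.example.com",
] + [
    # six constructed random-looking labels, each forwarded 10 ms later
    line
    for i, label in enumerate(["k3j9x2", "p0q7zt", "m8v1ra", "d5w2ys", "h6n4lb", "c9t3fe"])
    for line in (
        f"2024-01-01T10:00:{10 + i:02d}.000 query 192.168.1.20 -> 192.168.1.1 {label}.example.net",
        f"2024-01-01T10:00:{10 + i:02d}.010 query 192.168.1.1 -> 9.9.9.9 {label}.example.net",
    )
]

if __name__ == "__main__":
    stats = cache_miss_stats(SAMPLE_LOG)
    for ip, (n, m) in sorted(stats.items()):
        print(f"{ip}: {n} queries, {m} misses, miss ratio {m / n:.2f}")
    print("suspicious:", suspicious_hosts(stats))
```

Pairing each upstream forward with at most one client query matters in a shared-resolver setup: when two hosts ask the same name almost simultaneously the resolver forwards once, and only the first asker should be charged with the miss. The thresholds are deliberately conservative placeholders; a real deployment would want them tuned per network and combined with the existing unexpected-DNS-server check to pick the resolver address automatically.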