Analysing Domain Name Server (DNS) Requests

The Internet protocol uses two types of tags for each device connected to the Internet. IP addresses (e.g. 137.138.16.5) are the machine-readable representation, but hardly comprehensible for humans. Therefore, each device also has a hostname. The Domain Name Server (DNS) translates between IP addresses and hostnames. At CERN, these are maintained and managed by the CERN/IT network group.

Every time a device needs to make an Internet connection, it queries the DNS in order to resolve the target hostname into an IP address. Therefore, these DNS requests for address resolution provide two important security mechanisms:

  • Detecting "malicious" hostnames: The Security Team permanently monitors all DNS requests and compares them with a well-defined list of known malicious hostnames. A request for a malicious hostname indicates a security event on the requesting device, e.g. the device might be infected by the "Conficker" worm, which is trying to "phone home";
  • Blocking access to "malicious" hostnames: Under certain circumstances, the Security Team might decide to proactively block the resolution of certain (malicious) hostnames. Thus, these domains cannot be reached anymore unless their IP address is explicitly used. Usually, this mechanism is used to prevent access to malicious Web sites used in "Phishing" emails.
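As an added illustration of both mechanisms above (this is example code, not the Security Team's or CERN/IT's actual tooling): the script parses a few constructed BIND-style DNS query log lines, matches each queried name against a small constructed blocklist (an entry matches the name itself and any subdomain of it, but not a name that merely ends in the same characters), reports the matches as security events, and simulates a resolver that answers NXDOMAIN for blocked names. The log format, the blocklist entries and the hostnames are all assumptions; only the IP address 137.138.16.5 comes from the page.

```python
"""Added example: detecting blocklisted hostnames in DNS query logs and
simulating resolver-side blocking. Constructed data throughout."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed BIND-style query log lines (the real log format is not stated on the page).
SAMPLE_LOG = """\
10-Mar-2010 09:15:01.123 client 137.138.16.5#53123: query: www.cern.ch IN A + (137.138.17.5)
10-Mar-2010 09:15:02.456 client 137.138.16.5#53124: query: update.bad-example.test IN A + (137.138.17.5)
10-Mar-2010 09:15:03.789 client 137.138.16.9#41001: query: login.cern-webmail.bad-example.test IN A + (137.138.17.5)
10-Mar-2010 09:15:04.012 client 137.138.16.9#41002: query: mail.example.org IN MX + (137.138.17.5)
10-Mar-2010 09:15:05.345 client 137.138.16.9#41003: query: notbad-example.test IN A + (137.138.17.5)
"""

# Constructed blocklist of "malicious" hostnames (hypothetical names, not real indicators).
BLOCKLIST: Set[str] = {"bad-example.test", "evil-c2.example"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class DnsQuery:
    timestamp: str
    client: str
    qname: str
    qtype: str


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one query log line; return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Normalise: drop a trailing dot and lower-case, so matching is label-based.
    return DnsQuery(m["ts"], m["client"], m["qname"].rstrip(".").lower(), m["qtype"])


def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry that covers qname (exact or parent domain), else None.

    Walking label by label avoids the false positive of a plain suffix test,
    e.g. 'notbad-example.test' must NOT match 'bad-example.test'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_events(log_text: str, blocklist: Set[str] = BLOCKLIST) -> List[Tuple[str, str, str]]:
    """Detection: (client, queried name, matching entry) for every blocklisted lookup."""
    events = []
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        hit = matches_blocklist(q.qname, blocklist)
        if hit:
            events.append((q.client, q.qname, hit))
    return events


def resolve(qname: str, blocklist: Set[str], answers: Dict[str, str]) -> str:
    """Blocking: a simulated resolver that refuses to resolve blocklisted names.

    'answers' stands in for the real DNS data. A client that already knows the
    IP address bypasses this, which is the caveat stated in the text.
    """
    if matches_blocklist(qname, blocklist):
        return "NXDOMAIN"
    return answers.get(qname.lower().rstrip("."), "NXDOMAIN")


if __name__ == "__main__":
    for client, qname, hit in find_events(SAMPLE_LOG):
        print(f"security event: {client} queried {qname} (blocklist entry: {hit})")
    print(resolve("www.bad-example.test", BLOCKLIST, {"www.bad-example.test": "192.0.2.10"}))
```

Run as-is it reports the two queries from the constructed log that fall under `bad-example.test` and shows the resolver answering NXDOMAIN for a blocked name; the `notbad-example.test` line is correctly left alone.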