Auditing IP Resolution with DNS Checks

How would you know if your DNS account had been compromised?  If tampered with, an attacker could point your web and email traffic to their own controlled servers, enabling them to intercept potentially confidential information from you or your customers without your knowledge.

Emergency Directive 19-01

Recently, the US Department of Homeland Security issued its first ever Emergency Directive with a list of actions to mitigate DNS account tampering, an issue they report is on the raise.

The first recommended actions in their directive is to verify DNS resolution.

Action One: Audit DNS Records … audit public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location.

In this post, I’ll show you how to continually monitor your DNS resolution using NodePing DNS checks to ensure your important domain names are resolving to the expected IP addresses. If anyone tamplers with your DNS records, you’ll quickly receive actionable notifications from NodePing.

Some of the record types you may want to verify with DNS checks are:

  • SOA – Start of Authority record
  • NS – Nameservers and the IPs they resolve to
  • Website FQDN
  • Website FQDN with www prefix (example: http://www.nodeping.com)
  • Email MX records and the IPs they resolve to
  • IMAP, POP, and SMTP FQDNs
  • FTP service FQDNs
  • All the above services for both IPv4 and IPv6 addresses

Setting up DNS monitoring

To create a new DNS check, click on the “Add new check” button in your NodePing account dashboard.

  1. Select DNS from the Check type drop down.
  2. Give it a friendly label to identify this check in lists and notifications.  Something like “Website resolver”
  3. Set how often you want the check to run on the Check Frequency field.  We recommend 1 minute intervals.
  4. Leave the DNS server field blank.  This will ensure that our probes will use whatever nameservers are listed on the domain.  If a hijacker accesses your DNS account , they’ll likely change the IPs of the nameservers so testing your own nameservers won’t be helpful for this type of monitoring.
  5. Enter the type of query you want to perform, and address you want the check to look up. Usually this should be a fully qualified domain name. It should not include “http://” or “https://”. Example : ‘nodeping.com’ or ’email.nodeping.com’ or ‘www.nodeping.com’
  6. Enter the information the check should look for in the DNS resolution response to verify the query has not been tampered with. What you put in this field will depend on the query type. For example, for A records, this will be your IPv4 address. For other types, such as MX or NS records, this is likely to be a fully qualified domain name. For AAAA records, the full notation is required. Example: IPv6 address 2606:c700:4020:11::53:4a3b requires the ‘missing’ zero sections – 2606:c700:4020:11:0:0:53:4a3b – there should be 8 sections total.
  7. Set a time out. The default 5 seconds works fine for most situations.
  8. Set the Sensitivity. High is usually appropriate.
  9. Set the notifications for this check. More information about notifications.

If your services are offered on both IPv4 and IPv6, you’ll need to create a separate check for each with the appropriate query type set to ‘A’ for IPv4 and ‘AAAA’ for IPv6.

Setting up one DNS check for every critical server and service will give you the peace of mind that your DNS hasn’t been tampered with and your customers are interacting with you, not some DNS hijacker.

Got questions or need help setting up DNS resolution audit checks?  Contact us; we’re happy to help.

If you don’t yet have a NodePing account, please sign up for our free, 15-day trial and sleep well knowing we’re keeping an eye on your DNS resolution.

About NodePing
Server monitoring for the masses.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: