DNS records that point to hacking activity and other unwanted behavior can be spotted in a few ways.
- A large number of subdomains that don't resolve to A records.
  - These are sometimes DNS tunnels. No A record exists because the attackers ultimately don't care about receiving an A record; they want something else (like a TXT record that forms part of a malicious code string).
- An excessive number of new DNS records you don't recognize.
  - Self-explanatory.
- Lots of reverse DNS records when the organization does not typically use rDNS.
  - IOC for Asia-based hacking groups.
- Frequent switching of A records (more than once a month) when nothing technical calls for it (load balancers, a CDN, etc.).
  - IPs are being blacklisted, so the domain switches constantly to stay off those lists.
- Name server alterations or unrecognized name servers.
- TXT records that seem to serve no purpose, and TXT records that take up the full 255 bytes allotted to a string.
  - See the first point.
- Multiple A records for the same domain that aren't part of a load balancing or geo balancing scheme.
  - Assuming a domain has 4 A records and one of them is unrecognized, 25% of the answers served for that domain can point at malware. This lowers the probability of being detected.
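The checks in the list above can be run as simple heuristics over passive-DNS style records (date, name, type, rdata). The script below is an added example, not code from the original post or from Farsight; it is a demonstration of the technique, and the records, the `KNOWN_NS` and `KNOWN_IPS` sets, and the thresholds (three or more subdomains, 75% without an A record, more than one A change in 30 days) are constructed assumptions for the sample, not figures from the post.

```python
"""Heuristics for the DNS indicators listed above, run over constructed passive-DNS
style records of the form (date, rrname, rrtype, rdata). Sample data only."""
from collections import defaultdict
from datetime import date

# constructed sample records; evil.example is the hypothetical bad zone,
# corp.example the hypothetical organization's own zone
SAMPLE_RECORDS = [
    # many short subdomains that only ever answer with full-length TXT (tunnel-like)
    (date(2024, 1, 3), "a1b2c3.evil.example", "TXT", "A" * 255),
    (date(2024, 1, 3), "d4e5f6.evil.example", "TXT", "B" * 255),
    (date(2024, 1, 4), "g7h8i9.evil.example", "TXT", "C" * 200),
    (date(2024, 1, 4), "j0k1l2.evil.example", "TXT", "D" * 255),
    # an A record that changes every few days with no CDN or balancer behind it
    (date(2024, 1, 1), "cdn-update.evil.example", "A", "198.51.100.5"),
    (date(2024, 1, 6), "cdn-update.evil.example", "A", "198.51.100.77"),
    (date(2024, 1, 12), "cdn-update.evil.example", "A", "198.51.100.140"),
    # the organization's normal records
    (date(2024, 1, 1), "www.corp.example", "A", "203.0.113.10"),
    (date(2024, 1, 1), "mail.corp.example", "A", "203.0.113.20"),
    (date(2024, 1, 2), "corp.example", "TXT", "v=spf1 include:_spf.example -all"),
    (date(2024, 1, 1), "corp.example", "NS", "ns1.corp.example"),
    # a name server nobody in the organization recognizes
    (date(2024, 1, 9), "corp.example", "NS", "ns.unknown-host.example"),
    # four A records for one host, one of them not on the asset list
    (date(2024, 1, 1), "app.corp.example", "A", "203.0.113.30"),
    (date(2024, 1, 1), "app.corp.example", "A", "203.0.113.31"),
    (date(2024, 1, 1), "app.corp.example", "A", "203.0.113.32"),
    (date(2024, 1, 1), "app.corp.example", "A", "198.51.100.200"),
]
KNOWN_NS = {"ns1.corp.example", "ns2.corp.example"}            # assumed asset list
KNOWN_IPS = {"203.0.113.10", "203.0.113.20", "203.0.113.30",   # assumed asset list
             "203.0.113.31", "203.0.113.32"}


def parent_domain(name):
    """Registrable parent approximated as the last two labels (good enough for the sample)."""
    return ".".join(name.split(".")[-2:])


def subdomains_without_a(records, min_subdomains=3, min_ratio=0.75):
    """Point 1: parents whose subdomains mostly never resolve to an A record."""
    rrtypes = defaultdict(set)
    for _, name, rrtype, _ in records:
        rrtypes[name].add(rrtype)
    by_parent = defaultdict(list)
    for name, types in rrtypes.items():
        parent = parent_domain(name)
        if name != parent:
            by_parent[parent].append("A" in types)
    flagged = {}
    for parent, has_a in by_parent.items():
        no_a = has_a.count(False)
        if len(has_a) >= min_subdomains and no_a / len(has_a) >= min_ratio:
            flagged[parent] = no_a
    return flagged


def full_length_txt(records):
    """Point 6: TXT data that fills the whole 255-byte character-string."""
    return sorted({name for _, name, rrtype, rdata in records
                   if rrtype == "TXT" and len(rdata.encode()) >= 255})


def a_record_churn(records, window_days=30, max_changes=1):
    """Point 4: names whose set of A records changes more than max_changes times
    inside any window_days window. Several A records on the same day are one set,
    so plain round-robin is not counted as churn."""
    history = defaultdict(lambda: defaultdict(set))
    for day, name, rrtype, rdata in records:
        if rrtype == "A":
            history[name][day].add(rdata)
    flagged = {}
    for name, by_day in history.items():
        days = sorted(by_day)
        change_days = [d for prev, d in zip(days, days[1:]) if by_day[d] != by_day[prev]]
        for i, start in enumerate(change_days):
            n = sum(1 for d in change_days[i:] if (d - start).days <= window_days)
            if n > max_changes:
                flagged[name] = n
                break
    return flagged


def unrecognized_nameservers(records, known_ns):
    """Point 5: NS rdata outside the organization's known name servers."""
    return sorted({(name, rdata) for _, name, rrtype, rdata in records
                   if rrtype == "NS" and rdata not in known_ns})


def unrecognized_a_share(records, known_ips):
    """Point 7: for names with several A records, the share of IPs not on the asset list."""
    ips = defaultdict(set)
    for _, name, rrtype, rdata in records:
        if rrtype == "A":
            ips[name].add(rdata)
    return {name: len(s - known_ips) / len(s)
            for name, s in ips.items() if len(s) > 1 and s - known_ips}


if __name__ == "__main__":
    print("subdomains without A:", subdomains_without_a(SAMPLE_RECORDS))
    print("full-length TXT:", full_length_txt(SAMPLE_RECORDS))
    print("A record churn:", a_record_churn(SAMPLE_RECORDS))
    print("unknown NS:", unrecognized_nameservers(SAMPLE_RECORDS, KNOWN_NS))
    print("unknown A share:", unrecognized_a_share(SAMPLE_RECORDS, KNOWN_IPS))
```

On the sample, the tunnel-like zone is flagged for its A-less subdomains and full-length TXT answers, the hopping host for two A changes in one month, and the organization's own zone for the stray NS record and the one unlisted IP behind a four-address host (the 25% case from the list). Two-label parent extraction is the weak spot: for real data use a public-suffix list, and tune the thresholds to the zone size you are watching.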
Other malicious IOCs to note that are typically overlooked:
- A large number of 307 and 407 HTTP status code responses in your IP space.
  - This is not technically a DNS feature, but it is an indicator of compromise that Asia-based hackers leave behind. The 307 and 407 HTTP status codes, used for web proxies, are vastly more popular in Asia, where the web was deployed later (China did not provide civilian internet access until 1994).
- Use of very outdated TLS or SSH versions.
  - These are not typically deployed in the West.
  - When they are deployed on security devices it is even more suspicious.
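The two non-DNS indicators above can be measured the same way: count the share of 307/407 responses per client in web server logs, and flag negotiated TLS versions below 1.2 or SSH banners that still advertise protocol 1.x (including the 1.99 compatibility string). This is an added example, not code from the original post; the log lines, host names, banners and the 20% threshold are all constructed for the sample.

```python
"""Share of 307/407 responses per client in Common Log Format lines, plus legacy
TLS/SSH protocol version detection. All inputs below are constructed samples."""
import re
from collections import Counter

# constructed access log: one client with proxy-style responses, one normal client,
# and one line that does not parse
ACCESS_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 307 0
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "CONNECT example:443 HTTP/1.1" 407 0
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /app HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:01:05 +0000] "GET /app HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:01:09 +0000] "GET /missing HTTP/1.1" 404 0
this line is malformed and must be skipped
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def status_share(log_text, statuses=("307", "407")):
    """Fraction of a client's responses whose status is in `statuses`."""
    total, hits = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are ignored rather than miscounted
        client, status = m.groups()
        total[client] += 1
        if status in statuses:
            hits[client] += 1
    return {client: hits[client] / total[client] for client in total}


def flag_clients(shares, threshold=0.2):
    """Clients whose 307/407 share exceeds the (assumed) threshold."""
    return sorted(c for c, share in shares.items() if share > threshold)


# constructed (host, negotiated TLS version) pairs, e.g. from a scanner's output
NEGOTIATED_TLS = [
    ("web1.corp.example", "TLSv1.3"),
    ("vpn-gw.corp.example", "TLSv1"),
    ("legacy.corp.example", "SSLv3"),
]
TLS_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def legacy_tls(negotiated, minimum="TLSv1.2"):
    """Hosts negotiating anything older than `minimum`; unknown strings are flagged too."""
    floor = TLS_ORDER[minimum]
    return [(host, ver) for host, ver in negotiated if TLS_ORDER.get(ver, -1) < floor]


# constructed (host, SSH identification string) pairs; the banner format is
# SSH-protoversion-softwareversion, and 1.99 means protocol 1 is still accepted
SSH_BANNERS = [
    ("bastion.corp.example", "SSH-2.0-OpenSSH_9.6"),
    ("fw-old.corp.example", "SSH-1.99-OpenSSH_3.9p1"),
    ("cam.corp.example", "SSH-1.5-dropbear_0.4"),
]
SSH_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def legacy_ssh(banners):
    """Hosts whose banner advertises a protocol version other than 2.x."""
    found = []
    for host, banner in banners:
        m = SSH_BANNER_RE.match(banner)
        if m and not m.group(1).startswith("2."):
            found.append((host, m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    shares = status_share(ACCESS_LOG)
    print("307/407 share per client:", shares)
    print("flagged clients:", flag_clients(shares))
    print("legacy TLS:", legacy_tls(NEGOTIATED_TLS))
    print("legacy SSH:", legacy_ssh(SSH_BANNERS))
```

The status share is computed per client rather than as a raw count so that a busy but normal client is not flagged for sheer volume; pair the TLS and SSH checks with an asset list so hits on security devices (firewalls, VPN gateways) can be raised in priority, as the list above suggests.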
Screenshots will be added to this post later, along with a healthy number of citations from Dr. Paul Vixie and his very incredible company, FarSight.