"Off-Label" use of DNS
DNS is one of the most widely abused protocols that threat actors use to hide traffic. DNS is also actively used, or rather misused, by service providers, vendors and others to deliver enhanced services. An in-depth examination of DNS logs revealed several interesting legitimate uses of the DNS protocol apart from its usual name resolution function. We coined the term "off-label" use of DNS for these cases. Legitimate here simply means using DNS for non-malicious purposes other than what it was traditionally designed for: domain name resolution, a dictionary service mapping domain names to their corresponding IP addresses. One of the main reasons DNS is used, or possibly misused, for these off-label cases is data transfer speed and reduced overhead. These uses can often reveal important information about the clients and the software they run, and network security analysts can leverage them to improve their defense of the network. This research details some of those legitimate off-label use cases and shows how analysts can use them to detect malware trends in the network, and much more, just by analyzing an enterprise's DNS logs.
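As an added illustration of the log-analysis approach described above (example code, not part of the original research), the following profiles a DNS query log per registered domain and flags candidates for analyst review: domains queried mostly for non-address records, or with a unique long leftmost label on every query, both patterns that suggest DNS is carrying data rather than resolving names. The log format, field names and sample lines are constructed assumptions, and the registered domain is approximated as the last two labels.

```python
from collections import defaultdict

# Constructed sample lines (not from a real network): <ts> <client> <qtype> <qname>
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000002 10.0.0.9 A mail.example.com
1700000003 10.0.0.7 TXT 3f2a9c1e.lookup.reputation-vendor.example
1700000004 10.0.0.7 TXT 9b71d0aa.lookup.reputation-vendor.example
1700000005 10.0.0.9 TXT c0ffee12.lookup.reputation-vendor.example
1700000006 10.0.0.5 A 0123456789abcdef0123456789abcdef.up.telemetry.example
1700000007 10.0.0.5 A fedcba9876543210fedcba9876543210.up.telemetry.example
1700000008 10.0.0.5 A aaaaaaaabbbbbbbbccccccccdddddddd.up.telemetry.example
"""
ADDRESS_TYPES = {"A", "AAAA"}

def split_name(qname, levels=2):
    # Assumption: registered domain = last two labels (no public suffix list).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-levels:]), labels[:-levels]

def profile(log_text):
    # Per registered domain: query count, share of non-address record types,
    # distinct subdomains seen, and mean length of the leftmost label.
    acc = defaultdict(lambda: {"queries": 0, "non_addr": 0, "subs": set(), "len": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        _, _, qtype, qname = parts
        dom, sub = split_name(qname)
        s = acc[dom]
        s["queries"] += 1
        s["non_addr"] += qtype.upper() not in ADDRESS_TYPES
        s["subs"].add(".".join(sub))
        s["len"] += len(sub[0]) if sub else 0
    return {d: {"queries": s["queries"], "non_addr_ratio": s["non_addr"] / s["queries"],
                "distinct_subdomains": len(s["subs"]), "mean_label_len": s["len"] / s["queries"]}
            for d, s in acc.items()}

def off_label_candidates(log_text, min_queries=3, non_addr_ratio=0.5, label_len=24):
    # Flag for analyst review: lookups that are mostly non-address records, or a
    # unique long leftmost label on every query (data carried in the name itself).
    flagged = {}
    for dom, p in profile(log_text).items():
        if p["queries"] < min_queries:
            continue
        if p["non_addr_ratio"] >= non_addr_ratio:
            flagged[dom] = "mostly non-address record lookups"
        elif p["distinct_subdomains"] == p["queries"] and p["mean_label_len"] >= label_len:
            flagged[dom] = "unique long label on every query"
    return flagged
```

Flagged domains are triage candidates, not verdicts: a vendor reputation lookup service and a data-exfiltration channel can look identical at this level, so the next step is to attribute the client software behind each pattern.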