Managed Sentinel – Alert 036

Alert IDMS-A036
Alert Name Internal hosts using unsanctioned DNS servers (Cisco ASA)
DescriptionTypically in any organizations, there is an internal DNS server used for all internal hosts. Direct client access to Internet DNS servers, rather than controlled access through enterprise DNS servers, can expose an organization to unnecessary security risks and system inefficiencies.
Whitelist the public DNS servers, such as Google and OpenDNS. Customer to provide a list of sanctioned DNS server(s) used by internal systems.
Severity LevelMedium
Threat IndicatorImproper Usage
MITRE ATT&CK TacticsPersistence
Command and Control
Exfiltration
Log sourcesFirewall Traffic Logs
False PositivesValid software, which uses DNS for transferring data.
Personal mobile devices used within corporate WIFI network.
Recommendations1. Review internal system and identify any suspicious applications or processes running on it.
2. Perform a full EDR scan on the targeted machine.
3. For organizations, that use internal DNS servers, perimeter firewall will detect the spike being initiated from the internal DNS server. Additional review of the DNS servers events may be required to identified the source machine generating the high volume of DNS traffic.
4. Review perimeter firewall logs and understand the type of DNS requests sent out
5. Select the external DNS servers listed in this alert and match this with DNS Threat Intelligence lists