Managed Sentinel – Alert 036

Alert ID: MS-A036
Alert Name: External DNS server used by an internal host
Description: In most organizations, an internal DNS server resolves names for all internal hosts. Direct client access to Internet DNS servers, rather than controlled access through the enterprise DNS servers, exposes the organization to unnecessary security risk (the client bypasses the logging and filtering the enterprise resolvers provide) and to system inefficiencies. This alert fires when an internal host sends DNS traffic (destination port 53) directly to a resolver outside the organization.
Tuning: whitelist (allowlist) the public DNS servers whose use is sanctioned, such as Google Public DNS and OpenDNS, so that only unexpected external resolvers are reported.
Severity Level: Informational
Threat Indicator: Improper Usage
MITRE ATT&CK Tactics: Lateral Movement, Command and Control
Log Sources: Firewall traffic logs
False Positives: Legitimate software that uses DNS to transfer data or that ships with its own hard-coded resolvers; mobile devices configured to use public resolvers rather than the enterprise DNS servers.
Recommendations: Review the internal system and identify any suspicious applications or processes running on it, in particular whatever is issuing the external DNS queries. Perform a full AV/AM scan on the targeted machine.
For organizations whose internal DNS servers forward to the Internet, the perimeter firewall will attribute the outbound DNS traffic (including any spike) to the internal DNS server itself, not to the client that originated the lookups. In that case, additional review of the DNS server's own query logs is required to identify the source machine generating the high volume of DNS traffic.
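The detection logic described above, run over firewall traffic logs, as an added example (not Managed Sentinel's own rule): it reports internal hosts that talk directly to external DNS servers, tunes out the whitelisted public resolvers named in the description, and sets aside traffic from the internal DNS server itself, which the recommendations note can only be attributed to a client via the resolver's own logs. The sample log lines are constructed; the internal networks, the internal resolver address 10.1.0.53, and the CSV column layout are assumptions, and the external destinations use RFC 5737 documentation addresses.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed environment (not from the alert page): RFC 1918 space is "internal",
# one authorized internal resolver, and the allowlist of sanctioned public
# resolvers (Google Public DNS and OpenDNS anycast addresses).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_DNS_SERVERS = {ipaddress.ip_address("10.1.0.53")}
ALLOWLISTED_PUBLIC_DNS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4",                # Google Public DNS
    "208.67.222.222", "208.67.220.220",  # OpenDNS
)}
DNS_PORT = 53

# Constructed sample firewall traffic log (not real data). Assumed columns:
# timestamp, src_ip, dst_ip, dst_port, protocol, action
SAMPLE_FIREWALL_LOGS = """\
2024-03-01T10:00:01Z,10.1.20.15,10.1.0.53,53,udp,allow
2024-03-01T10:00:02Z,10.1.0.53,8.8.8.8,53,udp,allow
2024-03-01T10:00:03Z,10.1.20.15,8.8.8.8,53,udp,allow
2024-03-01T10:00:04Z,10.1.20.16,192.0.2.53,53,udp,allow
2024-03-01T10:00:05Z,10.1.20.16,192.0.2.53,53,tcp,allow
2024-03-01T10:00:06Z,10.1.20.17,208.67.222.222,53,udp,allow
2024-03-01T10:00:07Z,10.1.20.17,203.0.113.4,53,udp,deny
2024-03-01T10:00:08Z,10.1.20.18,203.0.113.10,443,tcp,allow
2024-03-01T10:00:09Z,10.1.20.19,198.51.100.7,53,udp,allow
2024-03-01T10:00:10Z,10.1.20.19,198.51.100.7,53,udp,allow
"""

LOG_FIELDS = ["timestamp", "src_ip", "dst_ip", "dst_port", "protocol", "action"]


def parse_firewall_log(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    return [dict(zip(LOG_FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def classify(event):
    """Label one firewall event for the external-DNS rule.

    external_dns       -> what the alert should report
    forwarder          -> the internal DNS server talking out; needs DNS server
                          logs to attribute to a client, so not reported here
    allowlisted_public -> tuned out per the alert's whitelist guidance
    """
    if int(event["dst_port"]) != DNS_PORT:
        return "not_dns"
    src = ipaddress.ip_address(event["src_ip"])
    dst = ipaddress.ip_address(event["dst_ip"])
    if not is_internal(src):
        return "not_internal_source"
    if is_internal(dst):
        return "internal_resolver"
    if src in INTERNAL_DNS_SERVERS:
        return "forwarder"
    if dst in ALLOWLISTED_PUBLIC_DNS:
        return "allowlisted_public"
    return "external_dns"


def detect_external_dns(text):
    """Aggregate reportable events per (client, external resolver) pair.

    Denied connections are kept: a blocked attempt still shows a host that is
    configured, or instructed by malware, to use an external resolver.
    """
    findings = defaultdict(lambda: {"count": 0, "protocols": set(),
                                    "actions": set(), "first_seen": None})
    for ev in parse_firewall_log(text):
        if classify(ev) != "external_dns":
            continue
        f = findings[(ev["src_ip"], ev["dst_ip"])]
        f["count"] += 1
        f["protocols"].add(ev["protocol"])
        f["actions"].add(ev["action"])
        f["first_seen"] = f["first_seen"] or ev["timestamp"]
    return [dict(src_ip=s, dst_ip=d, **v) for (s, d), v in sorted(findings.items())]


if __name__ == "__main__":
    for finding in detect_external_dns(SAMPLE_FIREWALL_LOGS):
        print(finding)
```

On the sample data the rule reports three client/resolver pairs (10.1.20.16, 10.1.20.17 and 10.1.20.19) and stays silent on the client that uses the internal resolver, on the client using Google's allowlisted 8.8.8.8, and on the internal DNS server's own forwarding; that last case is exactly where the recommendation to consult the DNS server's query logs applies.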