How to use DNS trap

DNS Trap Guide

How to use DNS Trap feaute on your antibot solution.

Why do you need DNS Trap

Many antibot solutions monitors DNS traffic. They analyze DNS requests and compare them with known malware domain list. If matched, request will be blocked. We can have a problem, when we have our own DNS server inside LAN network.
When infected, network security device will report that bad domain is being requested. In most cases they will report that DNS server is controled by malware, but this is not true. NIDS will see only source of DNS request, which is company DNS server. It can be very difficult to discover original source.
Solution for this situation, is not to block malware domain DNS request. It's better to redirect it to our own server.

What to do

1. Create honey server. Place it behind firewall. This server should at least serve some info page f.e. You are infected please contact security team
2. Create DNS trap and point all unwanted DNS requests do honey server
3. Create firewall rule. Source: LAN networks, Destination: Honey Server, Service: Any
4. Monitor this rule hit count and anlyze logs from this rule

How does it work

1. Infected station tries to resolve C&C; IP address using domain name
2. Request is sent to corporate DNS server
3. Request is forwarded to ISP DNS server
4. Antibot solution detects unwanted request and modifies response. Honey server IP will be placed in response
5. Antibot solution respond to DNS server with honey IP address
6. Corporate will send back honey IP address to infected station
7. Infected station will try to conntact honey server
8. Our new rule will be hitted and log generated.
9. You will find infected station IP in source field