Quick Start Security for Amazon Route53 DNS Query Resolver
Coralogix Extension For Amazon Route53 DNS Query Resolver Includes:
Alerts - 10
Stay on top of Amazon Route53 DNS Query Resolver key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
AWS Route53 DNS Query - High Number of NXDOMAIN Responses Returned
This alert triggers when a high number of NXDOMAIN responses are returned for the DNS queries made by a host. The NXDOMAIN response code means the queried domain does not exist.
Impact: A burst of NXDOMAIN responses for many distinct, random-looking names from one source is a common sign of Domain Generation Algorithm (DGA) malware cycling through candidate domains until one resolves to its C2 server. Typos, stale configuration and search-domain suffixing also produce NXDOMAIN, so weigh the rate against the host's normal baseline and look at how many different names failed, not just the raw count.
Mitigation: Investigate the source hosts that issued the queries which returned NXDOMAIN. Please see the link below for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/
Mitre Tactic: TA0011
Mitre Technique: T1568
Mitre Sub-Technique: 002
AWS Route53 DNS Query - DNS Activity on TCP Detected
This alert triggers when a DNS query is transmitted over TCP rather than UDP. The Route 53 Resolver query log records the transport used for each query in its transport field.
Impact: DNS over TCP has legitimate uses: a resolver retries over TCP when a UDP answer is truncated (TC bit set) because it is too large, as with some DNSSEC responses, and zone transfers (AXFR/IXFR) run over TCP. It is also the transport of choice for moving large quantities of data through the DNS protocol, so a host that suddenly produces sustained TCP queries, especially to a single external domain it has not contacted before, warrants a closer look.
Mitigation: Investigate the source hosts involved in those queries using the audit logs from those machines, as this activity could be an indication of data exfiltration. Please see the link below for more detail: https://www.akamai.com/blog/news/introduction-to-dns-data-exfiltration
Mitre Tactic: TA0010
Mitre Technique: T1048
AWS Route53 DNS Query - Excessive REFUSED Response Code Returned
This alert triggers when a high number of REFUSED responses are returned for the DNS queries made by a host. The REFUSED response code means the server declined to answer the query, normally for policy reasons.
Impact: Servers return REFUSED when a client is blocked for abusing the nameserver, when the client is outside the server's permitted client list, or when a particular operation is forbidden. A zone transfer is the classic case: it replicates a zone's DNS records across multiple DNS servers for load balancing or backup, and a well-configured server only permits it from authorized secondaries, so an unauthorized attempt (for example, an AXFR request issued during reconnaissance) is answered with REFUSED. A sustained stream of REFUSED responses to one source therefore points at either a misconfiguration or a host probing for things it is not allowed to ask.
Mitigation: Investigate the source hosts that issued the queries which returned REFUSED, and check which names and record types they requested. Please see the link below for more detail: https://bluecatnetworks.com/blog/what-you-can-learn-from-an-nxdomain-response/
Mitre Tactic: TA0011
Mitre Technique: T1071
Mitre Sub-Technique: 004
AWS Route53 DNS Query - Suspicious AWS metadata query
This alert triggers when a requested domain resolves to the AWS instance metadata service address (169.254.169.254).
Impact: A legitimate workload never needs a DNS name to reach the metadata service; it uses the link-local address directly. An attacker-controlled domain that resolves to 169.254.169.254 is the hallmark of DNS rebinding: the name first resolves to the attacker's server and then flips to the metadata address, so that code on the instance (an SSRF-prone application, a fetch of a user-supplied URL, a browser) ends up reading the IAM role credentials the metadata service exposes.
Mitigation: Follow the steps below:
1. Determine which instance is associated with the DNS request. The srcaddr and srcids fields of the query log record give the source IP and, where available, the instance ID.
2. Determine whether the requested domain should be permitted. If not, find out what process requested it and check whether the metadata credentials were accessed, for example by reviewing CloudTrail for use of that instance role's temporary credentials from unexpected source addresses.
Requiring IMDSv2 on the instance (a session token obtained with a PUT request, combined with the response hop limit) raises the bar, because the attacker's request must be able to issue that PUT before it can read anything.
Mitre Tactic: TA0006
Mitre Technique: T1552
AWS Route53 DNS Query - Anomalous Uncommon DNS Record Types Observed
This alert triggers when a high number of DNS queries with uncommon record types such as TXT and NULL are seen from one host. TXT is a free-form text record, commonly used for email authentication (SPF, DKIM, DMARC) and domain-ownership verification. NULL is a null resource record with no defined format.
Impact: Threat actors may use less common record types for their C2 channels to support different commands or functions. For example, a C2 channel may issue TXT queries to retrieve commands, additional payloads or configuration, because a TXT answer can carry an arbitrary string. Mail servers and certificate automation issue TXT queries as part of normal operation, so compare the host's TXT volume with its role and baseline before escalating.
Mitigation: Investigate the hosts querying the domains with a high number of these uncommon record types, and look at how many distinct names they queried and whether the answers carried data.
Mitre Tactic: TA0011
Mitre Technique: T1071
Mitre Sub-Technique: 004
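The three count-based alerts above (high NXDOMAIN, excessive REFUSED, uncommon record types) reduce to the same shape: per source host, count the queries that match a predicate inside a time window and compare the count against a threshold and against the host's total query volume, so that a busy host with a handful of typos does not trip it. The Python below is an added example, not the Coralogix extension's own logic; it implements that sliding-window check over constructed records in the documented Route 53 Resolver query log format. The thresholds, the window length and the sample hosts are illustrative assumptions.

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 300                      # sliding window per source address (assumption)
UNCOMMON_TYPES = {"TXT", "NULL"}

# rule name -> (predicate over one parsed record, min matching queries, min share of the host's queries in window)
RULES = {
    "high_nxdomain": (lambda r: r["rcode"] == "NXDOMAIN", 20, 0.5),
    "excessive_refused": (lambda r: r["rcode"] == "REFUSED", 10, 0.3),
    "uncommon_record_types": (lambda r: r["query_type"] in UNCOMMON_TYPES, 10, 0.3),
}


def parse_ts(value):
    """query_timestamp in Route 53 Resolver logs is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


class SlidingWindowDetector:
    """Keeps, per srcaddr, which rules each query of the last WINDOW_SECONDS matched."""

    def __init__(self, window=WINDOW_SECONDS, rules=RULES):
        self.window = window
        self.rules = rules
        self.history = defaultdict(deque)  # srcaddr -> deque[(timestamp, frozenset(rule names))]

    def observe(self, rec):
        """Feed one parsed record; return the rules whose thresholds the source now exceeds."""
        ts, src = parse_ts(rec["query_timestamp"]), rec["srcaddr"]
        matched = frozenset(name for name, (pred, _, _) in self.rules.items() if pred(rec))
        hist = self.history[src]
        hist.append((ts, matched))
        while hist and hist[0][0] < ts - self.window:  # assumes records arrive in time order per source
            hist.popleft()
        fired = []
        for name, (_, min_count, min_share) in self.rules.items():
            hits = sum(1 for _, m in hist if name in m)
            if hits >= min_count and hits / len(hist) >= min_share:
                fired.append(name)
        return fired


def run(lines):
    """Replay JSON log lines; return {srcaddr: sorted rule names that fired at least once}."""
    det = SlidingWindowDetector()
    fired = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        fired[rec["srcaddr"]].update(det.observe(rec))
    return {src: sorted(names) for src, names in fired.items() if names}


def make_line(ts, src, name, rcode="NOERROR", qtype="A"):
    """Constructed record in the shape of a Route 53 Resolver query log entry (not real traffic)."""
    return json.dumps({
        "version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
        "vpc_id": "vpc-0example", "query_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "query_name": name, "query_type": qtype, "query_class": "IN", "rcode": rcode,
        "answers": [], "srcaddr": src, "srcport": "50213", "transport": "UDP",
        "srcids": {"instance": "i-0example"},
    })


def sample_lines():
    """Four constructed hosts: a DGA-like one, an ordinary one, one being refused, one hammering TXT."""
    t0 = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):  # 25 NXDOMAIN for random-looking names, 5 NOERROR
        ts = t0 + timedelta(seconds=i)
        if i % 6 == 5:
            lines.append(make_line(ts, "10.0.1.23", "ssm.us-east-1.amazonaws.com."))
        else:
            label = hashlib.sha1(str(i).encode()).hexdigest()[:12]
            lines.append(make_line(ts, "10.0.1.23", f"{label}.info.", rcode="NXDOMAIN"))
    for i in range(40):  # a few typos among normal traffic: must stay quiet
        rcode = "NXDOMAIN" if i in (7, 19, 33) else "NOERROR"
        lines.append(make_line(t0 + timedelta(seconds=i), "10.0.1.50", "repo.internal.example.", rcode=rcode))
    for i in range(12):
        lines.append(make_line(t0 + timedelta(seconds=i), "10.0.2.7", "blocked.example.", rcode="REFUSED"))
    for i in range(15):
        lines.append(make_line(t0 + timedelta(seconds=i), "10.0.3.9", f"c{i}.txt.example.", qtype="TXT"))
    lines.sort(key=lambda line: json.loads(line)["query_timestamp"])  # stable: per-source order is kept
    return lines


if __name__ == "__main__":
    for src, rules in run(sample_lines()).items():
        print(src, rules)
```

The share test is what keeps the ordinary host (3 NXDOMAIN in 40 queries) quiet while the DGA-like host (25 in 30) fires; in production you would feed the detector from the log delivery stream and tune the thresholds per host role rather than globally.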
AWS Route53 DNS Query - Suspicious Top Level Domain (TLD) Queried
This alert triggers whenever a requested domain has a suspicious top-level domain (TLD). A TLD is the last label of a domain name, directly under the root of the DNS hierarchy; the TLDs are installed in the root zone of the namespace. This alert is based on Spamhaus's most abused top-level domains list.
Impact: Threat actors favour these TLDs because registrations are cheap and abuse handling is often weak, and they use them to host phishing pages and malware. Not every name under such a TLD is malicious, so treat the TLD as a prioritisation signal rather than a verdict.
Mitigation: Please follow the steps below:
1. Determine which instance is associated with the DNS request.
2. Determine whether the requested domain should be permitted. If not, investigate further.
Mitre Tactic: TA0011
Mitre Technique: T1071
Mitre Sub-Technique: 004
AWS Route53 DNS Query - Paste Sites Queried
This alert triggers when a DNS query is made for a paste site such as Pastebin. A paste site stores and shares text-based content: code snippets, notes or any other text. It is a convenient way to share information quickly with others.
Impact: Attackers misuse paste sites to stage malicious code and second-stage payloads, to publish stolen data, and as a dead drop for C2 configuration. A query from a server that has no business fetching pastes is far more interesting than one from a developer workstation.
Mitigation: Check whether the DNS query is legitimate and whether the user is authorized to query such domains under company policy. If not, investigate further.
Mitre Tactic: TA0010
Mitre Technique: T1567
Mitre Sub-Technique: 003
AWS Route53 DNS Query - Suspicious DNS queries to Monero mining pools
This alert triggers whenever a DNS query is made for a known Monero mining pool.
Impact: Threat actors deploy cryptomining malware on compromised machines and mine on the organization's hardware. This drives up cloud bills, exhausts CPU and memory, and can disrupt normal business operations. A resolution attempt for a mining pool is a strong indicator because ordinary workloads have no reason to contact one.
Mitigation: Check whether the DNS query to the mining pool is legitimate. If not, investigate the network and the endpoint for further malicious activity: the process that made the query, its parent, and its outbound connections.
Mitre Tactic: TA0040
Mitre Technique: T1496
AWS Route53 DNS Query - Suspicious Query with Base64 Encoded String
This alert triggers whenever a DNS query is made for a domain name that contains a base64-encoded string.
Impact: Attackers encode data into DNS labels to carry it out through the resolver or to move C2 traffic, because DNS is rarely blocked at the egress. Standard base64 uses '+', '/' and '=', which are not valid in a hostname, so tunnelling tools typically use the URL-safe variant, drop the padding, or switch to base32 or hex; a detector has to account for these variants. Potential impacts:
1. Difficulty in identification: the encoding hides the payload from content signatures, and the parent domain is usually freshly registered, which lets the traffic bypass blocklists and reputation-based filtering.
2. Concealing command and control (C2) communications: the encoded labels look like random subdomains, which makes the channel harder for network administrators to detect or block.
Mitigation: In case of a DNS query for a domain with a base64-encoded label, check with the user whether it was a legitimate query or a typo. If the user is not aware of it, investigate further for malicious activity: how many such queries the host made, how many distinct labels it used, and whether the answers were TXT or NULL records.
Mitre Tactic: TA0010
Mitre Technique: T1048
Mitre Sub-Technique: 003
AWS Route53 DNS Query - Kubernetes DNS Enumeration
This alert triggers whenever a DNS query is made for 'any.any.svc.cluster.local', a wildcard-style name that cluster DNS answers with every Service DNS record and its corresponding IP.
Impact: A threat actor who has gained initial access to a pod or node can make this single query to enumerate the cluster's services as part of discovery. Route 53 Resolver query logs only record queries that reach the VPC resolver; cluster DNS (CoreDNS) normally answers cluster.local names itself, so seeing this name in Route 53 logs means the client bypassed the cluster's DNS, which is itself worth explaining.
Mitigation: Validate whether the user is aware of this DNS query and has the rights to access this information. If not, investigate whether any of the enumerated services were subsequently probed or connected to.
Mitre Tactic: TA0043
Mitre Technique: T1590
Mitre Sub-Technique: 002
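The remaining alerts match on a single query log record rather than on counts. The Python below is an added example, not the extension's own detection logic; it evaluates four of them against constructed Route 53 Resolver query log records: the metadata address appearing in the answers section (the AWS metadata alert), TCP transport, a label that decodes as base64 (with the URL-safe and unpadded variants noted above), and the Kubernetes enumeration name. The address set, the base64 heuristic's length and mixed-case requirements, the check names and the sample records are assumptions made for the example.

```python
import base64
import binascii
import ipaddress
import re

# Instance metadata service addresses: the IPv4 address named above plus the IPv6 endpoint
# (fd00:ec2::254) that IMDS also answers on when IPv6 metadata is enabled.
IMDS_ADDRESSES = {ipaddress.ip_address("169.254.169.254"), ipaddress.ip_address("fd00:ec2::254")}
K8S_ENUM_NAME = "any.any.svc.cluster.local"
# Characters a base64 / base64url payload can contain inside a DNS label ('=' padding is usually dropped).
B64_LABEL_RE = re.compile(r"[A-Za-z0-9+/_-]{16,}")


def resolves_to_imds(record):
    """True if any A/AAAA answer in the record points at the instance metadata service."""
    for ans in record.get("answers", []):
        if ans.get("Type") not in ("A", "AAAA"):
            continue
        try:
            if ipaddress.ip_address(ans["Rdata"]) in IMDS_ADDRESSES:
                return True
        except ValueError:  # non-address Rdata (CNAME chains etc.) is skipped
            continue
    return False


def looks_base64_label(label):
    """Heuristic: long label, mixed-case alphabet, and it decodes cleanly as (url-safe) base64.
    Lower-case-only encodings (base32, hex) need a separate check, and clients that randomise
    label case (DNS 0x20) make benign names look mixed-case, so treat this as one signal."""
    if not B64_LABEL_RE.fullmatch(label):
        return False
    if not (any(c.islower() for c in label) and any(c.isupper() for c in label)):
        return False
    padded = label.replace("-", "+").replace("_", "/") + "=" * (-len(label) % 4)
    try:
        base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def has_base64_label(record):
    return any(looks_base64_label(lbl) for lbl in record["query_name"].rstrip(".").split("."))


def is_k8s_service_enumeration(record):
    return record["query_name"].rstrip(".").lower() == K8S_ENUM_NAME


def is_dns_over_tcp(record):
    # Low fidelity on its own: TCP is normal after a truncated (TC) UDP answer; correlate per host.
    return record.get("transport", "").upper() == "TCP"


CHECKS = [
    ("suspicious_aws_metadata_query", resolves_to_imds),
    ("base64_encoded_query", has_base64_label),
    ("kubernetes_dns_enumeration", is_k8s_service_enumeration),
    ("dns_activity_on_tcp", is_dns_over_tcp),
]


def evaluate(record):
    """Return the names of every check that matches one parsed query log record."""
    return [name for name, check in CHECKS if check(record)]


# Constructed records in the shape of Route 53 Resolver query log entries (not real traffic).
BASE_RECORD = {"version": "1.100000", "account_id": "111122223333", "region": "us-east-1",
               "vpc_id": "vpc-0example", "query_timestamp": "2024-01-15T12:00:00Z", "query_type": "A",
               "query_class": "IN", "rcode": "NOERROR", "answers": [], "srcaddr": "10.0.1.23",
               "srcport": "50213", "transport": "UDP", "srcids": {"instance": "i-0example"}}
SAMPLES = [
    {**BASE_RECORD, "query_name": "meta.rebind.example.",
     "answers": [{"Rdata": "169.254.169.254", "Type": "A", "Class": "IN"}]},
    # first label is base64 of "hello world!" with the padding dropped
    {**BASE_RECORD, "query_name": "aGVsbG8gd29ybGQh.tunnel.example.", "query_type": "TXT"},
    {**BASE_RECORD, "query_name": "any.any.svc.cluster.local.", "srcaddr": "10.0.4.12"},
    {**BASE_RECORD, "query_name": "api.github.com.", "transport": "TCP",
     "answers": [{"Rdata": "198.51.100.7", "Type": "A", "Class": "IN"}]},
    {**BASE_RECORD, "query_name": "ec2-203-0-113-5.compute-1.amazonaws.com.",
     "answers": [{"Rdata": "203.0.113.5", "Type": "A", "Class": "IN"}]},
]


def run_samples():
    """Evaluate every sample; return {query_name: matching check names}."""
    return {rec["query_name"]: evaluate(rec) for rec in SAMPLES}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:45} {hits or 'clean'}")
```

The benign EC2 hostname passes because its long label is lower-case only and shorter than 16 characters; lowering either requirement trades false negatives for false positives, which is why the base64 check is best combined with the per-host volume check rather than fired on a single query.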
Integration
Learn more about Coralogix's out-of-the-box integration with Amazon Route53 DNS Query Resolver in our documentation.