DNS Queries Getting the Respect They Deserve

June 11, 2015

Source: Nominet declares war on botnets, malware and snoops with Turing analytics tool – IT News from V3.co.uk >

One of the first things I do when I go into a new company as a consultant is ask 1) where their list of assets is, and 2) if they are capturing, monitoring, and responding to outbound DNS queries.

It’s surprising how much information just these two things can tell you about the security readiness of an organization.

This tool here, the Turing Tool, is one of what will soon be many hooks into DNS query data for the purpose of finding malware and malicious actors on the internal network.

As I talked about in my RSA trends post >, the new paradigm will soon be single capture, multi read: DNS data becomes part of a company's security data lake, and various vendors get spigots they can dip into, drawing from the same captured data to feed their particular algorithms.

Outbound DNS, folks. That’s where it’s at.

Notes

  1. One word of caution: make sure you have only one way out for DNS, and that this is where you do your filtering. Don't resolve names in multiple places with multiple egress routes. One egress, and monitor and defend that one.
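The two points above (capture and check outbound queries; enforce a single DNS egress) reduce to a couple of simple checks over DNS logs. The following is an added example, not code from the post or from the Turing tool: the log format, the sanctioned resolver address (10.0.0.53), the internal range and the indicator list are all constructed placeholders. It flags any port-53 traffic from an internal client that bypasses the sanctioned resolver, and matches query names (including parent domains) against an indicator list.

```python
"""Added example: basic checks over captured outbound DNS logs.

Everything here is constructed for illustration: the log format, the
sanctioned resolver, the internal network range and the indicator list.
"""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed: the single internal resolver/forwarder that is allowed to egress.
SANCTIONED_RESOLVER = ipaddress.ip_address("10.0.0.53")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed indicator list using reserved placeholder domains, not real IoCs.
BLOCKLIST = {"bad-example.test", "c2-placeholder.invalid"}

# Constructed log lines: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <qname>"
# 203.0.113.53 stands in for an unsanctioned external resolver; 192.0.2.10 is
# the sanctioned resolver's own upstream (the one expected egress).
SAMPLE_LOG = """\
2015-06-11T10:00:01 10.1.2.3 -> 10.0.0.53:53 www.example.com
2015-06-11T10:00:02 10.1.2.3 -> 10.0.0.53:53 updates.bad-example.test
2015-06-11T10:00:03 10.1.2.9 -> 203.0.113.53:53 www.example.org
2015-06-11T10:00:04 10.0.0.53 -> 192.0.2.10:53 www.example.com
garbage line here
2015-06-11T10:00:05 10.1.2.7 -> 10.0.0.53:53 c2-placeholder.invalid
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one constructed log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    ts, src, _, dst_port, qname = parts
    dst, sep, port = dst_port.rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "qname": qname.lower().rstrip("."),
        }
    except ValueError:  # unparsable IP address
        return None


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse all lines, silently skipping malformed ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def rogue_egress(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Port-53 traffic from an internal host that bypasses the sanctioned resolver.

    The resolver's own upstream queries are the one expected egress and are
    therefore not flagged.
    """
    hits = []
    for r in records:
        if r["port"] != 53 or r["src"] not in INTERNAL_NET:
            continue
        if r["src"] == SANCTIONED_RESOLVER or r["dst"] == SANCTIONED_RESOLVER:
            continue
        hits.append((str(r["src"]), str(r["dst"])))
    return hits


def matching_indicator(qname: str) -> Optional[str]:
    """Return the blocklist entry matching qname or one of its parent domains."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None


def indicator_hits(records: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """(client, queried name, matched indicator) for every query hitting the list."""
    hits = []
    for r in records:
        ind = matching_indicator(str(r["qname"]))
        if ind is not None:
            hits.append((str(r["src"]), str(r["qname"]), ind))
    return hits


def queries_per_client(records: List[Dict[str, object]]) -> Counter:
    """Query volume per internal client, excluding the resolver's own traffic."""
    return Counter(str(r["src"]) for r in records if r["src"] != SANCTIONED_RESOLVER)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rogue egress:", rogue_egress(recs))
    print("indicator hits:", indicator_hits(recs))
    print("queries per client:", dict(queries_per_client(recs)))
```

Run against real data, the only parts that change are `parse_line` (to match your resolver or firewall log format) and the constants at the top; the egress check is what makes the single-egress note enforceable rather than just policy, since any client talking to port 53 anywhere other than the sanctioned resolver shows up immediately.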
