I continue to believe that monitoring outbound DNS queries is one of the most important and fruitful techniques a company can employ against malware.
It’s true that these IPs are fast-fluxing, but what if those domains were unreachable?
What if your company doesn’t allow DNS queries to domains that are less than a certain age?
What if all these super-fast queries lit up like a forest fire and made it extremely obvious that something was infected with malware?
If you have good DNS hygiene that’s precisely what should happen with malware like this (and most other kinds as well).
Make sure only your DNS servers can speak DNS to the Internet
Inspect every DNS query
Run them through one or more engines that filter for maliciousness (dangerous hostnames, tunneling, etc.)
Block the bad requests
Pay special attention to hosts that are making abnormal DNS queries
If you have a properly administered network, your hosts should have your internal DNS servers as the only source of DNS. And if they’re interacting with any other DNS server (or trying to) that should raise immediate interest.
On a tight network, a DNS query that goes anywhere but to your internal DNS server should be treated as a serious problem. It’s either a configuration error, or something trying to call home.
If it’s the former, get it fixed so it’s not messing up your detection capabilities. And if it’s the latter, you now know about some potential malware that you didn’t before.
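As an added example (not from the original post), here is a small Python script that applies the checks above to a few constructed resolver-log lines: it flags clients talking to any resolver other than the internal ones, lookups of domains younger than a policy threshold, and hosts whose query volume stands out. The resolver addresses, thresholds and domain registration dates are assumed values, and the age table stands in for a WHOIS/RDAP lookup.

```python
from collections import Counter
from datetime import date

INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed internal DNS servers
MIN_DOMAIN_AGE_DAYS = 30                          # assumed minimum-age policy
MAX_QUERIES_PER_HOST = 5                          # assumed per-window rate threshold

# Constructed sample log, one query per line: "timestamp client resolver qname"
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.5.20 10.0.0.53 www.example.com
2024-05-01T10:00:02 10.0.5.21 8.8.8.8 www.example.org
2024-05-01T10:00:03 10.0.5.22 10.0.0.53 a1.example.net
2024-05-01T10:00:03 10.0.5.22 10.0.0.53 b2.example.net
2024-05-01T10:00:03 10.0.5.22 10.0.0.53 c3.example.net
2024-05-01T10:00:04 10.0.5.22 10.0.0.53 d4.example.net
2024-05-01T10:00:04 10.0.5.22 10.0.0.53 e5.example.net
2024-05-01T10:00:04 10.0.5.22 10.0.0.53 f6.example.net
"""

# Constructed registration dates standing in for a WHOIS/RDAP lookup (hypothetical)
DOMAIN_CREATED = {
    "example.com": date(1995, 8, 14),
    "example.org": date(1995, 8, 31),
    "example.net": date(2024, 4, 25),
}

def registrable(qname):
    """Last two labels of a hostname (crude; use the Public Suffix List in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text, today):
    """Return (finding, host, detail) tuples for the three checks."""
    findings, per_host = [], Counter()
    for line in log_text.splitlines():
        _ts, client, resolver, qname = line.split()
        per_host[client] += 1
        # 1. Any resolver other than ours: misconfiguration or something calling home.
        if resolver not in INTERNAL_RESOLVERS:
            findings.append(("rogue_resolver", client, resolver))
        # 2. Domain younger than the policy threshold (unknown ages are not flagged here).
        created = DOMAIN_CREATED.get(registrable(qname))
        if created is not None and (today - created).days < MIN_DOMAIN_AGE_DAYS:
            findings.append(("young_domain", client, qname))
    # 3. Hosts whose query volume in this window stands out.
    for host, count in per_host.items():
        if count > MAX_QUERIES_PER_HOST:
            findings.append(("abnormal_rate", host, count))
    return findings
```

Feed it a real resolver or firewall export in the same four-column shape and the "rogue_resolver" findings alone give you the list the post says should raise immediate interest.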
DNS is an endless treasure of security information. Lock it down and harvest it.