"DNS is a very good early warning system," says Liu. "You can pretty much at this point assume you have infected devices on your network. DNS is a good place to set up little tripwires, so when malware and other malicious software gets on your network, you can easily detect its presence and its activity, and you can do some things to minimize the damage it does." You could even see how widespread the infection is, by looking for similar patterns of behaviour.
Services like OpenDNS and Infoblox can also look across more than your network. "It's easy to build a baseline of what normal looks like and do anomaly detection", says Ulevitch. "Suppose you're an oil and gas business in Texas and a new domain name pops up in China pointing to an IP address in Europe, and no other oil company is looking at this domain. Why should you be the guinea pig?"
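The "tripwires" Liu describes and the "what normal looks like" baseline Ulevitch describes are both simple to prototype on resolver logs. The following Python is an added example, not code from the article, OpenDNS or Infoblox: it reads a constructed log sample (client IP, queried name, response code), flags domains nobody in the organisation has resolved before, clients producing bursts of NXDOMAIN answers (the signature of domain-generation malware hunting for its controller), and new domains that several hosts start querying at once, which is Liu's "how widespread the infection is". The log format, the baseline set and the thresholds are all assumptions.

```python
"""DNS tripwires over resolver query logs (added example, not from the article)."""
from collections import Counter, defaultdict

# Constructed sample log lines, one query each: "<client-ip> <qname> <rcode>".
# 10.0.0.7 queries random-looking names that do not exist (DGA-like), and
# three hosts query the same never-before-seen domain (a spreading infection).
SAMPLE_LOG = """\
10.0.0.5 www.salesforce.com NOERROR
10.0.0.5 login.microsoftonline.com NOERROR
10.0.0.6 www.salesforce.com NOERROR
10.0.0.7 xk3j9q1mz7vb.info NXDOMAIN
10.0.0.7 q8v2lr0kd4ws.info NXDOMAIN
10.0.0.7 p0m5tz3yq9cn.info NXDOMAIN
10.0.0.7 u7b1hd6xw2ef.info NXDOMAIN
10.0.0.7 updates-cdn-check.xyz NOERROR
10.0.0.8 updates-cdn-check.xyz NOERROR
10.0.0.9 updates-cdn-check.xyz NOERROR
10.0.0.9 www.salesforce.com NOERROR
"""

# Baseline of registrable domains the organisation has resolved before
# (constructed here; in practice built from weeks of your own logs).
BASELINE = {"salesforce.com", "microsoftonline.com"}


def registrable(qname):
    """Crude eTLD+1 (last two labels). Fine for the sample; production code
    should use the public suffix list so 'example.co.uk' is handled."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse(log_text):
    """Yield (client, qname, rcode) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def tripwires(log_text, baseline, nx_threshold=3, spread_threshold=3):
    """Run three tripwires over the log and return the findings as a dict:
      new_domains:  registrable domain not in baseline -> sorted list of clients
      dga_suspects: clients with at least nx_threshold NXDOMAIN answers
      spreading:    new domains queried by at least spread_threshold clients
    """
    clients_per_new_domain = defaultdict(set)
    nxdomain_per_client = Counter()
    for client, qname, rcode in parse(log_text):
        dom = registrable(qname)
        if dom not in baseline:
            clients_per_new_domain[dom].add(client)
        if rcode == "NXDOMAIN":
            nxdomain_per_client[client] += 1
    dga = {c for c, n in nxdomain_per_client.items() if n >= nx_threshold}
    spreading = {d for d, cs in clients_per_new_domain.items()
                 if len(cs) >= spread_threshold}
    return {
        "new_domains": {d: sorted(cs) for d, cs in clients_per_new_domain.items()},
        "dga_suspects": dga,
        "spreading": spreading,
    }


if __name__ == "__main__":
    findings = tripwires(SAMPLE_LOG, BASELINE)
    for key, value in findings.items():
        print(key, value)
```

The thresholds are deliberately low so the sample trips them; on a real resolver the NXDOMAIN count should be measured per client per hour and the baseline refreshed continuously, otherwise every legitimately new SaaS domain becomes an alert.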
You also need to monitor two other things: how well-known names are resolved on your network (an attacker who can tamper with resolution can send users who click a link to a site like PayPal to a malicious site of their own instead), and where your own external domain points. When Tesla's website was recently redirected to a spoof page put up by hackers, who also took control of the company's Twitter account (and used it to flood a small computer repair store in Illinois with calls from people they'd fooled into believing they'd won free cars), the attackers also changed the name servers used to resolve the domain name. Monitoring its own DNS records might have given Tesla a heads-up that something was wrong before users started tweeting pictures of the hacked site.
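Both checks in the paragraph above reduce to the same routine: resolve a list of names and compare the answers against what you expect. The Python below is an added example, not the article's or any vendor's code. For names you control it compares against a fixed expected set (the NS change in the Tesla incident is exactly the kind of drift this catches); for third-party names such as a payment site it compares your internal resolver's answer against a reference resolver reached over a different path, since you cannot know a third party's correct addresses in advance. The resolvers are injected as functions so the sample runs offline; the domain names, name servers and RFC 5737 addresses used are constructed, and the hijacked answers are simulated.

```python
"""Detect drift in DNS answers for names you care about (added example)."""

# Names to watch, as (name, record type). Constructed list.
WATCH = [
    ("example.com", "NS"),
    ("www.example.com", "A"),
    ("www.paypal.com", "A"),
]

# Expected answers for names you control. Constructed values.
EXPECTED = {
    ("example.com", "NS"): {"ns1.example-dns.net.", "ns2.example-dns.net."},
    ("www.example.com", "A"): {"203.0.113.10"},
}

# Simulated resolvers. In production replace with a function that calls
# dnspython, e.g. lambda n, t: {r.to_text() for r in dns.resolver.resolve(n, t)}
# (assumption: dnspython 2.x API). The internal resolver below has been
# poisoned for www.paypal.com, and the registrar record for example.com
# has been changed to attacker-controlled name servers.
_INTERNAL = {
    ("example.com", "NS"): {"ns1.attacker-panel.example.", "ns2.attacker-panel.example."},
    ("www.example.com", "A"): {"203.0.113.10"},
    ("www.paypal.com", "A"): {"198.51.100.7"},
}
_REFERENCE = {
    ("example.com", "NS"): {"ns1.attacker-panel.example.", "ns2.attacker-panel.example."},
    ("www.example.com", "A"): {"203.0.113.10"},
    ("www.paypal.com", "A"): {"192.0.2.44"},
}


def resolve_internal(name, rtype):
    """Stand-in for your on-network resolver (constructed answers)."""
    return _INTERNAL.get((name, rtype), set())


def resolve_reference(name, rtype):
    """Stand-in for an independent resolver reached over another path."""
    return _REFERENCE.get((name, rtype), set())


def audit(watch, expected, internal, reference):
    """Return a list of findings (name, rtype, observed, wanted, reason).

    Names with an entry in `expected` are compared against it (drift in your
    own records, e.g. a registrar-level NS change). Other names are compared
    internal-vs-reference (tampering with resolution inside your network).
    """
    findings = []
    for name, rtype in watch:
        observed = set(internal(name, rtype))
        if (name, rtype) in expected:
            wanted = set(expected[(name, rtype)])
            reason = "own record drifted from expected"
        else:
            wanted = set(reference(name, rtype))
            reason = "internal answer differs from reference resolver"
        if observed != wanted:
            findings.append((name, rtype, sorted(observed), sorted(wanted), reason))
    return findings


if __name__ == "__main__":
    for f in audit(WATCH, EXPECTED, resolve_internal, resolve_reference):
        print(f)
```

Two practical notes: query the NS set of your domain from the parent zone's servers as well as from your own authoritative servers, because a registrar-level hijack changes the delegation at the parent first; and run the reference lookup from outside the network (or over DoH/DoT to a fixed public resolver) so a compromise of the internal resolver cannot also poison the comparison.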
At the very least, remember that DNS underpins all your online services, Ulevitch points out. "The bar is very low for improving DNS. Usually, DNS is seen as a cost center; people don't invest in reliable enough infrastructure or high enough performance equipment, so it's hard to cope with a high volume of transactions."
That doesn't only matter if you're targeted by a DNS attack. "Organizations should look at DNS performance because it will have a material impact on everything you do online. Every time you send an email or open an app you're doing DNS requests. These days, web pages are very complex and it's not uncommon to have more than 10 DNS requests to load a page. That can be a whole extra second or more, just to handle the DNS components of loading a page."
Tracking business behavior
Monitoring DNS can also give you a lot of information about what's going on across your business far beyond the network. "We live in a world where the network perimeter is becoming ephemeral and where services are easy to adopt," Ulevitch points out. "A marketing executive can sign up to Salesforce; if you're looking at the DNS you can see that. You can see how many employees are using Facebook. You can see devices showing up in your network, whether it's because they're checking a licence or doing data exfiltration. If you have a hundred offices, you can still see who is connecting devices."