DNS Records Functionality and Abuses: PTR & NS Explained
Understanding how PTR (Pointer Records) and NS (Name Server Records) work is essential in threat hunting and detecting DNS-based attacks. Below, we cover their normal functions and how they are abused by attackers.
🔹 PTR Records (Pointer Records)
Normal Functionality:
PTR records perform reverse DNS lookups—translating IP addresses back to hostnames. Key use cases:
• Email Validation: Mail servers verify if the IP matches the hostname to reduce spam.
• Log Readability: Converts IPs to hostnames for easier interpretation.
• Security Policies: Used in access control for validating trusted sources.
Abuse via PTR Query Spikes:
1. DNS Reflection/Amplification Attacks:
• Attackers send spoofed PTR queries to open DNS resolvers, causing large responses to flood the victim’s IP.
• These are used to amplify DDoS attacks.
Indicators:
• Sudden increase in inbound UDP port 53 traffic.
• No matching outbound queries.
• Traffic contains large PTR responses.
2. Reconnaissance/Scanning:
• Mass reverse lookups to identify hostnames in a target network—often a precursor to targeted attacks.
---
🔹 NS Records (Name Server Records)
Normal Functionality:
NS records define authoritative DNS servers for a domain. They direct where to look for a domain’s A, MX, TXT records, etc.
Abuse via NS Query Spikes:
1. DNS Amplification Attacks:
• Similar to PTR attacks—spoofed queries generate large NS responses.
2. DNS Hijacking:
• If attackers change a domain's NS records, they can:
- Redirect traffic to phishing sites
- Intercept emails
- Issue fake SSL certs
Indicators:
• Sudden NS record changes
• High queries to attacker-controlled NS servers
3. Reconnaissance:
• A spike in NS queries from unknown IPs can indicate an attacker mapping your DNS infrastructure.
4. Dangling Domains:
• Spikes in queries to expired or unregistered domains can indicate attackers preparing for a subdomain takeover.
---
🔍 SOC Investigation: Detecting PTR and NS Abuse
A Security Operations Center (SOC) can detect abuse through:
• Baseline Monitoring: Know your usual DNS traffic volume.
• DNS Log Analysis:
- Look for sharp increases in PTR/NS queries.
- Look for unsolicited inbound DNS responses (responses with no matching outbound query).
• ANY Query Spikes: A common sign of an amplification attack.
• NetFlow/IPFIX: Identify high UDP port 53 traffic bursts.
• Firewall/IDS Logs: Alerts on excessive or unusual DNS activity.
• Threat Intelligence: Match suspicious IPs to known botnets or attackers.
• Packet Captures (PCAP): Confirm suspicious DNS behavior if data volume allows.
• External DNS Monitoring: Detect unauthorized NS record changes.
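As an added example (not part of the original post), the checks below run the reflection indicators above (unsolicited inbound responses, no matching outbound query), the PTR/NS query-spike baseline check and the external NS-change check over a constructed DNS log. The log format, field names and baseline values are assumptions for the demo; adapt the regex to your resolver's or firewall's log format.

```python
import re
from collections import Counter
# Constructed sample DNS log (not from the original post); assumed field order:
# <time> <dir> <src_ip> <dst_ip> <query|response> <qtype> <name> <bytes>
SAMPLE_LOG = """\
10:00:01 out 10.0.0.5 198.51.100.1 query A www.example.com 60
10:00:01 in 198.51.100.1 10.0.0.5 response A www.example.com 76
10:00:02 in 203.0.113.9 10.0.0.5 response PTR 1.0.0.10.in-addr.arpa 3100
10:00:02 in 203.0.113.9 10.0.0.5 response PTR 2.0.0.10.in-addr.arpa 3100
10:00:03 in 203.0.113.10 10.0.0.5 response NS example.com 2900
10:00:03 in 198.51.100.77 10.0.0.5 query PTR 5.0.0.10.in-addr.arpa 45
10:00:04 in 198.51.100.77 10.0.0.5 query PTR 6.0.0.10.in-addr.arpa 45
10:00:04 in 198.51.100.77 10.0.0.5 query PTR 7.0.0.10.in-addr.arpa 45
10:00:05 in 198.51.100.77 10.0.0.5 query PTR 8.0.0.10.in-addr.arpa 45
"""
LINE_RE = re.compile(r"^(\S+) (in|out) (\S+) (\S+) (query|response) (\S+) (\S+) (\d+)$")
FIELDS = ("time", "dir", "src", "dst", "kind", "qtype", "name", "bytes")

def parse_log(text):
    # Skip malformed lines instead of aborting the hunt on one bad record.
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = dict(zip(FIELDS, m.groups()))
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records

def unsolicited_responses(records):
    # Reflection indicator: inbound response with no earlier outbound query to that peer for (qtype, name).
    asked, hits = set(), []
    for r in records:
        if r["dir"] == "out" and r["kind"] == "query":
            asked.add((r["dst"], r["qtype"], r["name"]))
        elif r["dir"] == "in" and r["kind"] == "response":
            if (r["src"], r["qtype"], r["name"]) not in asked:
                hits.append(r)
    return hits

def query_spikes(records, baseline, factor=3.0):
    # Recon indicator: inbound query count per (source, qtype) above
    # factor x the baseline count you normally see for that qtype.
    counts = Counter((r["src"], r["qtype"]) for r in records
                     if r["dir"] == "in" and r["kind"] == "query")
    return {k: n for k, n in counts.items() if n > factor * baseline.get(k[1], 0)}

def ns_drift(expected, observed):
    # Hijack indicator: NS set seen externally differs from the one you published.
    return sorted(set(observed) - set(expected)), sorted(set(expected) - set(observed))
```

The byte totals of the unsolicited responses give you the amplification volume to report; the baseline dictionary should come from your own traffic history, not from these sample numbers.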
---
Conclusion:
Spikes in PTR and NS queries are often signs of DNS-based DDoS or reconnaissance attacks. Monitoring DNS behavior is critical in threat hunting, and your SOC should be equipped to identify and respond to these anomalies quickly.
Stay vigilant — DNS is powerful, but it's also a common attack surface.