Who's afraid of DNS? Nominet's new 'turing' tool visualises hidden security threats

Powerful analytics tool spots botnets, misconfigurations and even man-in-the-middle

UK domain registry Nominet has shown off a striking new visualisation tool called 'turing' that large organisations can use to peer into their DNS traffic to trace latency issues and spot previously invisible botnets and malware.

In development for four years, and used internally by Nominet for the last two, at core turing is about representing DNS traffic in visual form, allowing administrators to 'see' patterns in real time that would normally be impossible to detect let alone understand.

The company believes there is no other tool on the market that does what turing does, a reflection of the fact that most organisations don't think about the protocol in much detail. If it works then DNS will probably be ignored. The security issues it could give insight into are detected by other and probably less effective technologies.

The system - the term 'platform' is probably more appropriate - has three elements. A collection application 'sniffs' an organisation's DNS data (including advanced metadata) as it traverses the network at up to 250,000 queries per second, sending this to a server that processes the possibly terabytes of data it receives for viewing through a touchscreen, HTML5 browser-based web application.

The top-level visualisation shows an overview of all DNS queries, representing days by dots of varying sizes and colours. Admins can drill down into a day or sequence of days to graph deeper trends that might be cause for concern.

And in most DNS data sets there will always be issues worth looking at in closer detail, if necessary right down to specific IP addresses.

A demo given to Techworld showed how one such issue, Mail Exchange (MX) queries, could be used to spot botnet operators attempting to cleanse their email lists of non-working addresses by querying them. A negative response from the server tells them that the address should be deleted, a process turing notices.

Machines that have been enrolled in botnets can also be detected because of the traffic emanating from them.
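The MX pattern described above can be approximated with a simple per-client count over resolver logs. The sketch below is an added example, not Nominet's code or turing's method; the four-field log format, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed DNS log lines in an assumed format: 'client qtype qname rcode'."""
    lines = []
    # Hypothetical list-cleansing host: MX lookups for many domains, mostly failing.
    for i in range(40):
        rcode = "NOERROR" if i % 4 == 0 else "NXDOMAIN"
        lines.append(f"192.0.2.10 MX mail-domain-{i}.example {rcode}")
    # Legitimate mail relay: repeated MX lookups for a few partners, all resolving.
    for i in range(40):
        lines.append(f"192.0.2.20 MX partner-{i % 3}.example NOERROR")
    # Workstation: ordinary A lookups with the occasional typo.
    for i in range(40):
        rcode = "NXDOMAIN" if i % 10 == 0 else "NOERROR"
        lines.append(f"192.0.2.30 A site-{i}.example {rcode}")
    return lines

def flag_mx_list_cleansing(lines, min_queries=20, min_domains=15, min_fail_ratio=0.5):
    """Return {client: stats} for clients whose MX traffic is high-volume,
    spread over many distinct names, and mostly answered negatively."""
    total, failed, domains = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guess at fields
        client, qtype, qname, rcode = parts
        if qtype.upper() != "MX":
            continue
        total[client] += 1
        domains[client].add(qname.lower().rstrip("."))
        if rcode.upper() == "NXDOMAIN":  # the "negative" answer in this sketch
            failed[client] += 1
    flagged = {}
    for client, n in total.items():
        ratio = failed[client] / n
        if n >= min_queries and len(domains[client]) >= min_domains and ratio >= min_fail_ratio:
            flagged[client] = {"mx_queries": n,
                               "distinct_domains": len(domains[client]),
                               "fail_ratio": round(ratio, 2)}
    return flagged

if __name__ == "__main__":
    for client, stats in flag_mx_list_cleansing(build_sample_log()).items():
        print(client, stats)
```

The distinct-domain threshold is what separates the relay from the flagged host here: a real mail server also issues many MX queries, but for a small, mostly resolvable set of names.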

"We can start to understand the patterns of botnets and help to clean up people's computers," said Nominet's CTO, Simon McCalla. "We pass this info to Spamhaus and ISPs to do forensics."

"Any enterprise with a large DNS infrastructure will know how difficult it is to understand what is happening with real-time and historic traffic. To build it we had to stop thinking like engineers and start thinking like detectives.

"Up until now, the available network management tools have simply not had the capability to rapidly store and analyse DNS query data in depth. turing changes the game completely," said McCalla.

In addition to botnets, source port analysis can be used to spot man-in-the-middle attacks; a similar principle could be used, McCalla said, to tease out latency issues from DNS re-query traffic or find machines spewing Domain Generation Algorithm requests.

A large ISP was already using turing, he said.

"What this does is provide another tool to keep the Internet safe. It is an increasingly challenging thing to do. We need cutting edge tools to combat threats."

Pricing depends on the design of a customer's network, the volume of DNS traffic they handle and the terms of the license agreement, possibly a coded way of saying that large organisations will end up paying more than smaller ones. More information can be obtained by emailing turing@nominet.org.uk
