I love PowerShell – what can’t it do? A friend of mine referred me to this article on how to monitor DNS requests with PowerShell, so of course I needed to investigate. Traditionally, Sysmon is the go-to for monitoring Windows hosts, but as Mr. Vassallo points out, this solution relies on reverse DNS lookups for IP address translation.
Ok let’s back up. DNS monitoring is important because it provides valuable information during an incident response investigation. The hostname-IP address mappings help to characterize traffic observations, and the server’s IP address can be useful to identify clients that make direct requests to servers outside the environment. For threat intelligence, DNS logging can be used to flag heavy query activity for newly-registered domains or identifying a newly-observed domain.
The problem with reverse DNS is that the owner of the IP address is in charge of reverse DNS, not the owner of the domain the IP resolves to. Anybody who has control over reverse DNS for an IP address block can make the address reverse resolve to “kdahl.io” (or localhost).
If you are using reverse DNS, then you also need to be aware that whoever operates the authoritative name server for that IP address will learn of your requests. And don’t forget to make sure that you sanitize and properly encode reverse DNS results before using them – never ever treat them as trusted.