TL;DR
Yes! Several tools can help you find dodgy DNS records that might indicate a cyber security problem, like malware or phishing. This guide shows you how to use them – from simple online checkers to more advanced command-line options.
Detecting Bad DNS Results: A Step-by-Step Guide
- Understand What You’re Looking For
  - Incorrect Records: Records pointing to the wrong IP address.
  - Unexpected Records: Records for domains you don’t recognise associated with your infrastructure.
  - Typosquatting: Domains that are very similar to legitimate ones (e.g., paypa1.com instead of paypal.com).
  - DNS Hijacking: When a domain’s DNS records have been altered without permission, redirecting users to malicious sites.
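The typosquatting item above is the one that can be checked mechanically: a lookalike usually differs from the real name by a single keyboard slip or by a character swap such as 1 for l or rn for m. The script below is an added example for this guide, not code from the original page. It takes a list of domains you protect and a list of names observed in logs or a DNS capture, and flags the observed names that are one edit away from a brand, match it after homoglyph substitution, or reuse its label under a different suffix. The brand list, the observed names and the homoglyph table are all constructed for the demonstration, and the suffix handling assumes a single-label public suffix such as .com.

```python
"""Typosquatting check: flag observed domains that imitate a protected brand.

Added example for this guide, not code from the original page. The brand
list, the observed domains and the homoglyph table are constructed for the
demonstration; extend them for real use.
"""
from typing import List, Optional, Tuple

# Substitutions commonly used to imitate a legitimate name (constructed subset).
# Multi-character keys are applied first so that 'rn' -> 'm' happens before
# single characters are mapped.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}


def normalise(label: str) -> str:
    """Map look-alike characters to their plain form: 'paypa1' -> 'paypal'."""
    s = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and the
    swap of two adjacent characters each cost 1, so 'paypla' is 1 from 'paypal'."""
    prev2: Optional[List[int]] = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """'secure.paypa1.com' -> ('paypa1', 'com'). Simplification: assumes a
    single-label public suffix such as .com (no public suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def lookalike_reason(candidate: str, brand: str) -> Optional[Tuple[str, int]]:
    """Return (reason, distance) when candidate imitates brand, else None."""
    (c, c_sfx), (b, b_sfx) = split_domain(candidate), split_domain(brand)
    if c == b:
        # Same registrable label: the brand itself or one of its subdomains is
        # fine; the same label under another suffix (paypal.co) is not.
        return None if c_sfx == b_sfx else ("suffix-swap", 0)
    if normalise(c) == normalise(b):
        return ("homoglyph", 0)
    d = edit_distance(c, b)
    if d <= 1 or (len(b) >= 8 and d <= 2):
        return ("typo", d)
    return None


def find_lookalikes(observed, brands):
    """Return [(observed_domain, brand, reason, distance), ...]."""
    hits = []
    for dom in observed:
        for brand in brands:
            r = lookalike_reason(dom, brand)
            if r is not None:
                hits.append((dom, brand, r[0], r[1]))
    return hits


# Constructed sample input: domains you protect, and names seen in logs or a
# passive DNS capture.
BRANDS = ["paypal.com", "example.com"]
OBSERVED = ["paypa1.com", "paypal.com", "www.paypal.com", "paypla.com",
            "payypal.com", "paypal.co", "unrelated.org", "exarnple.com"]

if __name__ == "__main__":
    for dom, brand, reason, dist in find_lookalikes(OBSERVED, BRANDS):
        print(f"{dom:18} imitates {brand:14} ({reason}, distance {dist})")
```

Feed it the distinct query names from a dnscap or resolver log and the hits are the names worth checking against the registrar and blacklist steps later in this guide. The edit-distance threshold is deliberately tight (one edit, two for long labels) because loosening it floods the output with unrelated names.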
- Online DNS Lookup Tools (Quick Checks)
  - MXToolbox: https://mxtoolbox.com – A comprehensive suite of tools, including DNS lookup, blacklist checks and more. Good for a general overview.
  - DNS Checker: https://dnschecker.org – Checks DNS records from multiple locations worldwide, useful for identifying propagation issues or regional discrepancies.
  - VirusTotal: https://www.virustotal.com – While primarily a malware scanner, VirusTotal also provides DNS information and can flag domains associated with malicious activity.

  No command needed for any of these - use the website interface.
- Command-Line Tools (More Control)
  - nslookup: A basic tool available on most operating systems. Useful for querying specific DNS records.

    ```shell
    nslookup example.com
    nslookup -type=MX example.com   # Check MX records specifically
    ```
  - dig: A more advanced tool, often preferred by cyber security professionals. Provides detailed DNS information.

    ```shell
    dig example.com
    dig +trace example.com          # Trace the DNS resolution path
    ```
  - host: Another command-line tool for performing DNS lookups.

    ```shell
    host example.com
    ```
- Automated Scanning with dnscap (Advanced)
  - dnscap: A passive DNS sniffer that captures DNS queries and responses on your network. Requires a bit more setup but provides real-time visibility.

    ```shell
    # Install dnscap - instructions vary by OS, see https://github.com/iijigen/dnscap
    # Run dnscap to capture DNS traffic, then analyse the capture in Wireshark or a similar tool.
    ```
- Check Blacklists
  - Use tools like MXToolbox (mentioned above) or dedicated blacklist checking websites to see if your domains are listed on any known spam or malware blacklists.

  No command needed - use the website interface of MXToolbox or similar.
- Monitor DNS Changes
  - Consider using a DNS monitoring service that alerts you to any changes in your DNS records. This can help you quickly detect and respond to potential hijacking attempts.

  Many DNS providers offer change notification features. Check your provider's documentation.
- Investigate Suspicious Results
  - If you find unexpected or incorrect records, investigate further:
    - Check the domain registrar settings to ensure they haven’t been compromised.
    - Contact your DNS provider for assistance.
    - Scan the associated IP addresses with a malware scanner.
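If your provider does not offer change notifications, the "Monitor DNS Changes" step can be done with the tools already listed: record a baseline of the answers `dig +short` returns for each record type, re-query on a schedule, and report anything that appears or disappears. The script below is an added example for this guide, not code from the original page. It stores the baseline as JSON, exits non-zero when something changed so a cron job can alert on it, and ships with a constructed baseline and constructed stand-in answers (RFC 5737 documentation addresses) so `demo()` runs offline; the changed A record and the extra name server in that sample are the kind of result the "Investigate Suspicious Results" step is for.

```python
"""Baseline-and-diff check for DNS records (the 'Monitor DNS Changes' step).

Added example for this guide, not code from the original page. It shells out
to `dig +short`, which the guide introduces above, keeps a JSON baseline on
disk and reports any record that appears or disappears. The baseline and the
stand-in answers used by demo() are constructed (RFC 5737 addresses).
"""
import json
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Optional

RECORD_TYPES = ("A", "AAAA", "MX", "NS", "TXT")
Snapshot = Dict[str, List[str]]


def parse_short_answer(output: str) -> List[str]:
    """Turn `dig +short` text into a sorted, de-duplicated list of records."""
    return sorted({" ".join(ln.split()) for ln in output.splitlines() if ln.strip()})


def dig_query(domain: str, rtype: str, resolver: Optional[str] = None) -> List[str]:
    """Ask the system resolver (or a specific one via @resolver) using dig."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if resolver:
        cmd.append(f"@{resolver}")
    cmd += [domain, rtype]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_short_answer(result.stdout)


def take_snapshot(domain: str, resolver: Optional[str] = None, query=dig_query) -> Snapshot:
    """Query every type in RECORD_TYPES and return {rtype: [records]}."""
    return {rtype: query(domain, rtype, resolver) for rtype in RECORD_TYPES}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, Dict[str, List[str]]]:
    """{rtype: {'added': [...], 'removed': [...]}} for every type that changed."""
    changes = {}
    for rtype in sorted(set(baseline) | set(current)):
        old, new = set(baseline.get(rtype, [])), set(current.get(rtype, []))
        if old != new:
            changes[rtype] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes


def check_domain(domain: str, baseline_path: str, resolver: Optional[str] = None, query=dig_query):
    """First run writes the baseline and returns None; later runs return the diff."""
    path = Path(baseline_path)
    current = take_snapshot(domain, resolver, query)
    if not path.exists():
        path.write_text(json.dumps(current, indent=2))
        return None
    return diff_snapshots(json.loads(path.read_text()), current)


# Constructed stand-in for dig output so demo() runs offline. The A record has
# changed and an unknown name server has appeared: exactly what you would
# follow up under 'Investigate Suspicious Results'.
CONSTRUCTED_ANSWERS = {
    ("example.com", "A"): "198.51.100.77\n",
    ("example.com", "AAAA"): "",
    ("example.com", "MX"): "10 mail.example.com.\n",
    ("example.com", "NS"): "ns1.example.com.\nns2.example.com.\nns-added.example.net.\n",
    ("example.com", "TXT"): '"v=spf1 mx -all"\n',
}
CONSTRUCTED_BASELINE: Snapshot = {
    "A": ["192.0.2.10"], "AAAA": [], "MX": ["10 mail.example.com."],
    "NS": ["ns1.example.com.", "ns2.example.com."], "TXT": ['"v=spf1 mx -all"'],
}


def fake_query(domain: str, rtype: str, resolver: Optional[str] = None) -> List[str]:
    """Offline replacement for dig_query that serves the constructed answers."""
    return parse_short_answer(CONSTRUCTED_ANSWERS.get((domain, rtype), ""))


def demo():
    """Diff the constructed baseline against the constructed current answers."""
    return diff_snapshots(CONSTRUCTED_BASELINE, take_snapshot("example.com", query=fake_query))


if __name__ == "__main__":
    # Real use: python dns_baseline.py example.com example.com.baseline.json
    if len(sys.argv) == 3:
        changes = check_domain(sys.argv[1], sys.argv[2])
        print("baseline written" if changes is None else json.dumps(changes, indent=2))
        sys.exit(1 if changes else 0)
    print(json.dumps(demo(), indent=2))
```

Run it once to capture the baseline after you have confirmed the records are correct, then schedule it. Querying a specific resolver (for example your authoritative server with `resolver="ns1.example.com"`) alongside the default one helps distinguish a change at the source from a poisoned cache, which is the same idea as the multi-location check DNS Checker performs.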

