Perception Update - Unusual DNS Behaviours Classification

A new classifier specifically targeted at identifying the misuse of DNS (port 53) traffic.

DNS is an overlooked attack vector as typically few security tools check the content of DNS packets. The use of DNS as a vector for exfiltration of data is an emerging threat behaviour that is likely to be used more often in advanced malware.

Detecting exfiltration regardless of the technique is always one of the hardest tasks for Network Monitoring systems.  It’s hugely important that these systems stay as far ahead of threat actors as possible, and theorising novel ways of exfiltration then building methods of identifying them is part of Perception Labs’ day-to-day job.

The relative lack of scrutiny over DNS traffic on port 53 by perimeter security systems gives attackers a theoretical method of exfiltration that, although massively restrictive, is unlikely to be detected or blocked by traditional security systems.  This latest update protects against this misuse of the DNS protocol to ensure that any non-legitimate traffic is identified and shown to the analyst.

Other misuses of the DNS protocol are, by proxy, also protected against by the new update; this includes set up of CnC channels over DNS.

This update is sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors using the software upgrade process.  If you have any further questions about this upgrade please contact us at