What is DNS Monitoring?

DNS Monitoring is the active inspection and analysis of DNS (Domain Name System) traffic to detect suspicious or unwanted domain lookups. It is a powerful technique for spotting malware communication, data exfiltration and APT activity, often before other security measures react.

In OT environments, DNS Monitoring helps protect systems such as Engineering Stations, Historians and Remote Maintenance portals.

🧠 Why is DNS traffic interesting to attackers?

How attackers use DNS:

  • Data exfiltration via DNS: sending data inside DNS queries (DNS tunnelling)
  • Command & Control communication: malware retrieves instructions via subdomains (e.g. cmd1.attacker.com)
  • Evasion of detection: DNS is often not blocked or logged in OT
  • Dynamic domains (DDNS): the attacker’s IP address rotates automatically via DNS

🔎 What do you see in DNS Monitoring?

Each of the following behaviours is suspicious:

  • Unknown domains outside the whitelist: especially when newly registered
  • Long or encoded subdomains: possible exfiltration or C2 activity
  • Frequent DNS traffic to a single domain: indicates a persistent connection
  • Traffic from HMI/PLC to DNS: unusual in air-gapped OT systems
  • Requests to domains with poor reputation: possible malware
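
As an added example (not code from the original page), the checks from this list applied in Python to a few constructed firewall-style DNS query log lines; the whitelist, the HMI/PLC address and the length, entropy and repeat thresholds are assumed values a real deployment would tune:

```python
import math
from collections import Counter

# Constructed sample log (firewall-style DNS query log), not real data.
# Each line: <timestamp> <source-ip> <queried-name>
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.10.1.20 ntp.vendor.example
2024-05-01T08:00:02 10.10.1.20 remoteportal.vendor.example
2024-05-01T08:00:03 10.10.2.5 cmd1.attacker.example
2024-05-01T08:00:04 10.10.2.5 cmd1.attacker.example
2024-05-01T08:00:05 10.10.2.5 cmd1.attacker.example
2024-05-01T08:00:06 10.10.1.20 aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbA.attacker.example
2024-05-01T08:00:07 10.10.3.7 update.historian.example
"""

ALLOWLIST = {"vendor.example", "historian.example"}  # assumed OT DNS whitelist
OT_FIELD_DEVICES = {"10.10.2.5"}  # assumed HMI/PLC address that should never resolve names
MAX_LABEL_LEN = 30        # assumed: a longer subdomain label counts as "long"
MIN_LABEL_ENTROPY = 3.5   # assumed: higher Shannon entropy looks encoded
REPEAT_THRESHOLD = 3      # assumed: this many queries to one domain = persistent connection

def shannon_entropy(s):
    """Bits per character; base64-like labels score high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Assumed: the last two labels are the registrable domain (enough for the sample).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text):
    """Return (source, name, reason) findings for the behaviours listed above."""
    findings, per_domain = [], Counter()
    for line in log_text.splitlines():
        _ts, src, qname = line.split()
        domain = registered_domain(qname)
        per_domain[domain] += 1
        if domain not in ALLOWLIST:
            findings.append((src, qname, "domain outside whitelist"))
        if any(len(lab) > MAX_LABEL_LEN or shannon_entropy(lab) > MIN_LABEL_ENTROPY
               for lab in qname.split(".")[:-2]):
            findings.append((src, qname, "long or encoded subdomain"))
        if src in OT_FIELD_DEVICES:
            findings.append((src, qname, "DNS traffic from HMI/PLC"))
    for domain, n in per_domain.items():
        if n >= REPEAT_THRESHOLD:
            findings.append(("*", domain, "repeated queries to single domain"))
    return findings
```

`analyse(SAMPLE_LOG)` yields nine findings for the sample: the cmd1 lookups from the PLC address, the long base64-looking label, and the repeated queries to attacker.example, while the whitelisted vendor and historian names produce none.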

βš™οΈ Implementation in OT

Monitoring locations:

  • Jump Server or proxy: central point for DNS traffic leaving the OT zone
  • Firewall with DNS logging: logs outbound DNS requests from OT systems
  • SIEM integration: analyses DNS logs for IOCs and anomalous behaviour
  • Passive monitoring via network taps: observes DNS traffic without impact on production

Tooling:

  • Threat Intelligence feeds: compare domains against blacklists and APT indicators
  • Anomaly detection: alert on unusual DNS traffic
  • EDR / XDR: correlate DNS behaviour with endpoints
  • Incident Response Plan: includes steps for DNS-based attacks

✅ Best practices

  • Build a DNS whitelist: which domains should OT systems be able to reach at all?
  • Detect traffic to new or recently registered domains
  • Combine with URL Filtering and Application Whitelisting
  • Deploy DNS monitoring at all exits to IT or internet zones
  • Account for false positives from industrial cloud services (e.g. remote HMI portals)

📌 In summary

DNS Monitoring is a quiet but powerful way to detect cyber attacks early, particularly in environments where malware has few other ways to communicate.