This morning I was poking around the lab and I got this email:
Okay - let me look at FortiAnalyzer to figure out what's going on, so I logged in and looked at the compromised hosts:
Uh oh, This is coming from my DNS server. Is my DNS server compromised? Not likely, what's more likely is that something else is compromised and sending DNS requests. Which got me thinking, short of moving my DNS servers to another network so that I am forcing the DNS queries to traverse my fortigate, or enabling DNS logging (who wants to go through all that when you already have the tools to analyze this). Then I recalled seeing a really cool article my dear friend Manny Fernandez wrote about conditional DNS forwarding.
The idea is if your DNS servers aren't authoritative for a zone, why even bother recursing the traffic? Let your Fortigate do DNS recursion for your network. If it's internal traffic, it will forward to your DNS servers, if it's external it will forward to the system/external DNS. Net benefit is reduced load on your DNS servers, and better security overall - in that your internal DNS servers will no longer recurse everything, plus you gain visibility into what clients are querying via DNS.
Check out Manny's write up at Infosec Monkey.