What follows is a request to LittleSnitch to support the following heuristic to focus end-users on possible DNS compromises :
1) Track DNS servers used over time. Typically, DNS lookup servers are static for each LAN (home, work, coffee-shop, etc) over long periods of time. Keep track of these tuples (e.g., geoIP, LAN IP, DNS servers) ... and thus, when requests on a LAN detect a different DNS server is now being consulted, alert the end-user to the OLD DNS list and the new DNS being consulted by so-and-so process ... as that presages the possibility of a DNS poisoning attack. For expert users who might well be exploring responses from alternate DNS servers, they can delve into which process is asking to use a different DNS server, select which DNS servers are trusted or not trusted, etc.
2) Keep track of DNS requests (server used, name to be resolved, and resolved IP address) and notify end-user when an outbound network connection uses an IP address that was NOT previously serviced by a DNS lookup request over time. Tracking these kinds of requests is helpful to surface hard-coded IP addresses to the attention of the end-user who has enabled this tracking feature.
1) Track DNS servers used over time. Typically, DNS lookup servers are static for each LAN (home, work, coffee-shop, etc) over long periods of time. Keep track of these tuples (e.g., geoIP, LAN IP, DNS servers) ... and thus, when requests on a LAN detect a different DNS server is now being consulted, alert the end-user to the OLD DNS list and the new DNS being consulted by so-and-so process ... as that presages the possibility of a DNS poisoning attack. For expert users who might well be exploring responses from alternate DNS servers, they can delve into which process is asking to use a different DNS server, select which DNS servers are trusted or not trusted, etc.
2) Keep track of DNS requests (server used, name to be resolved, and resolved IP address) and notify end-user when an outbound network connection uses an IP address that was NOT previously serviced by a DNS lookup request over time. Tracking these kinds of requests is helpful to surface hard-coded IP addresses to the attention of the end-user who has enabled this tracking feature.
