I sat next to a security manager for an academic institution in Latvia last week and asked him what he was doing to protect his network seeing as he had little or no control over the student devices connected to it. He said that monitoring DNS gave him the best visibility of malicious activity as he could track which devices were making connections to dodgy IPs, then inform the end user and ask them to fix the problem, and ban devices that continued to have problems. He’d written his own scripts to automate the activity. Companies like WatchGuard are offering services that do this for you…:
[…] The solution extends the DNS-level protection and content filtering provided by WatchGuard’s existing DNSWatch service to monitor and correlate outbound DNS requests from off-network users against an aggregated list of malicious domains.
All endpoint attempts to connect with known malicious infrastructure are blocked, users are redirected and the traffic is routed to DNSWatch servers for further investigation and malware removal.
These capabilities make it easy to block off-network phishing attacks, command and control callbacks, and data exfiltration attempts.
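To make the manager's home-grown approach concrete, here is an added example (not his scripts and not WatchGuard's code) of the core loop a resolver operator can run: parse the resolver's query log, match each queried name against a blocklist of domains, count hits per client address, and decide whether that client gets a warning or a ban. The log lines, client addresses, domain names and the blocklist are all constructed for this example in the style of a BIND 9 query log; the three-strikes threshold is an assumed policy, not something the page specifies.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a BIND 9 query log. Addresses,
# domain names and timestamps are invented for this example; one malformed
# line is included to show that unparseable input is skipped, not trusted.
SAMPLE_LOG = """\
12-May-2019 10:01:02.123 client @0x7f3a1c 10.20.30.41#53211 (www.example.edu): query: www.example.edu IN A +E(0)K (10.20.30.1)
12-May-2019 10:01:05.456 client @0x7f3a1c 10.20.30.41#53212 (c2.bad.example.net): query: c2.bad.example.net IN A +E(0)K (10.20.30.1)
12-May-2019 10:02:11.001 client @0x7f3a1c 10.20.30.77#41002 (updates.example.org): query: updates.example.org IN AAAA +E(0)K (10.20.30.1)
12-May-2019 10:03:40.777 client @0x7f3a1c 10.20.30.41#53213 (bad.example.net): query: bad.example.net IN TXT + (10.20.30.1)
12-May-2019 10:05:09.250 client @0x7f3a1c 10.20.30.41#53214 (BAD.EXAMPLE.NET.): query: BAD.EXAMPLE.NET. IN A +E(0)K (10.20.30.1)
12-May-2019 10:06:00.000 client @0x7f3a1c 10.20.30.99#60000 (login.evil-phish.example.com): query: login.evil-phish.example.com IN A + (10.20.30.1)
garbage line that should be skipped
"""

# Constructed blocklist of zones. Any name at or under a listed zone counts as a hit,
# so "c2.bad.example.net" matches "bad.example.net".
BLOCKLIST = {"bad.example.net", "evil-phish.example.com"}

# Extracts the fields used here. The optional "@0x..." token is the client
# pointer that newer BIND versions print between "client" and the address.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.:a-fA-F]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare canonically."""
    return name.rstrip(".").lower()


def blocked_zone(qname: str, blocklist=BLOCKLIST):
    """Return the blocklisted zone that qname equals or sits under, else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line: str):
    """Parse one query-log line into its fields, or None if it does not match."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def assess(log_text: str, blocklist=BLOCKLIST, ban_threshold: int = 3):
    """Tally blocklist hits per client and map each offending client to an action.

    Policy (assumed for this example): a client with fewer than ban_threshold
    hits is notified; at or above the threshold it is banned.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone = blocked_zone(rec["qname"], blocklist)
        if zone:
            hits[rec["ip"]].append((rec["ts"], normalize(rec["qname"]), zone))
    actions = {ip: ("ban" if len(ev) >= ban_threshold else "notify") for ip, ev in hits.items()}
    return dict(hits), actions


if __name__ == "__main__":
    hits, actions = assess(SAMPLE_LOG)
    for ip, action in sorted(actions.items()):
        print(f"{ip}: {action} ({len(hits[ip])} blocklist hits)")
        for ts, qname, zone in hits[ip]:
            print(f"    {ts}  {qname}  (zone {zone})")
```

With the constructed log, 10.20.30.41 accumulates three hits under bad.example.net and is banned, 10.20.30.99 gets a single notification, and 10.20.30.77 never appears. The zone-suffix match and the case and trailing-dot normalisation matter in practice: a blocklist compared by exact string would miss "C2.BAD.EXAMPLE.NET." entirely. The approach also only sees what the campus resolver sees; a device that uses its own resolver, DNS over HTTPS, or a hard-coded IP address leaves no query in this log, which is why this kind of monitoring is usually paired with forcing or blocking outbound port 53 to other resolvers.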