I've published a two-part series of articles on the vaule to IT organizations of monitoring DNS traffic for suspicious activities. DNS traffic can reveal the existence of malware on hosts you manage, operational failures in your name resolution services, and even covert data exfiltration activities.
In Part I, Monitor DNS Traffic & You Just Might Catch A RAT, I describe six signs of suspicious activity to watch for in the DNS traffic flows. I explain why DNS is so obviously useful to criminals and what to look for in DNS query and response messages.
In Part II, 5 Ways To Monitor DNS Traffic For Security Threats, I describe how to implement real-time or offline traffic monitoring using common commercial or open source security products. There are _lots_ of ways to monitor DNS and while I literally pepper this column with links to documentation, case studies, and examples, I've barely scratched the surface. Happily, I've received constructive comments that metion other products, services, or methods so please take a moment to consider these, too.