Some time ago I had to research an alleged case of DNS interception in a somewhat hostile Windows environment. Part of the job was to sniff all DNS responses coming from the corresponding resolver with tools like Tshark/RawCap and verify whether they were legitimate or not. To do this check I basically used services like Whois, DoH (DNS over HTTPS), etc.
As a result of this case it occurred to me to create a simple tool that would allow me to automate this process so that I could visually analyze the DNS responses and reveal just those that could be potentially harmful. The result of this idea is: DNS Polygraph.
DNS Polygraph is developed in C# and relies on two libraries: the nice SharpPcap library by Chris Morgan and a cute DNS library I found on the Github of Mirza Kapetanovic. At first I opted to use raw sockets, but after doing some tests I realized that they had multiple limitations and performance issues. Because of this I came to the conclusion that it was more stable to rely on WinPcap for capturing the UDP packets.
The idea of DNS Polygraph is to show you in a datagrid each DNS response that your host receives (which the tool calls the "untrusted response") and to compare it with a response for the same name obtained from a trusted source over HTTPS. So for every DNS response that your host receives, the tool issues the same query over DoH. Currently you can choose between the Google DoH service and the Cloudflare one.
Both responses (trusted and untrusted) are compared and, if they do not match, different colors indicate the degree of relationship that exists between the two answers. For now, the criteria I have used are the following, applied in order:
- Check if both responses, trusted and untrusted, belong to the same /24 network.
- If not, check if both responses, trusted and untrusted, belong to the same /16 network.
- If not, perform a reverse DNS lookup on both responses and check whether the resulting names share the same second-level domain.
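The following is an added example, not code from DNS Polygraph (which is written in C#): it shows the two pieces described above in Python, namely extracting the A records from a DoH JSON answer (the shape returned by the Cloudflare and Google `dns-query` JSON endpoints) and then applying the matching criteria in the order listed: exact match, same /24, same /16, and finally a shared second-level domain obtained through reverse DNS. The DoH answer, the PTR table and the `fake_reverse_lookup` function are constructed for the example so that it runs offline; in a real run the reverse lookups would go to the resolver.

```python
import ipaddress
import json
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed sample in the JSON shape returned by the Cloudflare/Google DoH
# JSON endpoints (GET .../dns-query?name=<host>&type=A, accept: application/dns-json).
# Not a real capture.
SAMPLE_DOH_JSON = """{
  "Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, "CD": false,
  "Question": [{"name": "www.example.com.", "type": 1}],
  "Answer": [
    {"name": "www.example.com.", "type": 1, "TTL": 300, "data": "93.184.216.34"},
    {"name": "www.example.com.", "type": 1, "TTL": 300, "data": "93.184.216.35"}
  ]
}"""


def a_records_from_doh_json(body: str) -> Set[str]:
    """Return the A-record addresses of a DoH JSON answer (CNAME/AAAA records ignored)."""
    doc = json.loads(body)
    if doc.get("Status") != 0:  # non-zero RCODE: NXDOMAIN, SERVFAIL, ... -> nothing to compare
        return set()
    return {rr["data"] for rr in doc.get("Answer", []) if rr.get("type") == 1}


# Verdicts, strongest relationship first
EXACT, SAME_24, SAME_16, SAME_SLD, NO_MATCH = "exact", "same /24", "same /16", "same 2LD", "no match"


def same_network(a: str, b: str, prefix: int) -> bool:
    """True when both addresses fall in the same /prefix network."""
    return ipaddress.ip_network(f"{a}/{prefix}", strict=False) == \
           ipaddress.ip_network(f"{b}/{prefix}", strict=False)


def second_level_domain(fqdn: str) -> str:
    """Naive 2LD: the last two labels ('edge.cdn-example.net.' -> 'cdn-example.net').
    Caveat: wrong under public suffixes such as co.uk; use a Public Suffix List for those."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(untrusted: Iterable[str], trusted: Iterable[str],
             reverse_lookup: Callable[[str], Optional[str]]) -> str:
    """Apply the criteria in order: exact match, same /24, same /16, shared 2LD via PTR."""
    u, t = set(untrusted), set(trusted)
    if not u or not t:
        return NO_MATCH
    if u & t:
        return EXACT
    pairs = [(x, y) for x in u for y in t]
    if any(same_network(x, y, 24) for x, y in pairs):
        return SAME_24
    if any(same_network(x, y, 16) for x, y in pairs):
        return SAME_16
    # Last resort: reverse-resolve every address and compare the 2LDs of the PTR names
    u_sld = {second_level_domain(n) for n in map(reverse_lookup, u) if n}
    t_sld = {second_level_domain(n) for n in map(reverse_lookup, t) if n}
    if u_sld & t_sld:
        return SAME_SLD
    return NO_MATCH


# Constructed PTR table standing in for real reverse lookups (hypothetical names/addresses)
FAKE_PTR: Dict[str, str] = {
    "198.51.100.10": "edge-a.cdn-example.net.",
    "203.0.113.20": "edge-b.cdn-example.net.",
}


def fake_reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query; returns None when there is no reverse record."""
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    trusted = a_records_from_doh_json(SAMPLE_DOH_JSON)
    for sniffed in (["93.184.216.34"], ["93.184.216.200"], ["93.184.1.1"], ["192.0.2.1"]):
        print(sniffed, "->", classify(sniffed, trusted, fake_reverse_lookup))
    print(["198.51.100.10"], "->", classify(["198.51.100.10"], ["203.0.113.20"], fake_reverse_lookup))
```

Two caveats worth keeping in mind when reading the verdicts: large CDNs hand out different addresses depending on the resolver that asks, so a "no match" between the local resolver and Cloudflare or Google is a reason to look closer, not proof of interception; and the naive second-level-domain comparison misfires under public suffixes such as co.uk, where a Public Suffix List should be used instead.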