Thursday, September 12, 2013

Passive DNS with Tshark

Passive DNS is a useful monitoring technique for recording the relationships between domains and IP addresses. With this information we can identify fast-flux botnets that constantly update DNS with very low TTL values, find out where a domain name pointed in the past, see which domain names are hosted on a given IP, and so on.

I usually use pdnstool to query about a specific domain or IP as it allows me to choose multiple passive DNS databases (DNSParse, ISC, BFK, CERTEE). In the next example I query the BFK database to get information about spotssmalldor.com.

root@mordor:~# pdnstool -b spotssmalldor.com
source response_time query answer rrtype ttl firstseen lastseen count
BFK 0.707719847 spotssmalldor.com 37.153.192.72 A
BFK 0.707719847 spotssmalldor.com 42.121.84.12 A
BFK 0.707719847 spotssmalldor.com 95.87.1.19 A
BFK 0.707719847 spotssmalldor.com 111.93.115.216 A
BFK 0.707719847 spotssmalldor.com 140.116.72.75 A
BFK 0.707719847 spotssmalldor.com 223.30.27.251 A
BFK 0.707719847 spotssmalldor.com ns1.treesmustdownload.su NS
BFK 0.707719847 spotssmalldor.com ns1.checklistsseesmics.su NS
BFK 0.707719847 spotssmalldor.com ns1.boardsxmeta.com NS
BFK 0.707719847 spotssmalldor.com ns1.higherpricedan.com NS


There is no doubt that the information provided by this technique is really valuable for identifying different types of threats. But what if we want to implement our own passive DNS? Although there are many ways to accomplish this (for example with YaF and Mediator), I would like to explain a faster method that uses just the display filters of Tshark, with no need to install additional packages. Obviously, this is a very simplified version of a real passive DNS service.

So, if you have access to a DNS server or you can do port mirroring in a modest network, this can be useful:

peregrino@mordor:~$ tshark -i wlan0 -f "src port 53" -R "dns.flags.authoritative == 1" -n -T fields -e dns.qry.name -e dns.resp.addr -E occurrence=f
google.com               173.194.41.1
elpais.es                  91.216.63.241
upsa.es                  193.146.156.50

With this filter, Tshark records the authoritative DNS responses sent to clients, which gives the IP/domain association for each DNS query. You can check it with:

peregrino@mordor:~$ dig google.com NS +short | head -1
ns1.google.com.
peregrino@mordor:~$ dig google.com @ns1.google.com +short | head -1
173.194.41.1

To get more fields (for example the delta time), add another -e switch with the name of the field. If the traffic is high, remember that you can use the -b switch with the duration and files options to set up a ring buffer. This is a good way to avoid filling the entire hard disk with pcap files.

If the DNS traffic is not very high, you can simply redirect the output to a file and then use the sort command to get a list sorted by domain.

peregrino@mordor:~$ tshark -i wlan0 -f "src port 53" -R "dns.flags.authoritative == 1" -n -T fields -e dns.qry.name -e dns.resp.addr -E occurrence=f > /tmp/domains
Capturing on wlan0
....
peregrino@mordor:~$ sort -t $'\t' -uk 1 /tmp/domains
alsa.es 212.163.31.132
elpais.es 91.216.63.240
google.com 173.194.41.1
spotssmalldor.com 140.116.72.75  <---
spotssmalldor.com 223.30.27.251  <---
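
Going one step beyond the sorted list above, the following added example (not part of the original post) turns the capture into records with first seen, last seen and count, like the columns pdnstool prints, and lists the names that answered with several addresses. It assumes an extra -e frame.time_epoch placed first on the Tshark command line; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: aggregate Tshark field output into passive-DNS style records.
# Assumed input, tab-separated: epoch <TAB> query name <TAB> answer address
# (tshark ... -T fields -e frame.time_epoch -e dns.qry.name -e dns.resp.addr -E occurrence=f)

TAB=$(printf '\t')

# One line per (name, address): name, address, firstseen, lastseen, count.
pdns_aggregate() {
    awk -F '\t' '
        NF < 3 || $3 == "" { next }                  # response carried no address
        {
            name = tolower($2); sub(/\.$/, "", name) # DNS names are case-insensitive
            key = name "\t" $3
            ts = int($1)
            if (!(key in count) || ts < first[key]) first[key] = ts
            if (!(key in count) || ts > last[key])  last[key]  = ts
            count[key]++
        }
        END { for (k in count) printf "%s\t%d\t%d\t%d\n", k, first[k], last[k], count[k] }
    ' | LC_ALL=C sort -t "$TAB" -k1,1 -k2,2
}

# Names seen with at least $1 distinct addresses (default 2): name, address count.
# Several addresses alone do not prove fast-flux; it marks names worth a closer look.
pdns_multi_ip() {
    min=${1:-2}
    pdns_aggregate | cut -f1 | uniq -c |
        awk -v min="$min" '$1 >= min { print $2 "\t" $1 }'
}

# Constructed sample capture (documentation address ranges, invented timestamps).
pdns_sample() {
    printf '%s\t%s\t%s\n' \
        1378972800.10 static.example 192.0.2.10 \
        1378972860.55 flux.example   198.51.100.7 \
        1378972920.00 Flux.Example.  203.0.113.9 \
        1378973100.31 static.example 192.0.2.10 \
        1378973160.02 flux.example   198.51.100.7 \
        1378973200.00 noaddr.example ''
}

pdns_sample | pdns_aggregate
echo "--- names with 2 or more addresses ---"
pdns_sample | pdns_multi_ip 2
```

On a real capture, replace pdns_sample with the file written by Tshark, for example: pdns_multi_ip 3 < /tmp/domains.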

If you want to see more useful examples of using Tshark to deal with network security incidents, take a look at Instant Traffic Analysis with Tshark How-to.





