DNS in IR: Collection, Analysis and Response
Philip Martin
Who am I?
• Security Lead at Coinbase (I’m hiring…)
• Recovering software engineer
• Done other security stuff other places, almost entirely blue team
• @SecurityGuyPhil
Why care about DNS?
• DNS underpins everything, and everything leaves traces *or the absence of traces* in its use of DNS
• DNS is reasonably simple to log (and definitely much simpler than something like endpoint logs)
• Even so, DNS is rarely logged effectively and even more rarely analyzed to its full potential
• Even more rarely is DNS used effectively for response (internal sinkholing is awesome!)
Why care about DNS?
• 91.3% of malware uses DNS (2016 Cisco Security Report)
• 68% of companies don’t monitor DNS (2016 Cisco Security Report)
I’m convinced! I want to log DNS!
…
Umm, how do we do that?
First a note about names
• We frequently conflate Passive DNS and DNS Monitoring, but they actually aren’t the same thing.
• Passive DNS is a specific technique invented by Florian Weimer in 2004 that focuses on capturing the traffic between recursive and authoritative nameservers. The goal of Passive DNS is to rebuild an accurate picture of the global DNS database. It’s awesome, but we’re not going to talk about it today.
• DNS Monitoring, on the other hand, is the comprehensive logging of all DNS activity on a given network. This is what we’re going to talk about.
How do we collect DNS at scale?
• Collect at the border
• Collect at the resolver
• Collect on the endpoint
• Hybrid
• Tools:
  • Bro/Suricata/IDS
  • Gamelinux PassiveDNS
  • Native resolver logging
  • My thing
Where should we collect DNS?
Collect at the border
• Pros
  • You see all requests
  • Probably have spare capacity
• Cons
  • Might not see the true client
  • Can’t collect internal requests
  • Won’t see cached responses
Where should we collect DNS?
Collect at the resolver
• Pros
  • You see the true clients
  • You can see internal requests
• Cons
  • You need to worry about perf impact
  • You miss queries direct to external resolvers
Where should we collect DNS?
Collect at the endpoints
• Pros
  • You get data on and off network
• Cons
  • You need to worry about perf impact
  • You need to deal with data transport
  • You need to deal with deployment headaches
Where should we collect DNS?
Do it all
• Pros
  • You see everything
• Cons
  • You need to worry about perf impact
  • You need to worry about duplicate collection
  • You need to worry about deployment/collection
Collection Tools – Resolver logging
Resolver                | Logging capability  | Log format
------------------------|---------------------|----------------------------
Bind                    | Question only       | Text-based, semi-structured
Microsoft DNS 2012+ [2] | Question and answer | Text-based, semi-structured
Unbound                 | Question            | dnstap [1]
djbdns / dnscache       | Question            | Esoteric strings

[1] dnstap is a fairly new protobuf-based logging format, with support in Knot DNS and Unbound. It has yet to gather a ton of momentum among other systems, but it’s a good idea.
[2] Prior to Windows 2012, Windows DNS logging had huge performance issues during sustained use.
Collection Tools – IDSs
• Most modern IDSs have some kind of DNS logging system
  • (Snort is a notable exception)
• IDSs, however, are generally a border-only thing in most companies

IDS      | Logs DNS? | Format
---------|-----------|----------------
Snort    | No        | n/a
Suricata | Yes       | Structured text
Bro      | Yes       | Structured text
Collection Tools – Passive DNS logging
• Log DNS by sniffing network traffic and re-building the question/answer legs.
• Two standalone options:
  • passivedns – https://github.com/gamelinux/passivedns
  • gopassivedns – https://github.com/Phillipmartin/gopassivedns
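What "re-building the question/answer legs" looks like in practice, as an added example that is not code from passivedns, gopassivedns or the talk: a minimal parser that turns one DNS response in wire format (RFC 1035) into the kind of per-response log record a passive DNS logger emits. The byte string is hand-assembled for the example, not a capture.

```python
import struct
from dataclasses import dataclass, field

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}

# Hand-assembled response for "www.example.com IN A" carrying two A records (TTL 60).
# Constructed for this example; it is not a capture from any real network.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234"                                        # transaction ID
    "8180"                                        # flags: QR=1 RD=1 RA=1, RCODE=0
    "0001" "0002" "0000" "0000"                   # QDCOUNT ANCOUNT NSCOUNT ARCOUNT
    "03777777" "076578616d706c65" "03636f6d" "00"  # www.example.com (starts at offset 12)
    "0001" "0001"                                 # QTYPE=A QCLASS=IN
    "c00c" "0001" "0001" "0000003c" "0004" "c000020a"  # ptr->qname, A, IN, TTL 60, 192.0.2.10
    "c00c" "0001" "0001" "0000003c" "0004" "c000020b"  # ptr->qname, A, IN, TTL 60, 192.0.2.11
)


@dataclass
class DnsRecord:
    """One question/answer leg: the shape a passive DNS logger emits per response."""
    txid: int
    qname: str
    qtype: str
    rcode: str
    answers: list = field(default_factory=list)   # (rr_type, ttl, rdata_as_text)


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, offset_after_name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if not jumped:
                end = offset + 2                  # the name in the stream ends after the pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 32:                         # malformed packet: pointer loop
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)


def parse_response(msg: bytes) -> DnsRecord:
    """Turn one DNS response message into a question/answer log record."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    offset, qname, qtype = 12, "", "?"
    for _ in range(qdcount):
        qname, offset = read_name(msg, offset)
        qt, _qclass = struct.unpack_from("!HH", msg, offset)
        qtype, offset = RRTYPES.get(qt, str(qt)), offset + 4
    rec = DnsRecord(txid, qname, qtype, rcode)
    for _ in range(ancount):
        _owner, offset = read_name(msg, offset)
        rr_type, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rr_type == 1 and rdlen == 4:           # A record: dotted quad
            text = ".".join(str(b) for b in rdata)
        elif rr_type in (2, 5):                   # NS / CNAME: rdata is itself a compressible name
            text, _ = read_name(msg, offset)
        else:
            text = rdata.hex()                    # anything else: keep the raw bytes as hex
        rec.answers.append((RRTYPES.get(rr_type, str(rr_type)), ttl, text))
        offset += rdlen
    return rec


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
```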
Infrastructure
• Needs to support multiple clients submitting data
• Needs to support an intermediate enrichment step
• Needs to write to a data store that can handle both interactive search and batch calculation
For example:
Awesome, I have all the DNS data!
…
Umm, what can we do with all this data?
How do we make sense of it all?
• Enrichments (whois, RBLs, GeoIP, etc.)
• Analysis examples
• Detect fast-flux
• Detect tunneling
• Detect DGA
• Low-prevalence domains
Enrichments
• whois
  • Very useful for things like domain age and registrar reputation
• Blacklists
  • Great for reputation-based filters and investigations
  • Pull for both questions and answers
• GeoIP on returned IPs
• Add some pre-processed strings
  • Extract the registered domain from the query
  • Calculate English word presence
  • Query entropy / compressibility
Analysis – fast-flux
• Fast-flux domains rapidly switch IPs for the same domain in an effort to avoid easy IP-based blocking
• This, however, is blindingly obvious when viewing DNS logs, based on the number of IPs that a given domain resolves to and the generally low TTL of those lookups.
• You can frequently locate these hosts with a ‘unique IPs per domain’ count while excluding some obvious false positives like CDNs
Analysis – DNS Exfiltration/Tunneling
• Most DNS exfiltration/tunneling tools use a single domain and a large number of unique hostnames and responses to create a duplex channel
• This is where you need either a pre-computed ‘domain’ field or something like Spark.
• Try sorting by the number of unique hostnames per domain.
Analysis - DGA
• DGAs generally result in large numbers of NXDOMAIN responses for a client
• They may also result in highly entropic domain names
• Try searching for hosts with a large number of NXDOMAIN responses
Analysis – Low Prevalence Domains
• Prevalence is the number of unique clients that have looked up a domain in a given time.
• C2 domains (assuming an attacker is not using an established cloud service as a transport) should be relatively uncommon in your environment.
• Users also tend to go to a lot of random domains, and DNS prefetch doesn’t help matters. The usefulness will vary depending on your users and environment.
• Servers, on the other hand, shouldn’t have the user problem (and if they do, you have other problems).
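The four analyses above (fast-flux, tunneling, DGA, low prevalence) plus the entropy enrichment, run over a constructed set of per-response log records, as an added example that is not the speaker's code or any project's. It computes unique IPs per domain with a TTL ceiling, unique answered hostnames per domain, NXDOMAIN counts per client and distinct clients per domain, with the CDN allow-list the fast-flux slide calls for. The registered-domain extractor uses a three-entry suffix list as a stand-in for the Public Suffix List; all client addresses, names and thresholds are constructed.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict

# Short stand-in for the Public Suffix List; an assumption for this example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registered_domain(qname: str) -> str:
    """The pre-computed 'domain' field: the registrable part of a query name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; machine-generated labels score higher than words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def _scoped(records, ignore):
    """Yield (record, domain) pairs, skipping domains allow-listed as noise (CDNs etc.)."""
    for r in records:
        d = registered_domain(r["qname"])
        if d not in ignore:
            yield r, d


def fast_flux_candidates(records, min_unique_ips=5, max_ttl=300, ignore=frozenset()):
    """Domains that resolve to many distinct IPs, all with short TTLs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r, d in _scoped(records, ignore):
        if r["rcode"] == "NOERROR" and r["answers"]:
            ips[d].update(r["answers"])
            ttls[d].append(r["ttl"])
    return sorted(d for d in ips if len(ips[d]) >= min_unique_ips and max(ttls[d]) <= max_ttl)


def tunneling_candidates(records, min_unique_hosts=10, ignore=frozenset()):
    """Domains with an unusually large number of distinct, answered hostnames beneath them."""
    hosts = defaultdict(set)
    for r, d in _scoped(records, ignore):
        if r["rcode"] == "NOERROR":
            hosts[d].add(r["qname"])
    return sorted(d for d, h in hosts.items() if len(h) >= min_unique_hosts)


def dga_candidates(records, min_nxdomain=10, min_mean_entropy=0.0, ignore=frozenset()):
    """Clients with many NXDOMAIN responses; optionally require the failing labels to look random."""
    nx = defaultdict(list)
    for r, _d in _scoped(records, ignore):
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]].append(shannon_entropy(r["qname"].split(".")[0]))
    return sorted(c for c, e in nx.items()
                  if len(e) >= min_nxdomain and sum(e) / len(e) >= min_mean_entropy)


def low_prevalence_domains(records, max_clients=1, ignore=frozenset()):
    """Successfully resolved domains seen from very few distinct clients."""
    clients = defaultdict(set)
    for r, d in _scoped(records, ignore):
        if r["rcode"] == "NOERROR":
            clients[d].add(r["client"])
    return sorted(d for d, c in clients.items() if len(c) <= max_clients)


def constructed_records():
    """Synthetic per-response log records built for this example; not captured traffic."""
    def rec(client, qname, rcode, ttl, answers):
        return {"client": client, "qname": qname, "rcode": rcode, "ttl": ttl, "answers": answers}
    recs = []
    for i in range(1, 21):                  # 20 clients doing ordinary things, including a CDN
        recs.append(rec(f"10.0.0.{i}", "www.example.com", "NOERROR", 3600, ["192.0.2.10"]))
        recs.append(rec(f"10.0.0.{i}", f"asset{i}.example-cdn.net", "NOERROR", 30, [f"198.51.100.{i}"]))
    for i in range(1, 9):                   # fast-flux: one name, a different IP every short TTL
        recs.append(rec("10.0.0.5", "update.flux-example.test", "NOERROR", 60, [f"203.0.113.{i}"]))
    for i in range(12):                     # tunnel-style: many unique hostnames under one domain
        label = hashlib.sha256(f"tun{i}".encode()).hexdigest()[:32]
        recs.append(rec("10.0.0.7", f"{label}.tun-example.test", "NOERROR", 1, ["203.0.113.99"]))
    for i in range(15):                     # DGA-style: random-looking names that do not exist
        label = base64.b32encode(hashlib.sha256(f"dga{i}".encode()).digest()).decode().lower()[:20]
        recs.append(rec("10.0.0.9", f"{label}.dga-example.test", "NXDOMAIN", 0, []))
    return recs


if __name__ == "__main__":
    recs, cdn = constructed_records(), frozenset({"example-cdn.net"})
    print("fast-flux:", fast_flux_candidates(recs), "-> CDN excluded:", fast_flux_candidates(recs, ignore=cdn))
    print("tunneling:", tunneling_candidates(recs, ignore=cdn))
    print("dga clients:", dga_candidates(recs))
    print("low prevalence:", low_prevalence_domains(recs, ignore=cdn))
```

Without the allow-list the CDN shows up under both fast-flux and tunneling, which is exactly the false positive the slides describe.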
Analysis – Some other leads
• Which of your hosts have the most TXT lookups?
• Which domains have the most TXT lookups?
• Which of your hosts have the most NXDOMAIN responses?
• Which of your hosts do the most DNS lookups?
• Which domains are the least looked up if you exclude error responses?
• External IPs in netflow that don’t show up as a DNS answer?
Analysis – Common False Positives
• AV engines frequently use DNS for updates.
• Be careful of lookalikes, however:
Analysis – Common False Positives
• Some things, notably Tor and Chrome, attempt to detect local DNS hijacking by issuing requests for randomly generated domains at startup.
• Some browsers can issue very aggressive pre-fetch queries for partial domain names that the user never actually visited (e.g. a lookup for www.cn while the user was typing www.cnn.com).
• CDNs generally cause analysis issues because of their fairly random subdomains and generally high lookup volume, but they are fairly easy to filter out.
Ok, I’ve found the APTs. Now what?
• Because DNS is so central to networking, it’s also a great place to block things.
• Even more interestingly, it’s a great place to redirect things for further inspection.
• The primary method for doing this kind of blocking is a mechanism implemented by Bind called Response Policy Zones (RPZ)
• Much has been written about RPZ, which is sometimes also referred to as a “DNS Firewall”.
RPZ Explained
What is RPZ good for?
• RPZ is obviously useful for blocking domains.
• RPZ can also be used to redirect requests to transparent proxy servers for enhanced analysis, drop in a click-thru warning page (downloads.cnet.com perhaps?) or direct users to a remediation website.
• RPZ is FAST, especially if you’re using zone change notification.
RPZ Gotchas
• Unfortunately, RPZ is just another Bind zonefile, with all the configuration maintenance gotchas that come along with that.
• If you plug standard DNS block lists into RPZ, you’re going to have a bad time. (After the second time I blocked iTunes, I learned that lesson.)
• Always remember to update the zone serial number.
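An added example (not goRPZ or any Bind tooling) of generating the RPZ zone the two slides above describe from a small curated policy: the NXDOMAIN, NODATA and walled-garden redirect actions encoded as CNAME targets, wildcard triggers for subdomains, an allow-list check so a business-critical domain cannot be blocked by accident, and a serial that is bumped on every render. The zone, nameserver and warning-page names are assumptions.

```python
# Constructed policy for the example: a short, curated list rather than a bulk public block list.
POLICY = {
    "c2.bad-example.test": "nxdomain",          # client gets NXDOMAIN
    "analytics.bad-example.test": "nodata",     # name "exists" but has no records
    "downloads.bad-example.test": "redirect",   # client is steered to the warning page
}
WALLED_GARDEN = "warning.internal.example"      # assumed name of the click-thru warning host

# RPZ expresses an action as the CNAME target of the trigger name inside the policy zone:
#   CNAME .             -> NXDOMAIN         CNAME *.           -> NODATA
#   CNAME rpz-passthru. -> real answer      CNAME <some name>  -> hand out our own answer instead
ACTION_TARGET = {"nxdomain": ".", "nodata": "*.", "passthru": "rpz-passthru."}


def policy_target(action: str, walled_garden: str) -> str:
    """Map a policy action to the RPZ CNAME target that implements it."""
    if action == "redirect":
        return walled_garden.rstrip(".") + "."
    return ACTION_TARGET[action]        # a typo raises KeyError rather than publishing a bad rule


def check_against_allowlist(policy, allowlist):
    """Refuse to publish rules that block anything at or under an allow-listed domain."""
    for domain in policy:
        labels = domain.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in allowlist:
                raise ValueError(f"{domain} is covered by allow-listed {parent}")


def next_serial(previous: int, today_yyyymmdd: int) -> int:
    """YYYYMMDDnn-style serial that never goes backwards: bump within the day, else start today's."""
    return max(today_yyyymmdd * 100, previous + 1)


def render_rpz_zone(policy, previous_serial, today_yyyymmdd, allowlist=frozenset(),
                    zone="rpz.internal.example", ns="ns1.internal.example",
                    walled_garden=WALLED_GARDEN, include_subdomains=True):
    """Return (new_serial, zone_text). Zone and nameserver names are assumptions for the example."""
    check_against_allowlist(policy, allowlist)
    serial = next_serial(previous_serial, today_yyyymmdd)
    lines = [
        "$TTL 300",
        f"$ORIGIN {zone}.",
        f"@  IN SOA {ns}. hostmaster.{zone}. {serial} 3600 600 604800 300",
        f"@  IN NS  {ns}.",
    ]
    for domain in sorted(policy):           # owner names are relative to $ORIGIN, so no trailing dot
        target = policy_target(policy[domain], walled_garden)
        lines.append(f"{domain}  IN CNAME {target}")
        if include_subdomains:              # a wildcard trigger catches every name below the domain
            lines.append(f"*.{domain}  IN CNAME {target}")
    return serial, "\n".join(lines) + "\n"


if __name__ == "__main__":
    new_serial, text = render_rpz_zone(POLICY, previous_serial=2024031502, today_yyyymmdd=20240315)
    print(text)
```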
goRPZ
• This was going to be the coming out of my open source RESTful RPZ server…
• But it’s still in legal review, so not so much today
• Any day now, however, it will be up at https://www.github.com/Phillipmartin/gorpz
Questions?
More Related Content

What's hot

NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017APNIC
 
What You Need to Know - Domain Name System (DNS)
What You Need to Know - Domain Name System (DNS)What You Need to Know - Domain Name System (DNS)
What You Need to Know - Domain Name System (DNS)Wes Morgan
 
Spotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessSpotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessNick Barkas
 
Database_Cache Replacemnt Policies(Lyras)
Database_Cache Replacemnt Policies(Lyras)Database_Cache Replacemnt Policies(Lyras)
Database_Cache Replacemnt Policies(Lyras)Kostas Lyras
 
Clamdigging: Leveraging ClamAV for Malware Analysis and Detection
Clamdigging: Leveraging ClamAV for Malware Analysis and DetectionClamdigging: Leveraging ClamAV for Malware Analysis and Detection
Clamdigging: Leveraging ClamAV for Malware Analysis and Detectionmalwareforme
 
Spotify: Playing for millions, tuning for more
Spotify: Playing for millions, tuning for moreSpotify: Playing for millions, tuning for more
Spotify: Playing for millions, tuning for moreNick Barkas
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsAFRINIC
 
Re-Engineering the Root of the DNS
Re-Engineering the Root of the DNSRe-Engineering the Root of the DNS
Re-Engineering the Root of the DNSAPNIC
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeErik Krogen
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSAPNIC
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
[Lucas Films] Using a Perforce Proxy with Alternate Transports
[Lucas Films] Using a Perforce Proxy with Alternate Transports[Lucas Films] Using a Perforce Proxy with Alternate Transports
[Lucas Films] Using a Perforce Proxy with Alternate TransportsPerforce
 

What's hot (20)

Distributed "Web Scale" Systems
Distributed "Web Scale" SystemsDistributed "Web Scale" Systems
Distributed "Web Scale" Systems
 
Big data elasticsearch practical
Big data  elasticsearch practicalBig data  elasticsearch practical
Big data elasticsearch practical
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
DNSSEC Deployment for .VN and share information of DNSSEC's plan in 2017
 
What You Need to Know - Domain Name System (DNS)
What You Need to Know - Domain Name System (DNS)What You Need to Know - Domain Name System (DNS)
What You Need to Know - Domain Name System (DNS)
 
A study of our DNS full-resolvers
A study of our DNS full-resolversA study of our DNS full-resolvers
A study of our DNS full-resolvers
 
Spotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great SuccessSpotify: Horizontal Scalability for Great Success
Spotify: Horizontal Scalability for Great Success
 
Database_Cache Replacemnt Policies(Lyras)
Database_Cache Replacemnt Policies(Lyras)Database_Cache Replacemnt Policies(Lyras)
Database_Cache Replacemnt Policies(Lyras)
 
Clamdigging: Leveraging ClamAV for Malware Analysis and Detection
Clamdigging: Leveraging ClamAV for Malware Analysis and DetectionClamdigging: Leveraging ClamAV for Malware Analysis and Detection
Clamdigging: Leveraging ClamAV for Malware Analysis and Detection
 
SPDY Talk
SPDY TalkSPDY Talk
SPDY Talk
 
Spotify: behind the scenes
Spotify: behind the scenesSpotify: behind the scenes
Spotify: behind the scenes
 
Spotify: P2P music streaming
Spotify: P2P music streamingSpotify: P2P music streaming
Spotify: P2P music streaming
 
Spotify: Playing for millions, tuning for more
Spotify: Playing for millions, tuning for moreSpotify: Playing for millions, tuning for more
Spotify: Playing for millions, tuning for more
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
Dnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defsDnssec tutorial-crypto-defs
Dnssec tutorial-crypto-defs
 
Re-Engineering the Root of the DNS
Re-Engineering the Root of the DNSRe-Engineering the Root of the DNS
Re-Engineering the Root of the DNS
 
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby NodeHadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
Hadoop Meetup Jan 2019 - HDFS Scalability and Consistent Reads from Standby Node
 
IETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNSIETF 100: A signalling mechanism for trusted keys in the DNS
IETF 100: A signalling mechanism for trusted keys in the DNS
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
[Lucas Films] Using a Perforce Proxy with Alternate Transports
[Lucas Films] Using a Perforce Proxy with Alternate Transports[Lucas Films] Using a Perforce Proxy with Alternate Transports
[Lucas Films] Using a Perforce Proxy with Alternate Transports
 

Similar to DNS in IR: Collection, Analysis and Response

DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSAPNIC
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS OpennessAPNIC
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentAPNIC
 
DNS Openness
DNS OpennessDNS Openness
DNS OpennessAPNIC
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptxDafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptxAlfredObia1
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS MeasurementsAFRINIC
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...Yankmo
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS EvolutionAPNIC
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesAPNIC
 

Similar to DNS in IR: Collection, Analysis and Response (20)

DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNSDINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
DINR 2021 Virtual Workshop: Passive vs Active Measurements in the DNS
 
NANOG 84: DNS Openness
NANOG 84: DNS OpennessNANOG 84: DNS Openness
NANOG 84: DNS Openness
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS Queries
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
Technical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC DeploymentTechnical and Business Considerations for DNSSEC Deployment
Technical and Business Considerations for DNSSEC Deployment
 
DNS Openness
DNS OpennessDNS Openness
DNS Openness
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptxDafgjgghhghfhjgghjhgy06-Footprinting.pptx
Dafgjgghhghfhjgghjhgy06-Footprinting.pptx
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
 
Subdomain Enumeration
Subdomain EnumerationSubdomain Enumeration
Subdomain Enumeration
 
DNS
DNSDNS
DNS
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
NANOG 82: DNS Evolution
NANOG 82: DNS EvolutionNANOG 82: DNS Evolution
NANOG 82: DNS Evolution
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
ION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSECION Islamabad - Deploying DNSSEC
ION Islamabad - Deploying DNSSEC
 
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenchesInternet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
Internet Week 2018: 1.1.1.0/24 A report from the (anycast) trenches
 

Recently uploaded

A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 

Recently uploaded (20)

A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 

DNS in IR: Collection, Analysis and Response

  • 1. DNS in IR: Collection, Analysis and Response Philip Martin
  • 2. Who am I? • Security Lead at Coinbase (I’m hiring…) • Recovering software engineer • Done other security stuff other places, almost entirely blue team • @SecurityGuyPhil
  • 3. Why care about DNS? • DNS underpins everything and everything leaves traces *or the absence of traces* in it’s use of DNS • DNS is reasonably simple to log (and definitely much simpler than something like endpoint logs) • Even so, DNS is rarely logged effectively and even more rarely analyzed to it’s full potential • Even more rarely is DNS used effectively for response (internal sinkholing is awesome!)
  • 4. Why care about DNS? • 91.3% of malware uses DNS (2016 Cisco Security Report) • 68% of companies don’t monitor DNS (2016 Cisco Security Report)
  • 5. I’m convinced! I want to log DNS! … Umm, how do we do that?
  • 6. First a note about names • We frequently conflate Passive DNS and DNS Monitoring, but they actually aren’t the same thing. • Passive DNS is a specific technique invented by Florian Weimer in 2004 that focuses on capturing between recursive and authoritative nameservers. The goal of Passive DNS is to rebuild an accurate picture of the global DNS database. It’s awesome, but we’re not going to talk about it today. • DNS Monitoring, on the other hand, is the comprehensive logging of all DNS activity on a given network. This is what we’re going to talk about.
  • 7. How do we collect DNS at scale? • Collect at the border • Collect at the resolver • Collect on the endpoint • Hybrid • Tools: • Bro/suricata/ids • Gamelinuix PassiveDNS • Native resolver logging • My thing
  • 8. Where should we collect DNS? Collect at the border • Pros • You see all requests • Probably have spare capacity • Cons • Might not see the true client • Can’t collect internal requests • Won’t see cached responses
• 9. Where should we collect DNS? Collect at the resolver
  • Pros
    • You see the true clients
    • You can see internal requests
  • Cons
    • You need to worry about performance impact
    • You miss queries sent directly to external resolvers
• 10. Where should we collect DNS? Collect at the endpoints
  • Pros
    • You get data on and off the network
  • Cons
    • You need to worry about performance impact
    • You need to deal with data transport
    • You need to deal with deployment headaches
• 11. Where should we collect DNS? Do it all
  • Pros
    • You see everything
  • Cons
    • You need to worry about performance impact
    • You need to worry about duplicate collection
    • You need to worry about deployment/collection
• 12. Collection Tools – Resolver logging
  Resolver              Logging capability     Log format
  BIND                  Question only          Text-based, semi-structured
  Microsoft DNS (2012+) [2]   Question and answer    Text-based, semi-structured
  Unbound               Question               dnstap [1]
  djbdns / dnscache     Question               Esoteric strings
  [1] dnstap is a fairly new protobuf-based logging format, with support in Knot DNS and Unbound. It has yet to gather a ton of momentum among other systems, but it’s a good idea.
  [2] Prior to Windows Server 2012, Windows DNS logging had huge performance issues during sustained use.
• 13. Collection Tools – IDSs
  • Most modern IDSs have some kind of DNS logging system
    • (Snort is a notable exception)
  • IDSs, however, are generally a border-only thing in most companies
  IDS        Logs DNS?   Format
  Snort      No          n/a
  Suricata   Yes         Structured text
  Bro        Yes         Structured text
• 14. Collection Tools – Passive DNS logging
  • Log DNS by sniffing network traffic and re-building the question/answer legs.
  • 2 standalone options:
    • passivedns – https://github.com/gamelinux/passivedns
    • gopassivedns – https://github.com/Phillipmartin/gopassivedns
• 15. Infrastructure
  • Needs to support multiple clients submitting data
  • Needs to support an intermediate enrichment step
  • Needs to write to a data store that can handle both interactive search and batch calculation
  For example:
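To make the "sniff and rebuild the legs" step concrete, here is a small Python example added for this page; it is not code from the deck and not how passivedns or gopassivedns are implemented. It parses a raw DNS message, follows name-compression pointers, and joins each response to the outstanding query by client, server, transaction ID and question name. The query and response packets, the addresses and the transaction ID are constructed inline rather than captured.

```python
"""Rebuild DNS question/answer legs from raw messages (added example, not
the deck's or passivedns/gopassivedns code). Packets are constructed."""
import struct

QTYPE = {1: "A", 5: "CNAME", 16: "TXT", 28: "AAAA"}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4) at off.
    Returns (name, offset just past the name in the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                    # compression pointer
            target = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off, hops = target, hops + 1
            if hops > 64:                              # hostile packets can loop pointers
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns(msg):
    """Header, question section and answer section of one DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, QTYPE.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == 5:
            value = read_name(msg, off)[0]             # CNAME target may be compressed too
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((name, QTYPE.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "questions": questions, "answers": answers}


class LegJoiner:
    """Pair each response with its outstanding query. The key carries client,
    server, transaction ID and qname, so a stray or spoofed response with a
    matching ID but a different question is reported as unmatched rather
    than being credited to the wrong leg."""

    def __init__(self):
        self.pending = {}

    def observe(self, src, dst, ts, msg):
        rec = parse_dns(msg)
        qname, qtype = rec["questions"][0] if rec["questions"] else ("", "")
        if not rec["is_response"]:
            self.pending[(src, dst, rec["id"], qname)] = ts
            return None
        sent = self.pending.pop((dst, src, rec["id"], qname), None)
        if sent is None:
            return None                                # unmatched response: log separately
        return {"ts": ts, "client": dst, "resolver": src, "qname": qname,
                "qtype": qtype, "rcode": rec["rcode"], "latency": ts - sent,
                "answers": rec["answers"]}


# Constructed packets: an A query and a CNAME+A response that uses compression.
def encode_name(name):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"

def _ptr(offset):
    return struct.pack("!H", 0xC000 | offset)

_question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
_cname = encode_name("edge.example.net")
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _question
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _question
            + _ptr(12) + struct.pack("!HHIH", 5, 1, 60, len(_cname)) + _cname
            + _ptr(12 + len(_question) + 12)           # A owner name = the CNAME rdata
            + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([93, 184, 216, 34]))

if __name__ == "__main__":
    joiner = LegJoiner()
    joiner.observe("10.0.0.5", "10.0.0.53", 100.00, QUERY)
    print(joiner.observe("10.0.0.53", "10.0.0.5", 100.02, RESPONSE))
```

The join key is deliberately stricter than the transaction ID alone: a response with no matching query (spoofed, or answering a query that left by a path you do not see) comes back as unmatched, which is itself worth logging rather than dropping.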
  • 16. Awesome, I have all the DNS data! … Umm, what can we do with all this data?
• 17. How do we make sense of it all?
  • Enrichments (whois, RBLs, GeoIP, etc.)
  • Analysis examples
    • Detect fast-flux
    • Detect tunneling
    • Detect DGA
    • Low-prevalence domains
• 18. Enrichments
  • whois
    • Very useful for things like domain age and registrar reputation.
  • Blacklists
    • Great for reputation-based filters and investigations
    • Pull for questions and answers
  • GeoIP on returned IPs
  • Add some pre-processed strings
    • extracting the domain from the query
    • calculating English word presence
    • query entropy / compressibility
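An added Python example (not the deck's code) of the pre-processed fields: the registered domain is split off with a suffix list, then entropy, zlib compressibility and dictionary-word coverage are computed on the interesting label, and the question and the answers are checked against blocklists and a GeoIP table. The suffix list, word list, blocklists and GeoIP table are tiny constructed stand-ins for the Public Suffix List, a dictionary and your real feeds; the record layout is an assumption.

```python
"""Enrichment fields for one DNS log record (added example, not the deck's
code). All reference data here is a constructed stand-in for real feeds."""
import math
import zlib

PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk"}              # constructed subset
ENGLISH_WORDS = {"www", "mail", "update", "secure", "login", "cdn",
                 "static", "api", "download", "edge"}                 # constructed subset
DOMAIN_BLOCKLIST = {"evil-example.com"}                               # constructed
IP_BLOCKLIST = {"198.51.100.7"}                                       # constructed
GEOIP = {"93.184.216.": "US", "198.51.100.": "ZZ"}                    # constructed /24 -> country


def registered_domain(qname):
    """'a.b.example.co.uk' -> 'example.co.uk' (longest public suffix wins)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; random-looking labels sit well above dictionary ones."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def compression_ratio(s):
    """compressed/raw length. Compare within a population of similar-length
    labels: zlib framing makes every very short string look incompressible."""
    raw = s.encode()
    return len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0


def english_word_ratio(label):
    """Fraction of the label covered by dictionary words (greedy longest match)."""
    covered, i = 0, 0
    while i < len(label):
        for j in range(len(label), i, -1):
            if label[i:j] in ENGLISH_WORDS:
                covered += j - i
                i = j
                break
        else:
            i += 1
    return covered / len(label) if label else 0.0


def geoip(ip):
    return next((cc for prefix, cc in GEOIP.items() if ip.startswith(prefix)), "??")


def enrich(record):
    """record: {'qname': str, 'answers': [ip, ...]} -> record plus enrichment.
    The string statistics are taken over the subdomain part when there is one
    (tunnel payload lives there) and over the second-level label otherwise
    (DGA-style names live there)."""
    host = record["qname"].lower().rstrip(".")
    domain = registered_domain(host)
    sub = host[:-len(domain)].rstrip(".") if host.endswith("." + domain) else ""
    label = sub.replace(".", "") if sub else domain.split(".")[0]
    return {**record,
            "domain": domain,
            "subdomain": sub,
            "entropy": round(shannon_entropy(label), 3),
            "compress_ratio": round(compression_ratio(label), 3),
            "english_ratio": round(english_word_ratio(label), 3),
            "listed_domain": domain in DOMAIN_BLOCKLIST,                  # question side
            "listed_answer": any(ip in IP_BLOCKLIST for ip in record["answers"]),  # answer side
            "answer_geo": sorted({geoip(ip) for ip in record["answers"]})}


if __name__ == "__main__":
    print(enrich({"qname": "x7f2k9q.evil-example.com.", "answers": ["198.51.100.7"]}))
```

Computing these once at ingest, rather than in every query, is what makes the later "sort by unique hostnames per domain" and "hosts with high-entropy lookups" searches cheap.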
• 19. Analysis – fast-flux
  • Fast-flux domains rapidly switch IPs for the same domain in an effort to avoid easy IP-based blocking.
  • This, however, is blindingly obvious when viewing DNS logs, based on the number of IPs that a given domain resolves to and the generally low TTL of those lookups.
  • You can frequently locate these hosts with a ‘unique IPs per domain’ count while excluding some obvious false positives like CDNs.
• 20. Analysis – DNS Exfiltration/Tunneling
  • Most DNS exfiltration/tunneling tools use a single domain and a large number of unique hostnames and responses to create a duplex channel.
  • This is where you need either a pre-computed ‘domain’ field or something like Spark.
  • Try sorting by the number of unique hostnames per domain.
• 21. Analysis – DGA
  • DGAs generally result in large numbers of NXDOMAIN responses for a client.
  • They may also result in highly entropic domain names.
  • Try searching for hosts with a large number of NXDOMAIN responses.
• 22. Analysis – Low Prevalence Domains
  • Prevalence is the number of unique clients that have looked up a domain in a given time.
  • C2 domains (assuming an attacker is not using an established cloud service as a transport) should be relatively uncommon in your environment.
  • Users also tend to go to a lot of random domains, and DNS prefetch doesn’t help matters. The usefulness will vary depending on your users and environment.
  • Servers, on the other hand, shouldn’t have the user problem (and if they do, you have other problems).
• 23. Analysis – Some other leads
  • Which of your hosts have the most TXT lookups?
  • Which domains have the most TXT lookups?
  • Which of your hosts have the most NXDOMAIN responses?
  • Which of your hosts do the most DNS lookups?
  • Which domains are the least looked up if you exclude error responses?
  • External IPs in netflow that don’t show up as a DNS answer?
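The four analyses on slides 19 to 22 and the leads on slide 23, run over constructed records as an added Python example (not the deck's code or any tool's output format): each record already carries the pre-computed `domain` field the tunneling slide calls for. Thresholds, the CDN allow-list, addresses and names are made up for the example and need tuning for a real environment.

```python
"""Detection passes over DNS records that already carry the pre-computed
'domain' field (added example, not the deck's code). Records, thresholds
and field names are constructed for illustration."""
from collections import Counter, defaultdict
from statistics import median

CDN_DOMAINS = {"akamaiedge.net", "cloudfront.net"}     # constructed allow-list; tune per estate


def rec(ts, client, qname, domain, rcode="NOERROR", qtype="A", answers=()):
    return {"ts": ts, "client": client, "qname": qname, "domain": domain,
            "rcode": rcode, "qtype": qtype, "answers": list(answers)}


LOG = []
for i, c in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):          # ordinary browsing
    LOG.append(rec(i, c, "www.example.com", "example.com", answers=[("93.184.216.34", 3600)]))
for i in range(8):                                     # fast-flux: new IP every minute, TTL 60
    LOG.append(rec(100 + 60 * i, "10.0.0.5", "cdn.flux-example.net", "flux-example.net",
                   answers=[(f"203.0.113.{i}", 60)]))
for i in range(40):                                    # tunnel: 40 unique hostnames, all TXT
    LOG.append(rec(200 + i, "10.0.0.6", f"{i:08x}.t.tunnel-example.org",
                   "tunnel-example.org", qtype="TXT"))
for i in range(30):                                    # DGA: 30 NXDOMAINs from one host
    LOG.append(rec(300 + i, "10.0.0.7", f"q{i:02d}xkz.io", f"q{i:02d}xkz.io", rcode="NXDOMAIN"))
for name in ["qzhtrwk", "lmnbvcxz", "yuiopasd"]:       # Chrome-style single-label startup probes
    LOG.append(rec(400, "10.0.0.5", name, name, rcode="NXDOMAIN"))
LOG.append(rec(401, "10.0.0.5", "www.cn", "www.cn", rcode="NXDOMAIN"))   # prefetch of a half-typed name
LOG.append(rec(500, "10.0.0.7", "c2.rare-example.com", "rare-example.com",
               answers=[("198.51.100.7", 300)]))       # seen by a single client


def fast_flux(log, min_ips=5, max_ttl=300):
    """Domains resolving to many distinct IPs with short TTLs, CDNs excluded."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in log:
        if r["rcode"] != "NOERROR" or r["domain"] in CDN_DOMAINS:
            continue
        for ip, ttl in r["answers"]:
            ips[r["domain"]].add(ip)
            ttls[r["domain"]].append(ttl)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and median(ttls[d]) <= max_ttl)


def tunneling(log, min_hosts=25):
    """Domains with an unusually large number of distinct hostnames beneath them."""
    hosts = defaultdict(set)
    for r in log:
        if r["domain"] not in CDN_DOMAINS:
            hosts[r["domain"]].add(r["qname"].lower())
    return sorted((d, len(h)) for d, h in hosts.items() if len(h) >= min_hosts)


def dga_clients(log, min_nx=20):
    """Clients with many NXDOMAIN answers. Single-label names are skipped:
    browser hijack-detection probes look like that, real DGA names carry a TLD."""
    nx = Counter(r["client"] for r in log
                 if r["rcode"] == "NXDOMAIN" and "." in r["qname"].strip("."))
    return sorted((c, n) for c, n in nx.items() if n >= min_nx)


def low_prevalence(log, max_clients=1, scope=lambda r: True):
    """Domains successfully resolved by at most max_clients distinct clients.
    Pass scope=lambda r: r['client'].startswith('10.1.') (or similar) to
    restrict the pass to server subnets, where the signal is much cleaner."""
    clients = defaultdict(set)
    for r in log:
        if r["rcode"] == "NOERROR" and scope(r):
            clients[r["domain"]].add(r["client"])
    return sorted(d for d, c in clients.items() if len(c) <= max_clients)


def count_by(log, field, where=lambda r: True, top=5):
    """Generic lead finder, e.g. count_by(LOG, 'client', lambda r: r['qtype'] == 'TXT')
    answers 'which of my hosts do the most TXT lookups'."""
    return Counter(r[field] for r in log if where(r)).most_common(top)


if __name__ == "__main__":
    print(fast_flux(LOG), tunneling(LOG), dga_clients(LOG), low_prevalence(LOG))
    print(count_by(LOG, "client", lambda r: r["rcode"] == "NXDOMAIN"))
```

Note that the prevalence pass flags the flux and tunnel domains too, simply because one client used each; on a user network that list is long, which is the deck's point about scoping it to servers.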
• 24. Analysis – Common False Positives
  • AV engines frequently use DNS for updates.
  • Be careful of lookalikes, however:
• 25. Analysis – Common False Positives
  • Some things, notably Tor and Chrome, attempt to detect local DNS hijacking by issuing requests for randomly generated domains at startup.
  • Some browsers can issue very aggressive pre-fetch queries for partial domain names that the user never actually visited (e.g. a lookup for www.cn while the user was typing www.cnn.com).
  • CDNs generally cause analysis issues because of their fairly random subdomains and generally high lookup volume, but they are fairly easy to filter out.
• 27. Ok, I’ve found the APTs. Now what?
  • Because DNS is so central to networking, it’s also a great place to block things.
  • Even more interestingly, it’s a great place to redirect things for further inspection.
  • The primary method for doing this kind of blocking is a mechanism implemented by BIND called Response Policy Zones (RPZ).
  • Much has been written about RPZ, sometimes also referring to it as a “DNS Firewall”.
• 29. What is RPZ good for?
  • RPZ is obviously useful for blocking domains.
  • RPZ can also be used to redirect requests to transparent proxy servers for enhanced analysis, drop in a click-thru warning page (downloads.cnet.com perhaps?) or direct users to a remediation website.
  • RPZ is FAST, especially if you’re using zone change notification.
• 30. RPZ Gotchas
  • Unfortunately, RPZ is just another BIND zone file, with all the configuration maintenance gotchas that come along with that.
  • If you plug standard DNS block lists into RPZ, you’re going to have a bad time. (After the second time I blocked iTunes, I learned that lesson.)
  • Always remember to update the zone serial number.
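As an added Python example (not the deck's code and not goRPZ), a generator for the RPZ zone file: the standard RPZ actions, a redirect to a sinkhole or inspection proxy, the serial bump the gotchas slide insists on, and a never-block list that keeps a raw public feed from taking out something like iTunes. The zone name `rpz.local`, the file path, the sinkhole address and the rule list are assumptions.

```python
"""Generate a BIND Response Policy Zone from a rule list (added example,
not the deck's code and not goRPZ). Zone name, path, sinkhole address and
the rules are assumptions for the example."""
from datetime import date

# Standard RPZ actions, expressed as the special CNAME targets the spec defines.
RPZ_ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata": "CNAME *.",               # answer NODATA
    "drop": "CNAME rpz-drop.",          # silently drop the query
    "passthru": "CNAME rpz-passthru.",  # exempt the name from policy
}

# The resolver side: enable the policy zone and keep clients from querying it directly.
NAMED_CONF_SNIPPET = """\
options {
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { localhost; };
};
"""


def next_serial(current, today=None):
    """YYYYMMDDnn serials. The new serial must exceed the old one, or BIND and
    any secondaries fed by NOTIFY keep serving the stale policy."""
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100
    return max(base + 1, current + 1)


def rpz_records(name, action, target=None):
    """Owner names are relative to the zone, so no trailing dot. The wildcard
    line is what catches subdomains; a bare entry on its own does not."""
    rr = f"A {target}" if action == "redirect" else RPZ_ACTIONS[action]
    return [f"{name}\t{rr}", f"*.{name}\t{rr}"]


def build_rpz_zone(entries, serial, never_block=()):
    """entries: (domain, action, target) triples. Anything on or under a
    never_block domain is skipped and reported, which is the guard against
    feeding a raw public block list straight into your resolver."""
    never = {d.lower().rstrip(".") for d in never_block}
    lines = ["$TTL 60",
             f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 600 604800 60 )",
             "@ IN NS localhost."]
    skipped = []
    for domain, action, target in entries:
        d = domain.lower().rstrip(".")
        if any(d == n or d.endswith("." + n) for n in never):
            skipped.append(d)
            continue
        lines += rpz_records(d, action, target)
    return "\n".join(lines) + "\n", skipped


if __name__ == "__main__":
    rules = [("evil-example.com", "nxdomain", None),
             ("beacon-example.net", "redirect", "10.9.9.9"),   # send to an inspection proxy
             ("itunes.apple.com", "nxdomain", None)]           # the kind of entry a sloppy feed carries
    zone, skipped = build_rpz_zone(rules, next_serial(2016050301, date(2016, 5, 4)),
                                   never_block=["apple.com"])
    print(zone, "skipped:", skipped)
```

After writing the file, reload the zone on the primary (`rndc reload rpz.local`) and let NOTIFY push it to the other resolvers. If the serial did not increase, BIND logs a warning that the serial is unchanged and the secondaries never pull the new policy, so the bump belongs in the generator rather than in someone's memory.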
• 31. goRPZ
  • This was going to be the coming-out of my open source RESTful RPZ server…
  • But it’s still in legal review, so not so much today.
  • Any day now, however, it will be up at https://www.github.com/Phillipmartin/gorpz