
Passive DNS for Network Threat Detection

The document discusses how passive DNS data can be used to uncover network and server parasites. Passive DNS databases record DNS queries and responses over time, allowing analysis of domain to IP mappings to find names that don't belong within an organization's address space. Querying passive DNS data for a specific IP range shows which domain names were associated with those IP addresses, detecting potential internal abuse or botnet command and control servers. Precise querying allows focusing on recently active names or those active during a specific time period.


Using Passive DNS
To uncover Network and Server Parasites

• 2nd IIA/ISACA Hacking Conference
• October 27th, 2015

Alan Clegg
Farsight Security, Inc
alan@[Link] / clegg@[Link]
919-355-8851
Using Passive DNS
To Uncover Network and Server Parasites

Alan Clegg
Farsight Security, Inc.
DNS
• Domain Name Service
• Database that provides mapping
  • Names to addresses
    [Link] —> [Link]
  • Addresses to names
• Additional infrastructure
DNS Data
• DNS stores multiple record types:
  • Address, IPv4 and IPv6: A and AAAA
  • Nameservers: NS
  • Mail Exchangers: MX
  • And others…
DNS
• Distributed service with Data Owners
  • Authoritative Servers
• Data Consumers
  • Clients
• And Middlemen
  • Recursive (Caching) Servers

DNS
[Diagram: Client, Recursive Server, Authoritative Server; cache hit: the recursive server answers the client from its cache]

DNS
[Diagram: Client, Recursive Server, Authoritative Server; cache miss: the recursive server must ask the authoritative server before answering]

pDNS
[Diagram: the same Client, Recursive Server and Authoritative Server, with a pDNS collection point feeding a pDNS Database]

pDNS
[Diagram, repeated twice in the deck: same topology; the last copy adds a "PII" label beside the Client]
pDNS
• Farsight’s DNSDB began collection in 2010
• Currently holds over 13 Billion labels
• Data stored includes
  • Label, Type, Resource Record Data
  • First time seen, last time seen
• Searchable on Label and Resource Record Data

What does this mean?
Internal Abuse
• Corporate and educational networks
  • High bandwidth, low latency
• Abused by insiders
  • “It’s not used much at night”
  • “There’s plenty to go around”
  • “I work hard, I deserve this”

Internal Abuse
• Abuser aims external name into high speed address space
• Abuser’s web server, game server, file sharing service, etc. runs on the machine “inside”
• Computer may be outside of corporate maintenance
  • Vulnerable to compromise
Botnet C&C
• Early bots used hard coded IP addresses
  • Immobile
  • Easy to block, easy to locate
• Newer bots use DNS names
  • Constantly in motion
  • Difficult to block, hard to find “current” location
How do we cope?
• This is invisible from the owner’s DNS perspective
  • The DNS names are controlled by the abuser
• Passive DNS sees the label and IP address
  • Search across the address space
  • See if there are names that don’t match the owner namespace
[DNSDB query output for the address space: 36 A records, one per line, each of the form
[Link]. A [Link]
with the names and addresses redacted in this copy.]
bailiwick [Link].

count 10

first seen 2012-01-15 [Link] -0000

last seen 2012-02-23 [Link] -0000

[Link]. A [Link]

• This is a problem
• But, this is an old problem
  • It hasn’t (as far as we know) recurred
• Should we still follow up?
  • Yes, within reason
  • DNSDB allows us to see the full history


Domain Name: [Link]

Domain Create Date: 31-Oct-2008 [Link] UTC

Domain Last Updated Date: 04-Aug-2014 [Link] UTC

Domain Expiration Date: 31-Oct-2016 [Link] UTC

[…]

Registrant Name: Registration Private

Registrant Organization: Domains By Proxy, LLC

Registrant Address: [Link]

• It’s been around since 2008
• That means it was active before it appeared on our network
• And it lives on…

[Link]
Reality Check
• A heavily populated IPv4 address
• Are all of the names related to the owner of the address space?
• How much of this is current?
Reality Check
• Perhaps a different interface would help
• I’m only interested in records seen in the last 30 days

aclegg$ dnsdb_query.py -i [Link] --after=30d

Query sent: [Link] [Link]?time_last_after=-2592000

[Link]. IN A [Link]

• Only the 1 label above has been “active” in the given time period
Reality Check
• Expanding to the entire /24 CIDR block but only those active in the last 30 days:

aclegg$ dnsdb_query.py -i [Link]/24 --after=30d

Query sent: [Link] time_last_after=-2592000

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]

[Link]. IN A [Link]
Reality Check
• Show the names within the CIDR block that were visible only during a certain period (the 30 day period between 90 days ago and 120 days ago):

aclegg$ dnsdb_query.py -i [Link]/24 --before=90d --after=120d

Query sent: [Link] time_first_after=-10368000&time_last_before=-7776000


[Link]. IN A [Link]

[Link]. IN A [Link]
Reality Check
• The same query, with JSON output (-j) showing the stored fields: count, first seen, last seen, type, name and data:

aclegg$ dnsdb_query.py -ji [Link]/24 --before=90d --after=120d

Query sent: [Link] time_first_after=-10368000&time_last_before=-7776000

{"count": 2, "time_first": 1436491506, "rrtype": "A", "rrname": "[Link].", "rdata": "[Link]", "time_last": 1436491506}

{"count": 2, "time_first": 1437658191, "rrtype": "A", "rrname": "[Link].", "rdata": "[Link]", "time_last": 1437658191}
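The workflow the deck walks through (search the address space, keep only the names active in a time window, flag the ones that do not belong to the owner's namespace) as an added, self-contained example. This is not code from the slides or from Farsight's dnsdb_query.py: it reproduces the time_last_after / time_first_after / time_last_before query strings shown above and then evaluates the same filter locally over a handful of constructed DNSDB-style JSON records. The records, the fixed "now" epoch (2015-10-27, the talk date), the RFC 5737 address ranges and the owner zone list are all assumptions made for the example.

```python
"""Passive-DNS hunt over DNSDB-style JSON records (added example).

Constructed sample data, not slide content: names, addresses and epochs are
invented; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
"""
import ipaddress
import json
import re

# One JSON object per line, with the fields the deck's -j output shows
# (count, time_first, rrtype, rrname, rdata, time_last).
SAMPLE_RECORDS = """\
{"count": 10, "time_first": 1326585600, "rrtype": "A", "rrname": "www.example.com.", "rdata": "203.0.113.10", "time_last": 1444348800}
{"count": 3, "time_first": 1444176000, "rrtype": "A", "rrname": "mail.example.com.", "rdata": "203.0.113.25", "time_last": 1444867200}
{"count": 2, "time_first": 1436491506, "rrtype": "A", "rrname": "cdn.example.com.", "rdata": "203.0.113.77", "time_last": 1436491506}
{"count": 7, "time_first": 1436000000, "rrtype": "A", "rrname": "fileshare.dyn-host.example.", "rdata": "203.0.113.200", "time_last": 1444780800}
{"count": 1, "time_first": 1327276800, "rrtype": "A", "rrname": "game.party.example.", "rdata": "203.0.113.44", "time_last": 1330041600}
{"count": 2, "time_first": 1437658191, "rrtype": "A", "rrname": "srv1.unknown-host.example.", "rdata": "203.0.113.99", "time_last": 1437658191}
{"count": 5, "time_first": 1444000000, "rrtype": "A", "rrname": "www.example.com.", "rdata": "198.51.100.7", "time_last": 1444500000}
"""

# Fixed "now" so the results are reproducible: 2015-10-27 00:00:00 UTC (assumed).
NOW = 1445904000

_DURATION = re.compile(r"^(\d+)([smhdw])$")
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def relative_seconds(spec):
    """'30d' -> -2592000: a duration as negative seconds relative to now."""
    m = _DURATION.match(spec)
    if not m:
        raise ValueError(f"bad duration: {spec!r}")
    return -int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def build_time_params(after=None, before=None):
    """Reproduce the query strings the deck shows for --after / --before.

    --after alone selects records *last* seen after the cutoff (recently
    active); --after with --before brackets a window on first/last seen.
    """
    if after and before:
        return (f"time_first_after={relative_seconds(after)}"
                f"&time_last_before={relative_seconds(before)}")
    if after:
        return f"time_last_after={relative_seconds(after)}"
    return ""


def in_time_window(rec, now, after=None, before=None):
    """Apply the same semantics locally, against absolute epoch values."""
    if after and before:
        return (rec["time_first"] >= now + relative_seconds(after)
                and rec["time_last"] <= now + relative_seconds(before))
    if after:
        return rec["time_last"] >= now + relative_seconds(after)
    return True


def in_block(rec, cidr):
    """True when an A/AAAA record's rdata lies inside the CIDR (or single IP)."""
    if rec["rrtype"] not in ("A", "AAAA"):
        return False
    try:
        return ipaddress.ip_address(rec["rdata"]) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def owned_name(rrname, owner_suffixes):
    """True when rrname is one of the owner's zones or a name beneath one."""
    name = rrname.rstrip(".").lower()
    for suffix in owner_suffixes:
        s = suffix.rstrip(".").lower()
        if name == s or name.endswith("." + s):
            return True
    return False


def hunt(text, cidr, owner_suffixes, now, after=None, before=None):
    """Names pointing into our block that are NOT under our namespace.

    Returns sorted (rrname, rdata) pairs: the candidates for follow-up that
    the deck calls parasites (internal abuse or externally controlled hosts).
    """
    hits = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if in_block(rec, cidr) and in_time_window(rec, now, after, before):
            if not owned_name(rec["rrname"], owner_suffixes):
                hits.add((rec["rrname"], rec["rdata"]))
    return sorted(hits)


if __name__ == "__main__":
    print("params:", build_time_params(after="30d"))
    for rrname, rdata in hunt(SAMPLE_RECORDS, "203.0.113.0/24", ["example.com"], NOW, after="30d"):
        print(f"{rrname} IN A {rdata}")
```

Run against the sample, the 30-day filter surfaces only fileshare.dyn-host.example. (recently active, not under example.com), while the 90-to-120-day window surfaces srv1.unknown-host.example. and hides cdn.example.com. because it is the owner's own name; with no time filter the old game.party.example. record from 2012 shows up too, which is the "old problem, should we still follow up?" case from the slides.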
Any Questions?