
How to improve network traffic analysis and control by watching DNS

Although almost everywhere we use domain names rather than IP addresses, tools for monitoring and controlling network traffic typically operate on IP addresses. Name resolution in general (and DNS in particular) is used rather haphazardly.

This is due to some peculiarities of how DNS works: the result of resolving a name to an address can quickly go stale, the next query may return a different address, and the results may differ depending on the geography and provider of the requester.

Is it possible to keep an up-to-date name-to-address mapping table for a small network, showing which domains users requested and which IP addresses they received? With some reservations, yes.

Network administrators usually use controlled DNS servers for this. It is assumed that all users on the network resolve names only on these servers, and the rest of the DNS traffic is blocked. This is a good solution, but it only works up to a certain network size and level of user skill.
A friendly company asked us to make their netflow reports more informative. Instead of just rDNS and whois for an IP address, they wanted to see which domain name a given address actually came from.

Inside the organization there were several Microsoft DNS servers and BIND; some users had a local caching DNS, and some used Google's public servers. Even forcing all users to resolve names on our server seemed nearly impossible. Most likely we would get the opposite result: some users would start tunneling DNS through a VPN, using DNSCrypt, and so on.

After thinking a bit, we decided on a simpler approach: what if we capture DNS responses at the traffic exit points? First, the solution would not be tied to specific DNS servers; second, the existing network configuration would not need to change and users would not be bothered.

After an unsuccessful search for ready-made utilities, I (as the initiator) gathered my courage, picked up the RFC, and sketched a small program: https://github.com/vmxdev/sidmat/ .

The program scans DNS responses from the servers (this is enough, since each response carries the original question), and if the domain name matches a regular expression, it prints the address from the A record (what the resolution produced).

With this utility you can collect almost complete statistics: which domain name resolved to which IP address, and when. A prepared user can, of course, hide this information (by adding an entry to the hosts file, or using another channel for DNS queries, for example), but for the majority of hosts we get a satisfactory picture.

How it works:

$ sudo ./sidmat eth0 "." iu

We see domain names and what they resolve to (eth0 is the interface the DNS traffic passes through).

$ sudo ./sidmat eth0 "." iu | while IFS= read -r line; do printf '%s\t%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"; done

We add a timestamp. It remains to redirect the result to a file, and the mapping table is ready to use. The utility can capture DNS responses using pcap (on Linux / BSD) or using the nflog mechanism on Linux.

The same technique can be used to control traffic: filter by domain, collect the addresses of domains with certain keywords in their names, and so on.

Keep in mind that such control may not be very precise. If, in the interval between the DNS response reaching the user and the user starting to send traffic to that host, we do not manage to add the address to the ipset / iptables / routing table / wherever else, then the traffic will go the "normal" way.

In addition, a skilled user can generate false DNS responses, so it is better to use this for blocking with caution.

A few examples:

How to get a list of IP addresses that vk.com and its subdomains resolve to? (Without the 'u' option, only unique IP addresses are printed.)

$ sudo ./sidmat eth0 "^vk\.com$|\.vk\.com$" d

With the "d" or "i" option you can see which domain resolved to the IP address; "d" prints the domain name to stderr.

How to block addresses that vk.com, its subdomains, and all domains containing the word odnoklassniki resolve to? (Domains like avk.com will not match the rule; odnoklassnikii.com will.)

$ sudo sh -c './sidmat eth0 "^vk\.com$|\.vk\.com$|odnoklassniki" | /usr/bin/xargs -I {} /sbin/iptables -A INPUT -s {} -j DROP'
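To make the mechanism behind these commands concrete, here is an added example (my own code, not the sidmat sources) of what the utility does with each captured packet: decode a DNS response from its wire format (header, question section, answer section, following RFC 1035 name compression pointers), match the queried name against a regular expression, and record the resulting A-record addresses in a timestamped name-to-address table, reporting each address once by default (the behaviour the "u" option switches off). The sample response for www.vk.com and the address 198.51.100.7 are constructed for the example; the address is from the documentation range and is not a real resolution. Function names such as `parse_response` and `DomainWatcher` are my own, not sidmat's.

```python
"""Added example: parse a DNS response and match the queried name against a regex,
the way a DNS-response sniffer such as sidmat works. Not the sidmat code itself."""
from __future__ import annotations

import re
import struct
from datetime import datetime, timezone


def read_name(packet: bytes, offset: int, depth: int = 0) -> tuple[str, int]:
    """Decode a DNS name at `offset`, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name as it appears at `offset`)."""
    if depth > 16:                       # refuse pointer loops in malformed packets
        raise ValueError("too many compression pointers")
    labels: list[str] = []
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:        # 11xxxxxx xxxxxxxx: pointer to an earlier name
            pointer = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            suffix, _ = read_name(packet, pointer, depth + 1)
            parts = labels + ([suffix] if suffix else [])
            return ".".join(parts), offset + 2
        offset += 1
        if length == 0:                  # root label terminates the name
            return ".".join(labels), offset
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_response(packet: bytes) -> list[tuple[str, str, int, str]]:
    """Return (queried_name, owner_name, ttl, ipv4) for each A record in the answer
    section of a DNS response. Queries (QR bit clear) and non-A records are skipped."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", packet, 0)
    if not flags & 0x8000:
        return []
    offset = 12
    questions = []
    for _ in range(qdcount):             # the response repeats the original question
        qname, offset = read_name(packet, offset)
        offset += 4                      # skip QTYPE and QCLASS
        questions.append(qname)
    qname = questions[0] if questions else ""
    records = []
    for _ in range(ancount):
        owner, offset = read_name(packet, offset)
        rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", packet, offset)
        offset += 10
        rdata = packet[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record, class IN
            records.append((qname, owner, ttl, ".".join(str(b) for b in rdata)))
    return records


def name_matches(pattern: str, name: str) -> bool:
    """Unanchored regex search, so 'odnoklassniki' matches odnoklassnikii.com
    while '^vk\\.com$|\\.vk\\.com$' does not match avk.com."""
    return re.search(pattern, name) is not None


class DomainWatcher:
    """Keep a name -> addresses table for responses whose queried name matches
    `pattern`. With unique=True (the default) each address is reported only once."""

    def __init__(self, pattern: str, unique: bool = True):
        self.pattern = pattern
        self.unique = unique
        self.table: dict[str, set[str]] = {}
        self.seen: set[str] = set()

    def feed(self, packet: bytes, now: datetime | None = None) -> list[tuple[str, str, str]]:
        """Process one captured response; return (timestamp, queried_name, ip) rows."""
        stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%S")
        rows = []
        for qname, _owner, _ttl, ip in parse_response(packet):
            if not name_matches(self.pattern, qname):
                continue
            self.table.setdefault(qname, set()).add(ip)
            if self.unique and ip in self.seen:
                continue
            self.seen.add(ip)
            rows.append((stamp, qname, ip))
        return rows


def build_response() -> bytes:
    """Constructed sample: answer to 'www.vk.com A?' with a CNAME to vk.com and an
    A record 198.51.100.7 (documentation address, not a real resolution)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)     # QR=1, RD, RA; 1 Q, 2 AN
    question = b"\x03www\x02vk\x03com\x00" + struct.pack("!HH", 1, 1)
    # owner = pointer to offset 12 (www.vk.com); CNAME rdata = pointer to offset 16 (vk.com)
    cname_rr = struct.pack("!H", 0xC00C) + struct.pack("!HHIH", 5, 1, 300, 2) + struct.pack("!H", 0xC010)
    # owner = pointer to offset 16 (vk.com); A rdata = four address bytes
    a_rr = struct.pack("!H", 0xC010) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7])
    return header + question + cname_rr + a_rr


if __name__ == "__main__":
    watcher = DomainWatcher(r"^vk\.com$|\.vk\.com$|odnoklassniki")
    for stamp, name, ip in watcher.feed(build_response()):
        print(f"{stamp}\t{name}\t{ip}")
```

In a real deployment the bytes handed to `parse_response` would be the UDP payload of each captured packet (from pcap or nflog, as the page describes); the queried name is taken from the question section precisely because that is what the user asked for, while the A record's owner may be a CNAME target.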

Besides short regular expressions, you can use lists in a file (the "f" option: the second argument is interpreted as a file name, and its contents as one big regular expression). The lists can be quite large; we tested performance on the RKN list of domains (traffic to the forbidden domains was redirected to a VPN), and an ordinary PC router handled it without difficulty.

Source: https://habr.com/ru/post/272565/
