DNS forensics

DNS-based forensics

Computer forensics based on DNS traffic. Live forensics on Windows and Linux. Long-term DNS traffic analysis.



Concept

By analyzing DNS queries you can discover:

  • Applications in use
  • Visited pages
  • Possible infection

In the next step we can create a DNS blackhole.


Live analysis

In live forensics we analyze only traffic to/from the client machine. There is no need to analyze traffic on the server.


Windows

  • Check the hosts file (the Windows equivalent of /etc/hosts: %SystemRoot%\System32\drivers\etc\hosts)
  • Dump the DNS cache: ipconfig /displaydns > dnscache.txt
  • Clear the cache to force fresh DNS traffic: ipconfig /flushdns
  • Use NirSoft DNSQuerySniffer


Linux

  • Check the /etc/hosts file
  • tcpdump -i eth0 "port 53" >> dnsdump.txt (shows all DNS traffic, queries and responses)
  • tcpdump -i eth0 "dst port 53" >> dnsdump.txt (shows only queries)
  • You can also use passivedns. Keep in mind that passivedns does not display queries that received no response.


Long term DNS monitoring

Use passivedns (./passivedns -i eth0) to listen for DNS traffic on the DNS server, or run it on a SPAN port. Send the logs to a database. Set up a domain blacklist for alerting.

Check the modified pdns2db script. We added the client and server IP. You can download it here. Our modifications:

  • Schema: added client and server columns
  • Schema: UNIQUE KEY MARQ (MAPTYPE, ANSWER, RR, QUERY, Client, Server)
  • SQL insert: added client and server fields


Bad domain list:


Blacklist alerts:

1429451448.056311||192.168.1.10||62.179.1.61||IN||onet.pl.||A||213.180.141.140||40||1
1429451444.551672||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.98.9||41||1
1429451444.551672||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.100.101||41||1
1429451448.056311||192.168.1.10||62.179.1.61||IN||onet.pl.||A||213.180.141.140||40||1
1429451444.551672||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.98.9||41||1
1429451444.551672||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.100.101||41||1
1429451448.056311||192.168.1.10||62.179.1.61||IN||onet.pl.||A||213.180.141.140||40||1
1429458324.973950||192.168.1.18||62.179.1.60||IN||onet.pl.||A||213.180.141.140||40||4
1429465298.844245||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.100.101||287||5
1429465298.844245||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.98.9||287||5
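As an added example (not the page's code and not the pdns2db script), the following Python parses lines in the passivedns format shown above, matches each query against a domain blacklist (including parent domains), and aggregates hits by the unique key from the modified schema. The sample lines are taken from the alert log above; the mail.wp.pl and example.org lines are constructed.

```python
"""Match passivedns log lines against a domain blacklist (added example)."""

# Sample passivedns output: lines taken from the page's alert log plus two
# constructed ones (mail.wp.pl, example.org) for parent-domain and no-match cases.
SAMPLE_LOG = """\
1429451448.056311||192.168.1.10||62.179.1.61||IN||onet.pl.||A||213.180.141.140||40||1
1429451444.551672||192.168.1.10||62.179.1.61||IN||wp.pl.||A||212.77.98.9||41||1
1429451448.056311||192.168.1.10||62.179.1.61||IN||onet.pl.||A||213.180.141.140||40||1
1429458324.973950||192.168.1.18||62.179.1.60||IN||onet.pl.||A||213.180.141.140||40||4
1429465300.000000||192.168.1.10||62.179.1.61||IN||mail.wp.pl.||A||212.77.100.101||287||5
1429465301.000000||192.168.1.18||62.179.1.60||IN||example.org.||A||93.184.216.34||300||1
"""

# Field order of passivedns' default "||"-separated log line.
FIELDS = ("ts", "client", "server", "maptype", "query", "rr", "answer", "ttl", "count")

def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.strip().split("||")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"], rec["count"] = float(rec["ts"]), int(rec["count"])
    rec["query"] = rec["query"].rstrip(".").lower()  # strip trailing dot for matching
    return rec

def is_blacklisted(domain, blacklist):
    """True if the domain or any parent domain (mail.wp.pl -> wp.pl) is listed."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def alerts(log_text, blacklist):
    """Aggregate matching lines by the page's unique key
    (MAPTYPE, ANSWER, RR, QUERY, Client, Server) with hit count and time span."""
    bl = {d.rstrip(".").lower() for d in blacklist}
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_blacklisted(rec["query"], bl):
            continue
        key = (rec["maptype"], rec["answer"], rec["rr"], rec["query"], rec["client"], rec["server"])
        e = seen.setdefault(key, {"first": rec["ts"], "last": rec["ts"], "hits": 0})
        e["first"], e["last"] = min(e["first"], rec["ts"]), max(e["last"], rec["ts"])
        e["hits"] += 1
    return seen

if __name__ == "__main__":
    for (_, answer, _, query, client, _), e in sorted(alerts(SAMPLE_LOG, {"onet.pl", "wp.pl"}).items()):
        print(f"{query} -> {answer} queried by {client}: {e['hits']} hit(s)")
```

The client IP in each key is what identifies the possibly infected host; the duplicate onet.pl line collapses into one record with two hits, as the UNIQUE KEY in the schema would collapse it in the database.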