
passive dns

Pradyumna Joshi edited this page Feb 13, 2018 · 4 revisions

Passive DNS services:

Passive dns collectors

DNS Security: How to Detect Compromised Endpoints by Analyzing DNS Activity from Your DNS Server Logs and Network Activity

There's a wealth of security intelligence to be gleaned from the logs of your internal DNS servers and from monitoring outbound DNS queries on your network. If you run your own Internet DNS servers, you could say the same for inbound queries, but in this real training for free ™ webinar I'll be focusing on how to detect compromised endpoints. And that means watching your internal DNS servers and outbound DNS traffic.

Your internal DNS normally sees all DNS queries from all of your endpoints – including those to the outside world for finding websites and other resources on the Internet. This is extremely useful because malware (APTs, ransomware, etc.) must find its command and control server. Most bad guys don't hardcode that IP address, for all kinds of reasons; so malware usually relies on the same DNS protocol that good software uses to find IP addresses. But if you know what to look for, you can often recognize DNS queries associated with malware. Check the IP address of the endpoint making the query and you've zeroed in on at least one of the compromised systems.

Before you can detect malicious DNS queries you have to be able to see them. And on Windows DNS Servers (the internal DNS server most used in Active Directory environments) you must enable debug logging. The normal DNS event log only provides operational messages such as errors and warnings about the service itself. I'll show you how to enable debug logging, which options to configure, where to find the log and how to interpret it.

Then we'll explore what kinds of analysis to perform in order to detect compromised endpoints including:

Checking against known malware domains
Geo location
Unusual errors
Newly and least frequently queried domain names

We will also discuss DNS related security issues such as:

DNS cache poisoning
Typo-squatting
Domain generation algorithms
Fast-flux
Registrar hacking

The bad guys are even using DNS to hide communications with command and control servers, including the exfiltration of data.

Beyond monitoring DNS server logs, I'll also explain a simple check to perform on endpoints to detect DNS hijacking, and a way to do the same thing at your gateway with an IDS or firewall log.
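The abstract above describes turning the Windows DNS Server debug log into detections: blocklist matches, unusual errors, and newly or rarely queried names. The following Python is an added example, not code from the webinar or from this wiki's author. It parses packet lines in the debug-log layout (timestamp, thread id, PACKET, context, protocol, Snd/Rcv, client IP, transaction id, optional R for responses, flags and rcode in brackets, query type, length-prefixed name) and runs those checks. The log lines, the blocklist and the baseline set are constructed for the example.

```python
"""Parse Windows DNS Server debug-log packet lines and run the detection checks
described in the webinar abstract.  Added example: the log lines, blocklist and
baseline below are constructed, not real data."""
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of a Windows DNS Server debug log, one packet
# per line.  Rcv + Q lines are client queries; Snd + R lines are the answers.
SAMPLE_LOG = """\
2/13/2018 9:01:02 AM 0E28 PACKET  000000C4A3B2B1D0 UDP Rcv 10.0.0.25      0001   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
2/13/2018 9:01:02 AM 0E28 PACKET  000000C4A3B2B1D0 UDP Snd 10.0.0.25      0001 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
2/13/2018 9:01:05 AM 0E28 PACKET  000000C4A3B2C2E0 UDP Rcv 10.0.0.77      0002   Q [0001   D   NOERROR] A      (16)kq3x9zvt2plm7wab(3)net(0)
2/13/2018 9:01:05 AM 0E28 PACKET  000000C4A3B2C2E0 UDP Snd 10.0.0.77      0002 R Q [8383 A DR  NXDOMAIN] A      (16)kq3x9zvt2plm7wab(3)net(0)
2/13/2018 9:01:06 AM 0E28 PACKET  000000C4A3B2C2E0 UDP Rcv 10.0.0.77      0003   Q [0001   D   NOERROR] A      (16)zp81mdq0xvr4ytcn(3)net(0)
2/13/2018 9:01:06 AM 0E28 PACKET  000000C4A3B2C2E0 UDP Snd 10.0.0.77      0003 R Q [8383 A DR  NXDOMAIN] A      (16)zp81mdq0xvr4ytcn(3)net(0)
2/13/2018 9:01:09 AM 0E28 PACKET  000000C4A3B2D3F0 UDP Rcv 10.0.0.77      0004   Q [0001   D   NOERROR] A      (9)evil-c2-x(7)example(0)
2/13/2018 9:01:09 AM 0E28 PACKET  000000C4A3B2D3F0 UDP Snd 10.0.0.77      0004 R Q [8081   DR  NOERROR] A      (9)evil-c2-x(7)example(0)
2/13/2018 9:01:10 AM 0E28 PACKET  000000C4A3B2B1D0 UDP Rcv 10.0.0.25      0005   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""

# Constructed stand-ins for a threat-intel blocklist and a historical baseline.
KNOWN_BAD = {"evil-c2-x.example"}
BASELINE = {"www.example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<ctx>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R)?\s*Q\s+"
    r"\[(?P<flags>[0-9A-Fa-f]+)\s+(?P<chars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(encoded):
    """Turn the length-prefixed form '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\(\d+\)([^()]*)", encoded)
    return ".".join(label for label in labels if label).lower()


def parse_log(text):
    """Return one dict per packet line; header, blank and detail lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["is_response"] = rec.pop("resp") == "R"
        rec["domain"] = decode_name(rec.pop("name"))
        rec["chars"] = rec["chars"].strip()
        records.append(rec)
    return records


def blocklist_hits(records, blocklist):
    """Map each blocklisted domain that was queried to the clients that asked for it."""
    hits = defaultdict(set)
    for r in records:
        if not r["is_response"] and r["domain"] in blocklist:
            hits[r["domain"]].add(r["ip"])
    return {domain: sorted(clients) for domain, clients in hits.items()}


def nxdomain_by_client(records):
    """Count NXDOMAIN answers per client; a burst is the 'unusual errors' signal."""
    return Counter(r["ip"] for r in records if r["is_response"] and r["rcode"] == "NXDOMAIN")


def newly_seen(records, baseline):
    """Queried domains that do not appear in the historical baseline."""
    return sorted({r["domain"] for r in records if not r["is_response"]} - baseline)


def least_frequent(records, n=3):
    """The n domains queried fewest times, ordered by count then name."""
    counts = Counter(r["domain"] for r in records if not r["is_response"])
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocklist hits:", blocklist_hits(recs, KNOWN_BAD))
    print("NXDOMAIN per client:", dict(nxdomain_by_client(recs)))
    print("newly seen:", newly_seen(recs, BASELINE))
    print("least frequent:", least_frequent(recs))
```

On a real server, point `parse_log` at the file configured as the debug log path and run the checks over a sliding window; the per-client NXDOMAIN count and the newly-seen list are the two outputs that most often surface a DGA-driven infection before any blocklist catches up.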

Cyber criminals are constantly developing increasingly sophisticated and dangerous malware. Statistics for the first quarter of 2016 compared to 2015 show that malware attacks have quadrupled.

Why DNS traffic is important

DNS plays an important role in how end users in your enterprise connect to the Internet. Each connection a client device makes to a domain is recorded in the DNS logs. Inspecting DNS traffic between client devices and your local recursive resolver can reveal a wealth of information for forensic analysis.

DNS queries can reveal:

Botnets/malware connecting to C&C servers
Which websites an employee visited
Which malicious and DGA domains were accessed
Which dynamic domains (DynDNS) were accessed
DDoS attacks such as NXDOMAIN, phantom domain and random subdomain attacks

Identifying the threats using EventTracker

While parsing each DNS log, we verify each domain accessed against:

Malicious domain database (updated on regular basis)
Domain Generation Algorithm (DGA)

Any domain that matches either of the above criteria warrants attention: an alert is generated along with the client that accessed it and the geolocation information of the domain (IP, country).

Using behavior analysis, EventTracker tracks the volume of connections to each domain accessed in the enterprise. If the volume of traffic to a specific domain exceeds the average, alert conditions are triggered. When a domain is accessed for the first time, we check the following:

Is this a dynamic domain?
Is the domain registered recently or expiring soon?
Does the domain have a known malicious TLD?

Recent trends show that cyber criminals may create dynamic domains as command and control centers. These domains are activated for a very short duration and then discarded, which makes the above checks even more important.

EventTracker performs statistical/threshold monitoring of queries, clients, record types and errors. This helps detect many DDoS attacks such as NXDOMAIN, phantom domain and random subdomain attacks. EventTracker's monitoring of client DNS settings helps detect DNS hijacking and generates an alert for anything suspicious, including information about the client and its DNS settings. The EventTracker flex dashboard correlates attack detection data with client details, making attack detection simpler.
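The first-seen checks (dynamic domain, registration age, suspicious TLD) and the volume-above-average rule described above can be implemented with very little code. The following Python is an added example, not EventTracker code: the dynamic-DNS provider zones, the suspicious-TLD set, the registration and expiry dates and the per-domain query counts are constructed stand-ins for the feeds and history a monitoring product would maintain. It also adds a simple DGA heuristic (label length, entropy, digit and vowel ratios) so that an algorithmically generated name is flagged on first sight even before any feed lists it.

```python
"""First-seen domain checks and volume outlier detection.  Added example; every
feed below is a constructed stand-in, not EventTracker data."""
import math
from datetime import date

# Constructed stand-ins for feeds a monitoring product would maintain.
DYNAMIC_DNS_SUFFIXES = {"dyndns.example", "no-ip.example"}  # hypothetical provider zones
SUSPICIOUS_TLDS = {"badtld"}  # placeholder; populate from your own abuse data
REGISTRATION_DATA = {  # registrable domain -> (created, expires), as WHOIS/RDAP would report
    "example.com": (date(1995, 8, 14), date(2025, 8, 13)),
    "kq3x9zvt2plm7wab.net": (date(2018, 2, 10), date(2019, 2, 10)),
    "expiring.test": (date(2010, 1, 1), date(2018, 3, 1)),
}
# Constructed query counts for one day across the enterprise.
SAMPLE_QUERY_COUNTS = {
    "www.example.com": 120,
    "intranet.example.com": 90,
    "mail.example.com": 60,
    "kq3x9zvt2plm7wab.net": 30,
    "beacon.dyndns.example": 2400,
}


def registrable_domain(fqdn):
    """Last two labels.  Good enough here; production code should use a public suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def shannon_entropy(text):
    """Bits of entropy per character of a label."""
    if not text:
        return 0.0
    length = len(text)
    return -sum((text.count(c) / length) * math.log2(text.count(c) / length) for c in set(text))


def looks_dga(fqdn):
    """Heuristic DGA test on the second-level label: long names that are high-entropy,
    digit-heavy or nearly vowel-free are typical algorithm output."""
    label = registrable_domain(fqdn).split(".")[0]
    if len(label) < 10:
        return False
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) > 3.5 or digit_ratio > 0.3 or vowel_ratio < 0.15


def first_seen_checks(fqdn, today, window_days=30):
    """Return the reasons a domain seen for the first time deserves attention."""
    fqdn = fqdn.lower().rstrip(".")
    reg = registrable_domain(fqdn)
    reasons = []
    if any(fqdn == s or fqdn.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns")
    dates = REGISTRATION_DATA.get(reg)
    if dates is None:
        reasons.append("no-registration-data")
    else:
        created, expires = dates
        if (today - created).days < window_days:
            reasons.append("recently-registered")
        if 0 <= (expires - today).days < window_days:
            reasons.append("expiring-soon")
    if reg.split(".")[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious-tld")
    if looks_dga(fqdn):
        reasons.append("dga-like")
    return reasons


def volume_outliers(query_counts, factor=3.0):
    """Domains whose query count exceeds `factor` times the per-domain mean."""
    if not query_counts:
        return []
    mean = sum(query_counts.values()) / len(query_counts)
    return sorted(d for d, n in query_counts.items() if n > factor * mean)


if __name__ == "__main__":
    today = date(2018, 2, 13)
    for name in SAMPLE_QUERY_COUNTS:
        print(name, first_seen_checks(name, today))
    print("volume outliers:", volume_outliers(SAMPLE_QUERY_COUNTS))
```

A bare mean-times-factor rule is deliberately simple; in practice you would compute the baseline per domain over several days so that a busy but legitimate name (a software update CDN, for instance) does not dominate the average and hide a noisy beacon.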

Monitoring the DNS logs is a powerful way to identify security attacks as they happen in the enterprise, enabling successful blocking of attacks and fixing vulnerabilities.

http://www.securityskeptic.com/DNS_Monitoring20140130.pdf
http://mastersicurezza.di.uniroma1.it/mastersicurezza/images/materiali/Convegni/dns_monitoringdeftcon2015.pdf

https://blog.redcanary.com/2015/07/02/passive-dns-monitoring-your-ir-team-needs-it/
http://www.cyber.umd.edu/sites/default/files/documents/2012-wenke-lee-nov.pdf
http://www.slideshare.net/Splunk/threat-hunting-workshop
https://github.com/jt6211/hadoop-dns-mining

https://github.com/bigsnarfdude/violentPythonForHackers
https://github.com/bigsnarfdude/guide-to-data-mining
https://github.com/bigsnarfdude/PythonSystemAdminTools
https://github.com/bigsnarfdude/python-machine-learning-book
https://github.com/bigsnarfdude/spark-jobserver
https://github.com/bigsnarfdude/scalaLearning

https://syntagmatic.github.io/parallel-coordinates/
https://www.net.in.tum.de/fileadmin/bibtex/publications/papers/braun-wiv2012-flowinspector.pdf

https://www.trustwave.com/Resources/SpiderLabs-Blog/PCAP-Files-Are-Great-Arn-t-They--/
http://opensecuritytraining.info/Pcap.html
http://blogs.cisco.com/security/finding-a-needle-in-a-pcap
https://zeltser.com/networkminer-for-analyzing-network-traffic/

http://www.capanalysis.net/ca/
https://www.netfort.com/cloud-based-pcap-analysis/
