Grant Stavely

Domain Name System (DNS) traffic is inherently timely. Responses from DNS servers are expected to change from one minute to the next. So many important application layer protocols leverage DNS, and it is so pervasively necessary for even basic Internet access, and it is such a simple behavior indicator, that it only makes sense to log the crap out of it. In minutiae.

Yet, it seems like DNS logging is still one of those everyone-rolls-their-own efforts. And fewer still log DNS from a sniffing sensor, instead trusting their DNS servers. I hate rolling my own, and I don't trust DNS servers.

I've borrowed a healthy dozen or more security monitoring ideas from Sean Wilkerson, so while he was still on stage after a talk at DojoSec, I re-raised my DNS Logging plight. I'd hoped he knew of a tool, or could use the microphone, video stream, and audience to ask that someone create one. Actually, I didn't hope, I specifically said “And hey, if anyone is listening, this needs to exist. If you can create, you are obligated.” or something along those lines.

I wasn't looking for an analysis tool, or a log parser, or an IDS signature. I just wanted the equivalent of the many snarf programs in Dug Song's dsniff package. It had to be lightweight, reliably parse all application traffic of the DNS protocol, and simply log it. Dsniff already does that for HTTP, NFS, SMTP, IRC, and many instant messenger protocols, and it can spoof DNS, but has nothing for passive DNS monitoring.

It worked! Sort of.

Christopher McBee was in the audience, and he knew that Python and Scapy would probably be capable. In twenty minutes, he had a working DNS logger. Awesome.

It didn't log minutiae, but that wasn't Scapy's fault. It didn't log TCP, and that is still Scapy's fault.

Spurred by Christopher's work, I dove into Python and finished it to my original spec, mostly.

    > dnssnarf --help
    usage: dnssnarf [options]

    Log DNS messages with Python and Scapy

    options:
      --version             show program's version number and exit
      -h, --help            show this help message and exit
      -s, --syslog          write to syslog
      -f FACILITY, --facility=FACILITY
                            Syslog facility. Default: 'user'
      -p PRIORITY, --priority=PRIORITY
                            Syslog priority. Default: 'info'
      -i INTERFACE, --interface=INTERFACE
                            listen on INTERFACE
      -q, --quiet           quiet output
      -b BPF, --bpf=BPF     BPF to apply to scapy sniffer. Default: 'port 53 and
                            udp'
      -n, --named           named query log format
      -d, --debug           Print additional debugging information

It doesn't understand TCP DNS, because Scapy doesn't, and I am not smart enough to fix that.

Output looks like this by default:

    Fri Dec  4 06:24:56 2009 UDP session: 44167 client: 192.168.1.1:59634 server: 69.63.185.11:53 query: login.facebook.com. class: IN type: A recurse: no
    Fri Dec  4 06:24:56 2009 UDP session: 44167 client: 69.63.185.11:53 server: 192.168.1.1:59634 query: login.facebook.com. class: IN type: A recurse: no
    Fri Dec  4 06:24:56 2009 UDP session: 44167 server: 69.63.185.11:53 client: 192.168.1.1:59634 response: 69.63.181.22 ok type: A ttl: 30L len: 4
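To show what a passive DNS logger actually has to pull out of each packet to produce lines like these, here is an added example (my own code, not dnssnarf's and not Scapy's): a dependency-free parser for the DNS message format that recovers the transaction ID, recursion flag, question, answers, TTL and rdata length, follows name-compression pointers with a loop guard so a malformed packet cannot hang the sensor, and also strips the two-byte length prefix that TCP DNS carries. The two messages it parses are constructed to mirror the login.facebook.com query and response above, not captured traffic.

```python
import struct

# Added example, not dnssnarf's code: a dependency-free DNS message parser that
# yields the fields dnssnarf logs. Both messages below are constructed samples.
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 28: "AAAA"}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

QUESTION = encode_name("login.facebook.com") + struct.pack("!HH", 1, 1)   # type A, class IN
QUERY = struct.pack("!HHHHHH", 44167, 0x0100, 1, 0, 0, 0) + QUESTION       # RD set, no answers
RESPONSE = (struct.pack("!HHHHHH", 44167, 0x8180, 1, 1, 0, 0) + QUESTION    # QR+RD+RA, 1 answer
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([69, 63, 181, 22]))

def read_name(msg, off, hops=0):
    # Decode a possibly compressed name; return (name, offset after it).
    labels = []
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                     # compression pointer to an earlier name
            if hops > 16:                        # a looping pointer must not hang the logger
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            rest, _ = read_name(msg, ptr, hops + 1)
            return ".".join(labels + [rest.rstrip(".")]) + ".", off + 2
        off += 1
        if l == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + l].decode("ascii"))
        off += l

def parse_dns(msg, tcp=False):
    # tcp=True strips the 2-byte length prefix that DNS over TCP carries.
    if tcp:
        msg = msg[2:2 + struct.unpack("!H", msg[:2])[0]]
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8]); off = 12
    rec = {"id": txid, "response": bool(flags & 0x8000),
           "recurse": bool(flags & 0x0100), "questions": [], "answers": []}
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        rec["questions"].append((name, QTYPES.get(qtype, str(qtype)), "IN" if qclass == 1 else str(qclass)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:            # render A records as dotted quads
            rdata = ".".join(str(b) for b in rdata)
        rec["answers"].append((name, QTYPES.get(rtype, str(rtype)), ttl, rdlen, rdata))
    return rec
```

Feed it the UDP payload from a sniffer (or a TCP stream with `tcp=True`) and format the returned record however your log pipeline wants it.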

So then I'm validating it against tcpdump. tcpdump already does what I want. And it isn't Python. It's fast. Silly us.

Here's tcpdump with me running 'host grantstavely.com' in another window.

    grantstavely:~ grant$ sudo tcpdump -i en1 -nn -tttt port 53
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
    2009-12-04 06:32:32.368184 IP 192.168.1.25.61686 > 192.168.1.4.53: 50950+ A? grantstavely.com. (34)
    2009-12-04 06:32:32.373623 IP 192.168.1.4.53 > 192.168.1.25.61686: 50950 1/0/0 A 75.101.142.201 (50)
    2009-12-04 06:32:32.374358 IP 192.168.1.25.64909 > 192.168.1.4.53: 44029+ AAAA? grantstavely.com. (34)
    2009-12-04 06:32:32.376867 IP 192.168.1.4.53 > 192.168.1.25.64909: 44029 0/0/0 (34)
    2009-12-04 06:32:32.377112 IP 192.168.1.25.57526 > 192.168.1.4.53: 55171+ MX? grantstavely.com. (34)
    2009-12-04 06:32:32.394888 IP 192.168.1.4.53 > 192.168.1.25.57526: 55171 8/0/0 MX smtp7.grantstavely.com. 10, MX smtp4.grantstavely.com. 10, MX smtp6.grantstavely.com. 10, MX smtp.grantstavely.com. 0, MX smtp8.grantstavely.com. 10, MX smtp2.grantstavely.com. 5, MX smtp3.grantstavely.com. 5, MX smtp5.grantstavely.com. 10 (209)

Under my nose!

Actually, tcpdump isn't showing us transaction ID numbers, TTLs, or LENs, which is a bummer. So dnssnarf still has its uses after all.
