
DNS Forensics

Carried out at
Centre for Development of Advanced Computing (CDAC), Bangalore
Under the supervision of Dr. Sanjay Adiwal

Presented by -
1. Aakash Hajare
2. Jayveer Waghmare
3. Mayank Bissa
4. Neel Ghosh
5. Suman Kumar
Contents-
Objective
DNS Forensics
Why DNS Forensics
Importance of DNS logs
Tools
DNS Attacks
Methodology for DNS Forensics
Conclusion
Objective -
The objective is to use DNS traffic and DNS logs to analyse network health
and activity, detect anomalies in the network, and defeat malicious activity.
We have explored various tools that can be used in DNS forensics.
DNS Forensics -

As DNS is a core and prevalent component of the internet, it is both a prime
target for attack and a key source of information.

The Domain Name System (DNS) has long been used to estimate the boundary of
the Internet and is used heavily by almost all network applications, whether
benign or malicious.
Why DNS Forensics -
Many cyber security professionals (in both government and commercial
agencies) are employed to hunt down cybercriminals, using numerous internet
services to obtain data and trace their movements. But even within cyber
security, few researchers concentrate on digital forensic analysis of DNS and
domain services and the data they produce.
Hence, we propose an approach to analyse DNS data for forensic purposes using
large volumes of DNS logs together with live DNS traffic.
Importance of DNS logs -

Monitoring DNS logs is a powerful way to identify security attacks as they
happen in the enterprise, enabling attacks to be blocked and vulnerabilities
to be detected. Almost every piece of malware has to resolve a name before it
can contact its infrastructure, so those lookups show up in the resolver's
logs even when the later traffic is encrypted.

To detect malware and anomalies in the network we use the following tools -

1. Passive DNS
2. DNS Parse
3. Capture DNS
4. DNSTOP
5. ELK Stack
DNS Attacks -

There are several attacks on DNS; we explored a few of them that can be detected by our proposed DNS forensic method:

1. DNS Tunneling
2. NXDomain Attacks
3. DNS Amplification

DNS Tunneling

DNS tunneling abuses the DNS protocol to carry malware commands and exfiltrated data in a
client-server model. The attacker registers a domain, such as example.com, and delegates
it to a name server under their control on which the tunnel server is installed. The
infected client encodes data in the labels of query names under that domain (long,
base64-like subdomains), and the attacker's server returns data in the answers, typically
in TXT or CNAME records. Because the queries are relayed by the organisation's own
recursive resolver, the traffic looks like ordinary DNS unless query names, volumes and
record types are inspected.

NXDomain Attack

In an NXDOMAIN attack, the attacker sends a flood of queries for non-existent names,
often random subdomains of a real zone, to a Domain Name System (DNS) server. The server
tries to resolve each name but cannot find it; nothing is cached, so every query goes
out to the authoritative servers. In the process its cache fills up with NXDOMAIN
results and its capacity for outstanding queries is consumed, slowing responses for
legitimate requests. The tell-tale in the logs is a high rate of NXDOMAIN responses per
client or per zone.

DNS Amplification

DNS amplification is a Distributed Denial of Service (DDoS) attack in which the
attacker sends small queries with a spoofed source address (the victim's) to open
resolvers or authoritative servers, choosing queries such as ANY or large TXT records
whose responses are many times larger than the query. The servers deliver those much
larger payloads to the victim, whose network is overwhelmed. Seen from the resolver,
the pattern is repeated large responses to a source that never asked for them.
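The three attacks above leave different traces in a query log, and each can be reduced to a simple per-domain or per-client statistic. The detector below is an added example, not code from the slides or from any tool the slides name. It assumes a record layout chosen for the example (one space-separated line per query/response pair: timestamp, client, resolver, query name, query type, response code, response size in bytes), treats the last two labels as the registered domain (real code should use the public suffix list), and runs over a constructed log in which 10.0.0.7 tunnels data, 10.0.0.9 floods random names, and 198.51.100.23 is a spoofed amplification victim. The thresholds are starting points, not tuned values.

```python
"""Heuristic detectors for DNS tunneling, NXDOMAIN flooding and amplification
over a constructed query log.  Added example; the record layout and thresholds
are assumptions made for this illustration."""
from collections import Counter, defaultdict
import math

# Constructed sample log: ts client resolver qname qtype rcode response_bytes
SAMPLE_LOG = """\
1700000000 10.0.0.5 10.0.0.2 www.example.com A NOERROR 90
1700000001 10.0.0.5 10.0.0.2 mail.example.com MX NOERROR 120
1700000002 10.0.0.7 10.0.0.2 aGVsbG8gd29ybGQ.7f3a9c.tun.example.net TXT NOERROR 110
1700000003 10.0.0.7 10.0.0.2 dGhpcyBpcyBhIHRlc3Q.7f3a9d.tun.example.net TXT NOERROR 115
1700000004 10.0.0.7 10.0.0.2 c2VjcmV0IGRhdGE.7f3a9e.tun.example.net TXT NOERROR 108
1700000005 10.0.0.7 10.0.0.2 ZXhmaWwgbW9yZQ.7f3a9f.tun.example.net TXT NOERROR 112
1700000006 10.0.0.9 10.0.0.2 k3j4h2.example.org A NXDOMAIN 60
1700000007 10.0.0.9 10.0.0.2 x9q1zz.example.org A NXDOMAIN 60
1700000008 10.0.0.9 10.0.0.2 p0o9i8.example.org A NXDOMAIN 60
1700000009 10.0.0.9 10.0.0.2 m5n6b7.example.org A NXDOMAIN 60
1700000010 10.0.0.9 10.0.0.2 v4c3x2.example.org A NXDOMAIN 60
1700000011 10.0.0.9 10.0.0.2 l1k2j3.example.org A NXDOMAIN 60
1700000012 10.0.0.5 10.0.0.2 wwww.example.com A NXDOMAIN 60
1700000013 198.51.100.23 10.0.0.2 example.com ANY NOERROR 3200
1700000014 198.51.100.23 10.0.0.2 example.com ANY NOERROR 3200
1700000015 198.51.100.23 10.0.0.2 example.com ANY NOERROR 3200
1700000016 198.51.100.23 10.0.0.2 example.com ANY NOERROR 3200
"""


def parse_log(text):
    """Turn the constructed log into a list of dicts; query names are normalised."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, qname, qtype, rcode, size = line.split()
        records.append({"ts": int(ts), "client": client, "server": server,
                        "qname": qname.rstrip(".").lower(), "qtype": qtype,
                        "rcode": rcode, "size": int(size)})
    return records


def registered_domain(qname):
    """Assumption for the example: last two labels.  Use the public suffix list in practice."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; base64/hex-like tunnel labels score well above plain words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_tunnel_domains(records, min_unique=4, min_avg_len=20, min_entropy=3.0):
    """Tunneling: many distinct, long, high-entropy subdomain prefixes under one domain."""
    prefixes = defaultdict(set)
    for r in records:
        dom = registered_domain(r["qname"])
        prefix = r["qname"][: -len(dom) - 1] if r["qname"] != dom else ""
        if prefix:
            prefixes[dom].add(prefix)
    flagged = {}
    for dom, pset in prefixes.items():
        avg_len = sum(len(p) for p in pset) / len(pset)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in pset) / len(pset)
        if len(pset) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[dom] = {"unique_prefixes": len(pset),
                            "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return flagged


def find_nxdomain_flooders(records, window=60, threshold=5):
    """NXDOMAIN flood: too many NXDOMAIN answers to one client inside a time bucket."""
    buckets = Counter()
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            buckets[(r["client"], r["ts"] // window)] += 1
    flagged = {}
    for (client, _), n in buckets.items():
        if n >= threshold:
            flagged[client] = max(n, flagged.get(client, 0))
    return flagged


def find_amplification(records, min_ratio=10, min_count=3):
    """Amplification: repeated responses far larger than the query for one (client, name, type).
    Query size is estimated from the wire format: 12-byte header + name + 4 bytes type/class."""
    stats = defaultdict(lambda: {"count": 0, "max_ratio": 0.0})
    for r in records:
        query_len = 12 + len(r["qname"]) + 2 + 4
        ratio = r["size"] / query_len
        if ratio >= min_ratio:
            s = stats[(r["client"], r["qname"], r["qtype"])]
            s["count"] += 1
            s["max_ratio"] = max(s["max_ratio"], round(ratio, 1))
    return {k: v for k, v in stats.items() if v["count"] >= min_count}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunnel domains:", find_tunnel_domains(recs))
    print("nxdomain flooders:", find_nxdomain_flooders(recs))
    print("amplification:", find_amplification(recs))
```

On the sample, only example.net is flagged as a tunnel: the random names under example.org are numerous but short, which is what separates a water-torture flood from a tunnel, and the flood itself is caught by the NXDOMAIN counter for 10.0.0.9. The amplification check keys on (client, name, type) so a single large legitimate MX or TXT answer does not trip it.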
Methodology for DNS Forensics

When problems arise, logs are an invaluable troubleshooting tool, since they
give a history of events for the operating system, the applications and the
system as a whole. An administrator has to examine log files as soon as a
problem appears. We use the following tools in DNS log analysis:
DNSParse
CaptureDNS
PassiveDNS
DNSTop
ELK Stack
PassiveDNS

A tool to collect DNS records passively to aid incident handling, Network
Security Monitoring (NSM) and general digital forensics.

PassiveDNS sniffs traffic from an interface or reads a pcap file and writes
the DNS server answers to a log file. PassiveDNS can cache/aggregate duplicate
DNS answers in memory, limiting the amount of data in the log file without
losing the essence of the DNS answer.
PassiveDNS Output-

Command- # passivedns -i ens33(Interface-name) -l fname(Any file name)
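What makes passivedns useful for forensics is not the raw log but what you build from it: for every (name, type, answer) triple, when it was first and last seen and how often. The script below is an added example, not code from the slides or from the passivedns project. It assumes each log line carries the nine `||`-separated fields passivedns writes (timestamp, client, server, class, query, type, answer, TTL, count); verify the field order against the README of the build you run. The log lines are constructed, using RFC 5737 documentation addresses, and include a fast-flux style name that rotates through six addresses with a 60-second TTL plus one malformed line to show how parsing failures are skipped.

```python
"""Aggregate passivedns log lines into a small passive DNS store and query it.
Added example; field layout is an assumption about the passivedns log format."""

# Constructed passivedns-style lines (ts||client||server||class||query||type||answer||ttl||count)
SAMPLE_PDNS = """\
1700000000.000001||10.0.0.5||8.8.8.8||IN||www.example.com.||A||192.0.2.10||3600||3
1700003600.000001||10.0.0.5||8.8.8.8||IN||www.example.com.||A||192.0.2.10||3600||2
1700000010.000001||10.0.0.7||8.8.8.8||IN||cdn.example.org.||A||192.0.2.10||3600||1
1700000020.000001||10.0.0.9||8.8.8.8||IN||update.flux-example.net.||A||203.0.113.11||60||1
1700000080.000001||10.0.0.9||8.8.8.8||IN||update.flux-example.net.||A||203.0.113.52||60||1
1700000140.000001||10.0.0.9||8.8.8.8||IN||update.flux-example.net.||A||198.51.100.7||60||1
1700000200.000001||10.0.0.9||8.8.8.8||IN||update.flux-example.net.||A||198.51.100.99||60||1
1700000260.000001||10.0.0.9||8.8.8.8||IN||update.flux-example.net.||A||192.0.2.140||60||1
1700000320.000001||10.0.0.9||8.8.8.8||IN||update.flux-example.net.||A||192.0.2.201||60||1
1700000400.000001||10.0.0.5||8.8.8.8||IN||example.com.||MX||mail.example.com.||3600||1
1700000500.000001||10.0.0.5||8.8.8.8||IN||truncated.example.com.
"""

FIELDS = ("ts", "client", "server", "qclass", "query", "qtype", "answer", "ttl", "count")


def parse_line(line):
    """One passivedns line -> dict, or None when the line is malformed/truncated."""
    parts = line.strip().split("||")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = float(rec["ts"])
        rec["ttl"] = int(rec["ttl"])
        rec["count"] = int(rec["count"])
    except ValueError:
        return None
    # passivedns writes names with a trailing dot; normalise for lookups
    rec["query"] = rec["query"].rstrip(".").lower()
    rec["answer"] = rec["answer"].rstrip(".").lower()
    return rec


def build_store(text):
    """Key (query, type, answer) -> first_seen, last_seen, total count, lowest TTL."""
    store = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["query"], rec["qtype"], rec["answer"])
        e = store.setdefault(key, {"first_seen": rec["ts"], "last_seen": rec["ts"],
                                   "count": 0, "ttl": rec["ttl"]})
        e["first_seen"] = min(e["first_seen"], rec["ts"])
        e["last_seen"] = max(e["last_seen"], rec["ts"])
        e["count"] += rec["count"]          # passivedns 'count' = answers aggregated since last log
        e["ttl"] = min(e["ttl"], rec["ttl"])
    return store


def history(store, name):
    """Everything a name has ever resolved to: the 'DNS history' view used in forensics."""
    return sorted((qtype, ans, e["first_seen"], e["last_seen"])
                  for (q, qtype, ans), e in store.items() if q == name)


def names_for_answer(store, answer):
    """Reverse pivot: which names pointed at this IP or host (shared infrastructure)."""
    return sorted({q for (q, _, ans) in store if ans == answer})


def fast_flux_candidates(store, min_addresses=5, max_ttl=300):
    """Names with many distinct low-TTL addresses, a common fast-flux / C2 sign."""
    per_name = {}
    for (q, qtype, ans), e in store.items():
        if qtype in ("A", "AAAA") and e["ttl"] <= max_ttl:
            per_name.setdefault(q, set()).add(ans)
    return {q: sorted(a) for q, a in per_name.items() if len(a) >= min_addresses}


if __name__ == "__main__":
    db = build_store(SAMPLE_PDNS)
    print("history of www.example.com:", history(db, "www.example.com"))
    print("names behind 192.0.2.10:", names_for_answer(db, "192.0.2.10"))
    print("fast-flux candidates:", fast_flux_candidates(db))
```

The reverse pivot is the query an analyst runs most during an incident: one IP from an alert, then every name that has ever resolved to it. Keeping the lowest observed TTL per triple lets the fast-flux check work even after a domain's TTL has been raised to blend in.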


DNSParse

DNSParse is a tool for analysing DNS traffic; it works on live network data as
well as DNS data saved in .pcap format. A .pcap file of DNS data is given to
dns_parse as input, and it outputs a detailed, easily parsable, human-readable
version of the same data, which makes it useful for network monitoring
(send the output to Kibana, Graylog or similar).

DNS Parse Output-

Command- # dns_parse -m "" -t -r fname(file name)

Command- # dns_parse -m "" -t -r -c fname(file name)
CaptureDNS
A simple tool to capture and show DNS queries. It prints the captured DNS data in a
human-readable format, which can be redirected to a file. It is used for real-time
analysis of DNS traffic on the network: it shows the domain name and its IP address,
which is useful in DNS monitoring.
CaptureDNS Output

Command- # target/release/capture-dns ens33(interface) [ for direct result ]

Command- # target/release/capture-dns ens33(interface) > fname(any filename)
DNSTop

Dnstop is a libpcap application (like tcpdump) that displays various tables of DNS traffic
on your network. Dnstop displays tables of:

⦁ Source IP addresses
⦁ Destination IP addresses
⦁ Query types
⦁ Response codes
⦁ Top level domains
⦁ Second level domains
⦁ Third level domains
DNSTop Output-
dnstop reads packets live from an interface or from a saved capture file; it cannot write
capture files itself. To analyse traffic offline, record it with tcpdump and then point
dnstop at the file.

Use it like this:

tcpdump -w dump.pcap -c 1000 port 53

then you can read that file like this (-l 3 reports names down to the third level):

dnstop -l 3 dump.pcap
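To show what dnstop actually computes, here is a reimplementation of its tables on raw DNS messages. This is an added example, not dnstop's code. It starts from the UDP payload rather than a pcap (the pcap and IP/UDP framing are left out, so the source and destination addresses are supplied alongside each message), builds the sample messages with its own helper, and parses the header and question section directly, including RFC 1035 name compression pointers so it also works on responses that compress the question name. The packets are constructed.

```python
"""dnstop-style tables (sources, destinations, query types, response codes,
TLD / 2nd / 3rd level domains) computed from raw DNS messages.
Added example, not dnstop's code; messages are constructed by build_message."""
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_message(name, qtype, response=False, rcode=0, msg_id=0x1234):
    """Minimal DNS message: 12-byte header + one question, no answer records."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0xF)   # QR, RD, RCODE
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Decode a name that may use compression pointers; returns (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # pointer: top two bits set (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2             # the field ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_message(msg):
    """Header fields plus the first question; enough for dnstop's tables."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": msg_id, "response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "qname": name.lower(), "qtype": qtype}


def dnstop_tables(packets):
    """packets: iterable of (src_ip, dst_ip, raw_dns_message).  Returns dnstop's tables."""
    tables = {k: Counter() for k in ("sources", "destinations", "qtypes", "rcodes", "tld", "sld", "3ld")}
    for src, dst, raw in packets:
        m = parse_message(raw)
        tables["sources"][src] += 1
        tables["destinations"][dst] += 1
        tables["qtypes"][QTYPES.get(m["qtype"], str(m["qtype"]))] += 1
        if m["response"]:                    # response codes only exist on responses
            tables["rcodes"][RCODES.get(m["rcode"], str(m["rcode"]))] += 1
        labels = m["qname"].split(".")
        for level, key in ((1, "tld"), (2, "sld"), (3, "3ld")):   # what dnstop -l 3 reports
            if len(labels) >= level:
                tables[key][".".join(labels[-level:])] += 1
    return tables


# Constructed sample: a normal lookup, an MX lookup and two NXDOMAIN answers to 10.0.0.9
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.2", build_message("www.example.com", 1)),
    ("10.0.0.2", "10.0.0.5", build_message("www.example.com", 1, response=True)),
    ("10.0.0.7", "10.0.0.2", build_message("mail.example.com", 15)),
    ("10.0.0.9", "10.0.0.2", build_message("k3j4h2.example.org", 1)),
    ("10.0.0.2", "10.0.0.9", build_message("k3j4h2.example.org", 1, response=True, rcode=3)),
    ("10.0.0.9", "10.0.0.2", build_message("x9q1zz.example.org", 1)),
    ("10.0.0.2", "10.0.0.9", build_message("x9q1zz.example.org", 1, response=True, rcode=3)),
]

if __name__ == "__main__":
    for table, counts in dnstop_tables(SAMPLE_PACKETS).items():
        print(table, counts.most_common(3))
```

Two details matter for forensics use: response codes are tallied only on messages with the QR bit set, otherwise every query would count as NOERROR, and names are lower-cased before grouping so that 0x20-randomised or mixed-case queries fall into the same second-level bucket.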
ELK Stack
ELK is the combination of Elasticsearch, Logstash and Kibana.

Elasticsearch- A search and analytics engine that stores documents in JSON; the Logstash
output is pointed at it.

Logstash- The server-side component that processes incoming logs and feeds them into Elasticsearch.

Kibana- The visualisation UI layer that lets analysts and developers explore and monitor the indexed logs.

Packetbeat- A real-time network packet analyser that decodes protocols, including DNS queries
and responses, and ships them to Elasticsearch to provide application monitoring and
performance analytics.

Filebeat- A lightweight shipper for forwarding and centralising log data. Installed
as an agent on your servers, Filebeat monitors the log files or locations that you specify,
collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
ELK Result Output-
Conclusion-

Each of these DNS forensics techniques advances the goal of quickly finding
and eliminating threats, with the best and fastest determinations possible,
using distinct ways of analysing DNS data.
Reference-
DNS history - https://securitytrails.com/blog/forensic-analysis-domain-dns-history
DNS tunnelling - https://github.com/iagox86/dnscat2
DNS amplification - https://github.com/rodarima/lsi/blob/master/p2/dnsdrdos.c
DNSParse - https://github.com/robertdavidgraham/dnsparse
CaptureDNS - https://github.com/lilydjwg/capture-dns
PassiveDNS - https://github.com/gamelinux/passivedns
DNSTop - https://github.com/verisign/dnstop/blob/master/dnstop.c
ELK stack - https://www.elastic.co/what-is/elk-stack


Thank you.
