DNS Forensic..final
Carried Out at
Centre for Development Of Advanced Computing,
C-DAC, Bangalore
Under the Supervision Of
Dr. Sanjay Adiwal
Presented By -
1.Aakash Hajare
2.Jayveer Waghmare
3.Mayank Bissa
4.Neel Ghosh
5.Suman Kumar
Contents-
Objective
DNS Forensics
Tools
DNS Attacks
Conclusion
Objective -
The objective is to use DNS traffic and DNS logs to analyze network health
and activity, detect an anomaly in the network, and defeat malicious activity.
We have explored various tools that can be used in DNS forensics.
DNS Forensics -
1.Passive DNS
2.DNS Parse
3.Capture DNS
4.DNSTOP
5.ELK Stack
DNS Attacks -
There are several attacks on DNS; we explored a few of them which can be detected by our proposed DNS forensic method:
1.DNS Tunneling
2.NXDomain Attacks
3.DNS Amplification
DNS Attacks -
DNS Tunneling
DNS tunneling exploits the DNS protocol to tunnel malware and other data through a
client-server model. The attacker registers a domain, such as www.example.com. The
domain's name server points to the attacker's server, where a tunneling malware
program is installed.
NXDomain Attack
In an NXDOMAIN attack, the attacker sends a flood of queries to a Domain Name System
(DNS) server to resolve a non-existent domain name. The DNS server tries to resolve the
domain but cannot find it. In the process, its cache gets filled up with NXDOMAIN results,
slowing response for legitimate requests.
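Both attack patterns described above leave traces in DNS logs. The following Python script is an added example (not part of the original slides and not code from any of the tools named here): it scans constructed, simplified passive-DNS-style log lines (the field layout and all values are assumptions made for this example) and flags clients that issue many long, high-entropy subdomain labels under one zone (a tunneling indicator) and clients that produce a burst of NXDOMAIN answers inside a time window (an NXDOMAIN flood indicator).

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic). Each line, simplified for the example:
#   <unix_ts> <client_ip> <qname> <qtype> <rcode>
SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.example.com A NOERROR",
    "1700000001 10.0.0.5 mail.example.com MX NOERROR",
    "1700000002 10.0.0.9 zlk3j9q2x8v7c1.cdn-sync.example.net TXT NOERROR",
    "1700000003 10.0.0.9 p0o9i8u7y6t5r4e3.cdn-sync.example.net TXT NOERROR",
    "1700000004 10.0.0.9 a1s2d3f4g5h6j7k8l9.cdn-sync.example.net TXT NOERROR",
    "1700000005 10.0.0.9 q2w3e4r5t6y7u8i9o0.cdn-sync.example.net TXT NOERROR",
    "1700000006 10.0.0.9 m9n8b7v6c5x4z3l2k1.cdn-sync.example.net TXT NOERROR",
    "1700000007 10.0.0.5 wwww.example.com A NXDOMAIN",   # a single typo: benign
]
# One client hammering a zone with names that do not exist (constructed NXDOMAIN burst).
SAMPLE_LOG += [
    f"{1700000010 + i} 10.0.0.7 rnd{i}.victim.example.org A NXDOMAIN"
    for i in range(25)
]


def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": int(ts), "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype, "rcode": rcode}


def shannon_entropy(s):
    """Bits per character; encoded payloads sit well above dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname):
    """Last two labels. Simplification for the example: a real tool should use the
    Public Suffix List so that e.g. 'example.co.uk' is not cut down to 'co.uk'."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def find_tunneling(records, min_queries=5, min_label_len=12, min_entropy=3.0):
    """Per (client, zone): collect distinct leftmost labels that are long and
    high-entropy, the shape that data smuggled through subdomains tends to have."""
    hits = defaultdict(set)
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[(r["client"], registered_domain(r["qname"]))].add(label)
    return sorted((client, zone, len(labels))
                  for (client, zone), labels in hits.items()
                  if len(labels) >= min_queries)


def find_nxdomain_floods(records, threshold=20, window=60):
    """Per client and per fixed time window: count NXDOMAIN answers. A burst of
    them from one source is the pattern of the NXDOMAIN attack described above."""
    buckets = defaultdict(int)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            buckets[(r["client"], r["ts"] // window * window)] += 1
    return sorted((client, start, n)
                  for (client, start), n in buckets.items() if n >= threshold)


RECORDS = [parse_line(l) for l in SAMPLE_LOG]

if __name__ == "__main__":
    for client, zone, n in find_tunneling(RECORDS):
        print(f"possible tunnel: {client} -> {zone} ({n} distinct encoded labels)")
    for client, start, n in find_nxdomain_floods(RECORDS):
        print(f"NXDOMAIN burst: {client} sent {n} failing queries from t={start}")
```

The thresholds are starting points to be tuned against a baseline of the monitored network: CDN, anti-virus and mail-reputation lookups also produce long, random-looking labels, so a hit should be confirmed by looking at query volume, record types (TXT and NULL are common carriers) and the zone's name servers, as the tunneling description above suggests.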
DNS Amplification
When problems arise, logs are an invaluable troubleshooting tool, since they
give a history of events for the operating system, applications and services. An
administrator has to examine log files as soon as problems appear.
We use the following tools for DNS log analysis:
DNSParse
CaptureDNS
PassiveDNS
DNSTop
ELK Stack
PassiveDNS
PassiveDNS is a tool for analysing DNS traffic: it works on DNS data from a live network
as well as on DNS data saved in .pcap file format. A .pcap file of DNS data is provided
as input to dnsparse, which outputs a detailed, easily parsable, human-
readable version of the same data. It is useful for network monitoring.
ex-
DNSTop
Dnstop is a libpcap application (like tcpdump) that displays various tables of DNS traffic
on your network. Dnstop displays tables of:
⦁ Source IP addresses
⦁ Destination IP addresses
⦁ Query types
⦁ Response codes
⦁ Top level domains
⦁ Second level domains
⦁ Third level domains
DNSTop Output-
You have to save a file with something like tcpdump, and then dnstop will read it. DNSTOP cannot save
files itself.
dnstop -l 3 dump.pcap
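To make concrete what dnstop's tables and its -l level option compute, here is an added Python example (not dnstop's own code, which works on packets from a pcap file rather than on text). It builds the same kind of per-source, per-query-type, per-response-code and per-domain-level counts from constructed log lines in a simplified "<ts> <client> <qname> <qtype> <rcode>" format chosen for this example.

```python
from collections import Counter

# Constructed sample lines (not real traffic), one query/answer per line:
#   <unix_ts> <client_ip> <qname> <qtype> <rcode>
SAMPLE_LOG = [
    "1700000000 10.0.0.5 www.example.com A NOERROR",
    "1700000001 10.0.0.5 mail.example.com MX NOERROR",
    "1700000002 10.0.0.5 www.example.com AAAA NOERROR",
    "1700000003 10.0.0.9 ns1.example.net A NOERROR",
    "1700000004 10.0.0.9 api.v2.example.net A NXDOMAIN",
    "1700000005 10.0.0.7 www.example.co.uk A NOERROR",
]


def domain_at_level(qname, level):
    """Keep only the rightmost `level` labels, which is what dnstop's -l option
    does: level 1 = top level domain, 2 = second level, 3 = third level."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-level:])


def dnstop_tables(lines, level=3):
    """Build the source, query-type, response-code and domain-level tables."""
    tables = {"sources": Counter(), "qtypes": Counter(), "rcodes": Counter()}
    for lvl in range(1, level + 1):
        tables[f"level{lvl}"] = Counter()
    for line in lines:
        ts, client, qname, qtype, rcode = line.split()
        tables["sources"][client] += 1
        tables["qtypes"][qtype] += 1
        tables["rcodes"][rcode] += 1
        for lvl in range(1, level + 1):
            tables[f"level{lvl}"][domain_at_level(qname, lvl)] += 1
    return tables


def render(title, counter, top=10):
    """Text layout in the spirit of dnstop's screen: name, count, percent."""
    total = sum(counter.values()) or 1
    rows = [f"{title:<36}{'Count':>8}{'%':>8}"]
    for name, n in counter.most_common(top):
        rows.append(f"{name:<36}{n:>8}{100 * n / total:>8.1f}")
    return "\n".join(rows)


if __name__ == "__main__":
    t = dnstop_tables(SAMPLE_LOG, level=3)
    for title, key in [("Sources", "sources"), ("Query types", "qtypes"),
                       ("Response codes", "rcodes"), ("Top level domains", "level1"),
                       ("Second level domains", "level2"), ("Third level domains", "level3")]:
        print(render(title, t[key]))
        print()
```

Two things the sample makes visible: "api.v2.example.net" is reported at level 3 as "v2.example.net", so a deeper level is needed to see individual hosts, and "co.uk" appears as a second level domain because the cut is by label count, not by registrable domain; read the level-2 table with that in mind.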
ELK Stack
ELK is a combination of Elasticsearch, Logstash and Kibana.
Elasticsearch - It is a database that stores documents in JSON format; the Logstash
output is set up to write into it.
Logstash - It is the server component designed to process incoming logs and feed them into Elasticsearch.
Kibana - Kibana is a visualization UI layer which helps developers monitor application logs.
Packetbeat- Packetbeat is a real-time network packet analyzer that you can use with
Elasticsearch to provide an application monitoring and performance analytics system.
Filebeat - Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed
as an agent on your servers, Filebeat monitors the log files or locations that you specify,
collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
ELK Result Output-
Conclusion-
DNSparse - https://github.com/robertdavidgraham/dnsparse
CaptureDNS - https://github.com/lilydjwg/capture-dns
PassiveDNS - https://github.com/gamelinux/passivedns
DNSTop - https://github.com/verisign/dnstop/blob/master/dnstop.c