G R A N T S T A V E L Y G R A N T S T A V E L Y G R A N T S T A V E L Y G R A N T S T A V E L Y

Domain Name System (DNS) traffic is inherently timely. Responses from DNS servers are expected to change from one minute to the next. So many important application layer protocols leverage DNS, and it is so pervasively necessary for even basic Internet access, and it is such a simple behavior indicator, that it only makes sense to log the crap out of it. In minutiae.

Yet, it seems like DNS logging is still one of those everyone-rolls-their-own efforts. And fewer still log DNS from a sniffing sensor, instead trusting their DNS servers. I hate rolling my own, and I don't trust DNS servers.

I've borrowed a healthy dozen or more security monitoring ideas from Sean Wilkerson, so while he was still on stage after a talk at DojoSec, I re-raised my DNS Logging plight. I'd hoped he knew of a tool, or could use the microphone, video stream, and audience to ask that someone create one. Actually, I didn't hope, I specifically said “And hey, if anyone is listening, this needs to exist. If you can create, you are obligated.” or something along those lines.

I wasn't looking for an analysis tool, or a log parser, or an IDS signature. I just wanted the equivalent of the many snarf programs in Dug Song's dsniff package. It had to be lightweight, reliably parse all application traffic of the DNS protocol, and simply log it. Dsniff already does that for HTTP, NFS, SMTP, IRC, and many instant messenger protocols, and it can spoof DNS, but has nothing for passive DNS monitoring.

It worked! Sort of.

Christopher McBee was in the audience, and he knew that Python and Scapy would probably be capable. In twenty minutes, he had a working DNS logger. Awesome.

It didn't log minutiae, but that wasn't Scapy's fault. It didn't log TCP, and that is still Scapy's fault.

Spurred by Christopher's work, I dove into Python and finished it to my original spec, mostly.

  1. > dnssnarf --help
  2. usage: dnssnarf [options]
  3.  
  4. Log DNS messages with Python and Scapy
  5.  
  6. options:
  7.   --version             show program's version number and exit
  8.   -h, --help            show this help message and exit
  9.   -s, --syslog          write to syslog
  10.   -f FACILITY, --facility=FACILITY
  11.                         Syslog facility. Defaults: 'user')
  12.   -p PRIORITY, --priority=PRIORITY
  13.                         Syslog priority. Defaults: 'info'
  14.   -i INTERFACE, --interface=INTERFACE
  15.                         listen on INTERFACE
  16.   -q, --quiet           quiet output
  17.   -b BPF, --bpf=BPF     BPF to apply to scapy sniffer. Default: 'port 53 and
  18.                         udp'
  19.   -n, --named           named query log format
  20.   -d, --debug           Print additional debugging information

It doesn't understand TCP DNS, because Scapy doesn't, and I am not smart enough to fix that.

Output looks like this by default:

  1. Fri Dec  4 06:24:56 2009 UDP session: 44167 client: 192.168.1.1:59634 server: 69.63.185.11:53 query: login.facebook.com. class: IN type: A recurse: no
  2. Fri Dec  4 06:24:56 2009 UDP session: 44167 client: 69.63.185.11:53 server: 192.168.1.1:59634 query: login.facebook.com. class: IN type: A recurse: no
  3. Fri Dec  4 06:24:56 2009 UDP session: 44167 server: 69.63.185.11:53 client: 192.168.1.1:59634 response: 69.63.181.22 ok type: A ttl: 30L len: 4

So then I'm validating it against tcpdump. tcpdump already does what I want. And it isn't Python. It's fast. Silly us.

Here's tcpdump with me running 'host grantstavely.com' in another window.

  1. grantstavely:~ grant$ sudo tcpdump -i en1 -nn -tttt port 53
  2. tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  3. listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes
  4. 2009-12-04 06:32:32.368184 IP 192.168.1.25.61686 > 192.168.1.4.53: 50950+ A? grantstavely.com. (34)
  5. 2009-12-04 06:32:32.373623 IP 192.168.1.4.53 > 192.168.1.25.61686: 50950 1/0/0 A 75.101.142.201 (50)
  6. 2009-12-04 06:32:32.374358 IP 192.168.1.25.64909 > 192.168.1.4.53: 44029+ AAAA? grantstavely.com. (34)
  7. 2009-12-04 06:32:32.376867 IP 192.168.1.4.53 > 192.168.1.25.64909: 44029 0/0/0 (34)
  8. 2009-12-04 06:32:32.377112 IP 192.168.1.25.57526 > 192.168.1.4.53: 55171+ MX? grantstavely.com. (34)
  9. 2009-12-04 06:32:32.394888 IP 192.168.1.4.53 > 192.168.1.25.57526: 55171 8/0/0 MX smtp7.grantstavely.com. 10, MX smtp4.grantstavely.com. 10, MX smtp6.grantstavely.com. 10, MX smtp.grantstavely.com. 0, MX smtp8.grantstavely.com. 10, MX smtp2.grantstavely.com. 5, MX smtp3.grantstavely.com. 5, MX smtp5.grantstavely.com. 10 (209)

Under my nose!

Actually, tcpdump isn't showing us transaction ID numbers, TTLs, or LENs, which is a bummer. So dnssnarf still has it's uses after all.

Textile Help

@philip_daigle congratulations Philip!

Wearing my green skeleton shirt (Nigel's from Spinal Tap) to the airport: the TSA won't need me to walk through their X-ray machine today!

@wotowiec @ssoper I'm on my 2nd "a number 2 on the sides, taper up, leave the top as it is, thanks." I think I'm acting out. It's a phase.

@vurtyou: You're hair is very Flock Of Seagulls today. @grantstavely: Thanks, I like it too.

@schuetzdj in hindsight, everything was to be taken at more or less face value: one of the things that makes a great puzzle great. =] #DBIR

RT @therealKidKoala: free download available for the next 6 days. The Lost Solid Steel mix. it's sorta like Music to Draw to... enjoy: ...

@christopherkunz nice work! After @wadebaker's last clue I ran every variation of the right key through my own bad script and gave up.

@marcusjcarey thanks, I'm very much enjoying the Bay Area. The return of @dojosec/@dojocon streams is great news, I look forward to 'em.

I should use Entourage's auto-capitalization of the first word after e.g. to break myself of using latinate abbreviations. Instead: rage.

@kathybarnett way to go Kath!

Yes, yes, of course, but what is the zeroth law of the Road Runner and Wile E. Coyote? http://goo.gl/i2Jz

"They're talkin' about, weak induction. It's a motherfucker, don't you know?" —Sun Ra http://j.mp/cn5Gc2 (Link via @rands)

printf "# Or just go listen to a funky 60 minute DJ Food mix made for robots.\nUser-agent: *\nSuggest: http://snd.sc/aOT9a4 " >> robots.txt

@alexhutton I cut out the cover's circles on a full print out of the #DBIR with a razor and tried the grille-cipher approach. #nbioahd

The body language of appearing to be lost or have forgotten something is as effective as mind control. So is its inverse.

RT @electricfork: What keeps me up at night? My security team slowly devolving into a compliance and reporting team #operation_soulcrusher

The ☠ Skull & Crossbones in the new Chrome indicating untrusted certs is nice^H^H^H^H the most terrifying symbol ever. http://goo.gl/fQz1

I'm brewing an American IPA with @vurtyou. I need a fridge to keg this in! http://flic.kr/p/8sCgnr

I'm brewing an American IPA with @vurtyou. I need a fridge to keg this in!

Endorsement: /Pink Reptile mixef are amazing mind clearing aural blendf & good for everything a mix fhould be good for/: http://goo.gl/Y1L1