How to Improve Network Traffic Analysis and Management by Watching DNS

Although domain names, not IP addresses, are what we use almost everywhere, tools for monitoring and controlling network traffic usually operate on IP addresses. Name resolution in general (and DNS in particular) is involved only loosely, if at all.

This is due to some properties of DNS: the result of resolving a name to an address can quickly go stale, the next query can return a different address, and the results may differ depending on the geography and provider of the requester.

Is it possible, for a small network, to keep an up-to-date table of which names map to which addresses: which domains users requested, and which IP addresses they received? With some reservations, yes.

Network administrators typically use controlled DNS servers for this. It is assumed that all network users resolve names only on these servers, and the rest of the DNS traffic is blocked. This is a good solution, but it only works up to a certain network size and user skill level.

A friendly company asked us to make its netflow reports more informative. Instead of seeing rDNS and whois for an IP address, they wanted to see which domain name had actually resolved to that address.

Inside the organization there were several Microsoft and BIND DNS servers, some users had local caching DNS servers, and some used public Google servers. Even forcing all users to resolve names on our server seemed almost impossible. Most likely we would get the opposite result: some users would start tunneling DNS through a VPN, use DNSCrypt, and so on.

After a little thought, we decided to go the simpler way. What if we capture DNS responses at the traffic exit points? Firstly, the solution is then not tied to specific DNS servers, and secondly, there is no need to change the existing network configuration and annoy users.

After an unsuccessful search for ready-made utilities, I (as the initiator) took courage, picked up the RFC and sketched a small program: https://github.com/vmxdev/sidmat/ .

The program scans the DNS answers from the servers (this is enough, since each answer carries the original question), and if the domain name matches a regular expression, it prints the address from the A record (what the name actually resolved to).
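As an added illustration of that parsing step (example code, not sidmat's own), the Python below decodes a single DNS response, follows RFC 1035 name-compression pointers, and returns the A-record addresses when the queried name matches a regular expression. The packet bytes are a constructed sample for www.example.com; the regex form mirrors the ones used later on this page.

```python
import re
import struct
def read_name(pkt, off):
    """Decode a DNS name at off, following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:             # 2-byte pointer back into the packet
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:                     # guard against malicious pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(pkt):
    """Return (question name, [IPv4 strings from A records]), or None for a query."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000 or qdcount != 1:    # QR bit clear: a query, not an answer
        return None
    qname, off = read_name(pkt, 12)
    off += 4                                  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rdlen == 4:         # A record: 4-byte IPv4 address
            addrs.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen                          # CNAME, AAAA etc. are skipped
    return qname, addrs

def matching_addresses(pkt, pattern):
    """Addresses from the answer when the queried name matches the regex, else []."""
    parsed = parse_response(pkt)
    if parsed is None or not re.search(pattern, parsed[0]):
        return []
    return parsed[1]

# Constructed sample: answer for www.example.com, two A records, owners via 0xC00C pointer
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
          b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x0a\x00\x00\x01")
```

Feeding `matching_addresses(SAMPLE, r"^example\.com$|\.example\.com$")` the sample yields both addresses, which is the per-packet step a capture loop over pcap or nflog would repeat.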

Using this utility, you can collect almost all the statistics: which domain name was resolved to which IP address, and when it happened. A skilled user can, of course, hide this information (by adding an entry to the hosts file, or by using another channel for DNS queries, for example), but for the bulk of the hosts we get a satisfactory picture.

How it works:

$ sudo ./sidmat eth0 "." iu

We see the domain names and what they resolve to (eth0 is the interface through which the DNS traffic passes).

$ sudo ./sidmat eth0 "." iu | while IFS= read -r line; do printf '%s\t%s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"; done

This adds a timestamp. It remains to redirect the result to a file, and the correspondence table is ready for use. The utility can capture DNS answers using pcap (on Linux / BSD) or using the nflog mechanism on Linux.

The same technique can be used to control traffic: filter by domain, obtain the addresses of domains with certain keywords in their names, and so on.

Bear in mind that such control may not be entirely accurate. If, in the time between the DNS answer reaching the user and the user starting to send traffic to that host, we do not manage to add the address to an ipset / iptables / routing table / elsewhere, the traffic will go the “usual” way.

In addition, a skilled user can generate fake DNS answers, so for blocking purposes this should be used with caution.

A few examples:

How can I get a list of the IP addresses that vk.com and its subdomains resolve to? (Without the 'u' option, only unique IP addresses are printed.)

$ sudo ./sidmat eth0 "^vk.com$|\.vk.com$" d

With the options “d” or “i” you can see which domain resolved to an IP address; “d” prints the domain name to stderr.

How to block the addresses that vk.com, its subdomains, and all domains containing the word odnoklassniki resolve to? (Domains like avk.com will not match the rule; odnoklassnikii.com will.)

$ sudo sh -c '/sidmat eth0 "^vk\.com$|\.vk\.com$|odnoklassniki" | /usr/bin/xargs -I {} /sbin/iptables -A INPUT -s {} -j DROP'

In addition to short regular expressions, you can use lists from a file (option “f”: the second argument is interpreted as a file name, and its contents as one large regular expression). The lists can be quite large; we looked at performance on the ILN domain list (traffic to forbidden domains was redirected to a VPN), and an ordinary PC router handled it without trouble.