dnssnarf

5 Dec 2009 ,

Domain Name System (DNS) traffic is inherently timely. Responses from DNS servers are expected to change from one minute to the next. So many important application layer protocols leverage DNS, and it is so pervasively necessary for even basic Internet access, and it is such a simple behavior indicator, that it only makes sense to log the crap out of it. In minutiae.

Yet, it seems like DNS logging is still one of those everyone-rolls-their-own efforts. And fewer still log DNS from a sniffing sensor, instead trusting their DNS servers. I hate rolling my own, and I don’t trust DNS servers.

I’ve borrowed a healthy dozen or more security monitoring ideas from Sean Wilkerson, so while he was still on stage after a talk at DojoSec, I re-raised my DNS Logging plight. I’d hoped he knew of a tool, or could use the microphone, video stream, and audience to ask that someone create one. Actually, I didn’t hope, I specifically said “And hey, if anyone is listening, this needs to exist. If you can create, you are obligated.” or something along those lines.

I wasn’t looking for an analysis tool, or a log parser, or an IDS signature. I just wanted the equivalent of the many snarf programs in Dug Song’s dsniff package. It had to be lightweight, reliably parse all application traffic of the DNS protocol, and simply log it. Dsniff already does that for HTTP, NFS, SMTP, IRC, and many instant messenger protocols, and it can spoof DNS, but has nothing for passive DNS monitoring.

It worked! Sort of.

Christopher McBee was in the audience, and he knew that Python and Scapy would probably be capable. In twenty minutes, he had a working DNS logger. Awesome.

It didn’t log minutiae, but that wasn’t Scapy’s fault. It didn’t log TCP, and that is still Scapy’s fault.

Spurred by Christopher’s work, I dove into Python and finished it to my original spec, mostly.

> dnssnarf --help
usage:
  dnssnarf [options]

Log DNS messages with Python and Scapy

options:
  --version show program version number and exit
  -h, --help show this help message and exit
  -s, --syslog write to syslog
  -f FACILITY, --facility=FACILITY Syslog facility. Defaults: 'user'
  -p PRIORITY, --priority=PRIORITY Syslog priority. Defaults: 'info'
  -i INTERFACE, --interface=INTERFACE listen on INTERFACE
  -q, --quiet quiet output
  -b BPF, --bpf=BPF BPF to apply to scapy sniffer. Default: 'port 53 and udp'
  -n, --named named query log format
  -d, --debug Print additional debugging information

It doesn’t understand TCP DNS, because Scapy doesn’t, and I am not smart enough to fix that.

Output looks like this by default:

Fri Dec 4 06:24:56 2009 UDP session: 44167 client: 192.168.1.1:59634 server: 69.63.185.11:53 query: login.facebook.com. class: IN type: A recurse: no
Fri Dec 4 06:24:56 2009 UDP session: 44167 client: 69.63.185.11:53 server: 192.168.1.1:59634 query: login.facebook.com. class: IN type: A recurse: no
Fri Dec 4 06:24:56 2009 UDP session: 44167 server: 69.63.185.11:53 client: 192.168.1.1:59634 response: 69.63.181.22 ok type: A ttl: 30L len: 4

So then I’m validating it against tcpdump. tcpdump already does what I want. And it isn’t Python. It’s fast. Silly us.

Here’s tcpdump with me running ‘host grantstavely.com’ in another window.

grantstavely:~ grant$ sudo tcpdump -i en1 -nn -tttt port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 65535 bytes 2009-12-04 06:32:32.368184 IP 192.168.1.25.61686 > 192.168.1.4.53: 50950+ A? grantstavely.com. (34)
2009-12-04 06:32:32.373623 IP 192.168.1.4.53 > 192.168.1.25.61686: 50950 1/0/0 A 75.101.142.201 (50)
2009-12-04 06:32:32.374358 IP 192.168.1.25.64909 > 192.168.1.4.53: 44029+ AAAA? grantstavely.com. (34) 2009-12-04 06:32:32.376867 IP 192.168.1.4.53 > 192.168.1.25.64909: 44029 0/0/0 (34)
2009-12-04 06:32:32.377112 IP 192.168.1.25.57526 > 192.168.1.4.53: 55171+ MX? grantstavely.com. (34)
2009-12-04 06:32:32.394888 IP 192.168.1.4.53 > 192.168.1.25.57526: 55171 8/0/0 MX smtp7.grantstavely.com. 10, MX smtp4.grantstavely.com. 10, MX smtp6.grantstavely.com. 10, MX smtp.grantstavely.com. 0, MX smtp8.grantstavely.com. 10, MX smtp2.grantstavely.com. 5, MX smtp3.grantstavely.com. 5, MX smtp5.grantstavely.com. 10 (209)

Under my nose!

Actually, tcpdump isn’t showing us ~transaction ID numbers~, TTLs, or LENs, which is a bummer. So dnssnarf still has it’s uses after all.