dnstap whoami
play

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, - PowerPoint PPT Presentation

Jan 27, 2023 •15 likes •265 views

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers that return custom responses Diagnostics Experimentation Result passed through to the original client Examples: DNS whoami

  1. dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

  2. Intro  DNS nameservers that return custom responses – Diagnostics – Experimentation  Result passed through to the original client  Examples: – DNS “whoami” – OARC port and reply size tests dnstap-whoami Slide 2 of 25

  3. DNS “whoami”  Query for type A  Get resolver IPv4 address in record data dnstap-whoami Slide 3 of 25

  4. $ dig +short @8.8.8.8 whoami.akamai.net 74.125.177.51 dnstap-whoami Slide 4 of 25

  5. Anycasted service address $ dig +short @8.8.8.8 whoami.akamai.net 74.125.177.51 dnstap-whoami Slide 5 of 25

  6. Unicast resolver address $ dig +short @8.8.8.8 whoami.akamai.net 74.125.177.51 dnstap-whoami Slide 6 of 25

  7. OARC port and reply size tests  Client sends query to resolver  Nameserver forces resolver to perform multiple queries  Get information about source port randomization, EDNS buffer size dnstap-whoami Slide 7 of 25

  8. $ dig +short porttest.dns-oarc.net TXT porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i .h.g.f.e.d.c.b.a.pt.dns-oarc.net. "70.89.251.89 is GREAT: 75 queries in 2.1 seconds from 75 ports with std dev 17022" dnstap-whoami Slide 8 of 25

  9. $ dig +short rs.dns-oarc.net TXT rst.x4050.rs.dns-oarc.net. rst.x4058.x4050.rs.dns-oarc.net. rst.x4064.x4058.x4050.rs.dns-oarc.net. "70.89.251.89 DNS reply size limit is at least 4064" "70.89.251.89 sent EDNS buffer size 4096" "Tested at 2015-09-23 18:26:16 UTC" dnstap-whoami Slide 9 of 25

  10. dnstap-whoami  Encode the resolver's wire query (plus metadata) into the response RR  Makes resolver information visible to client, e.g.: – IPv4/IPv6 query source address – TCP/UDP query source port – EDNS buffer size – EDNS0 options (client-subnet, cookies, etc.) – 0x20 dnstap-whoami Slide 10 of 25

  11. dnstap-whoami  Uses dnstap protobuf schema for encoding ✔ Compact, extensible ✘ Not human readable, requires decoder tool dnstap-whoami Slide 11 of 25

  12. dnstap-whoami  Query whoami.dnstap.info type NULL for IPv4 $ dig +short whoami.dnstap.info NULL  Query whoami6.dnstap.info type NULL for IPv6 $ dig +short whoami6.dnstap.info NULL dnstap-whoami Slide 12 of 25

  13. $ dig +short @8.8.8.8 whoami.dnstap.info NULL \# 89 72550801100122044A7D2A37309FFD03408BEE8BB0054D096A312F52 3A1555001000010000000000010677686F616D6906646E7374617004 696E666F00000A0001000029100000008000000B0008000700011800 4659FB7801 dnstap-whoami Slide 13 of 25

  14. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ cut -f3- -d' ' | xxd -r -p | hd 00000000 72 55 08 01 10 01 22 04 4a 7d 2a 37 30 9f fd 03 |rU....".J}*70...| 00000010 40 8b ee 8b b0 05 4d 09 6a 31 2f 52 3a 15 55 00 |@.....M.j1/R:.U.| 00000020 10 00 01 00 00 00 00 00 01 06 77 68 6f 61 6d 69 |..........whoami| 00000030 06 64 6e 73 74 61 70 04 69 6e 66 6f 00 00 0a 00 |.dnstap.info....| 00000040 01 00 00 29 10 00 00 00 80 00 00 0b 00 08 00 07 |...)............| 00000050 00 01 18 00 46 59 fb 78 01 |....FY.x.| 00000059 dnstap-whoami Slide 14 of 25

  15. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ cut -f3- -d' ' | xxd -r -p | \ protoc --decode=dnstap.Dnstap ./dnstap.proto message { type: AUTH_QUERY socket_family: INET query_address: "J}*7" query_port: 65183 query_time_sec: 1443034891 query_time_nsec: 791767561 query_message: "\025U\000\020\000\001\000\000\000\000\000\001\00 6whoami\006dnstap\004info\000\000\n\000\001\000\0 00)\020\000\000\000\200\000\000\013\000\010\000\0 07\000\001\030\000FY\373" } type: MESSAGE dnstap-whoami Slide 15 of 25

  16. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ cut -f3- -d' ' | xxd -r -p | \ protoc --decode=dnstap.Dnstap ./dnstap.proto message { type: AUTH_QUERY socket_family: INET query_address: "J}*7" query_port: 65183 query_time_sec: 1443034891 query_time_nsec: 791767561 query_message: "\025U\000\020\000\001\000\000\000\000\000\001\00 6whoami\006dnstap\004info\000\000\n\000\001\000\0 00)\020\000\000\000\200\000\000\013\000\010\000\0 07\000\001\030\000FY\373" } type: MESSAGE dnstap-whoami Slide 16 of 25

  17. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 17 of 25

  18. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 18 of 25

  19. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 19 of 25

  20. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 20 of 25

  21. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 21 of 25

  22. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 22 of 25

  23. Source code  Reference decoding tool – https://github.com/dnstap/dnstap-ldns  Custom nameserver – https://github.com/dnstap/dnstap-evldns  Protobuf schema – https://github.com/dnstap/dnstap.pb dnstap-whoami Slide 23 of 25

  24. Special thanks  Ray Bellis, for his “evldns” DNS server framework – https://github.com/raybellis/evldns dnstap-whoami Slide 24 of 25

  25. Thanks! dnstap-whoami Slide 25 of 25

Recommend

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories dnstap Slide 2 of

336 views • 18 slides
dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

Passive DNS Collection and Analysis The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC Importance of Measuring DNS High volume low latency datagram protocol sie-xyzzy1 547,128,709,757 bytes,

323 views • 17 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits &amp; More Info Design &amp; Implementation: Robert Edmonds &lt;edmonds@fsi.io&gt; Website:

786 views • 40 slides
Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami

Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami

Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami -O RLY? Developer -&gt; Architect -&gt; CTO What is a Platform? Mise en place for developers In slightly more technical terms

622 views • 39 slides
basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami

basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami

Killing pigs and saving Danish bacon GOTO Zurich Zurich, Switzerland 11th April 2013 basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami Name: Matthew Revell Title:

1.55k views • 111 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)

659 views • 28 slides
HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software

HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software

HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software engineer @ Red Hat Working on OpenStack Nova since 2012 Nova core developer since 2013 THIS TALK THIS TALK OpenStack - the elastic cloud High-perf

455 views • 34 slides
Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend

Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend

Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend Developer en twitter @carlosmart626 github carlosmart626 https://carlosmart.co $whoami Colombia @carlosmart626 $whoami @carlosmart626 5

945 views • 65 slides
Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $

Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $

Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $ whoami Software Engineer Researcher: machine learning, computer vision Teacher: web technologies, computing literacy Geek: deck.js slides,

626 views • 58 slides
Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer @Paybase Twitter: @AnaMariaCalin 3 01 whoami 02 About Paybase 03 Things weve achieved so far 04 Our tech stack Table of Contents 05

970 views • 37 slides
Steroids [root@tools ~]# whoami Martin (purehate) Bos Core Developer for Backtrack Linux

Steroids [root@tools ~]# whoami Martin (purehate) Bos Core Developer for Backtrack Linux

Password Cracking on Steroids [root@tools ~]# whoami Martin (purehate) Bos Core Developer for Backtrack Linux Owner of Computer Rehab Co-Founder Question-Defense Security Enthusiast [root@tools ~]# whoami Alex (dakykilla) Kah

392 views • 37 slides
Deep Dive on the React Lifecycle @jcreamer898 http:/ /bit.ly/react-lifecycle 1 whoami

Deep Dive on the React Lifecycle @jcreamer898 http:/ /bit.ly/react-lifecycle 1 whoami

Deep Dive on the React Lifecycle @jcreamer898 http:/ /bit.ly/react-lifecycle 1 whoami Jonathan Creamer @jcreamer898 http:/ /bit.ly/react-lifecycle 2 whoami Currently Senior Front End Engineer at Lonely Planet Past JavaScript

1.01k views • 77 slides
Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry

Web Technologies in Java EE JAX-RS 2.0, JSON-P, WebSocket, JSF 2.2 $ whoami Luk Fry Software Engineer, JBoss, Red Hat AeroGear, (Arquillian, RichFaces) Interests HTML5, Web Components, AngularJS Living and

1.17k views • 83 slides
whoami BSEE, digital communica0ons Many years as a

whoami BSEE, digital communica0ons Many years as a

Beyond the Applica0on Cellular Privacy Regula0on Chris0e Dudley @longobord cdudley@scu.edu whoami BSEE, digital communica0ons Many years as a

602 views • 28 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Architecture of an NLP Deployment whoami 2 @texasmichelle Agenda 1 2 3 4 5 Evolution

Architecture of an NLP Deployment whoami 2 @texasmichelle Agenda 1 2 3 4 5 Evolution

Michelle Casbon QCon So Paulo May 9, 2018 Architecture of an NLP Deployment whoami 2 @texasmichelle Agenda 1 2 3 4 5 Evolution of NLP Components Guiding principles Implementations Future architectures 3 @texasmichelle

641 views • 39 slides
mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this?

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this?

mimikatz 2.0 Benjamin DELPY ` gentilkiwi ` Our little story `whoami`, why am I doing this? mimikatz 2.0 &amp; sekurlsa Focus on Windows 8.1 et 2012r2 Kerberos &amp; strong authentication Questions / Answers And of course, some demos during

970 views • 30 slides
How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @

How NOT to code your ransomware Liviu Itoaf About Me $ whoami Security Researcher @ Kaspersky Hands-on work: coding, reverse engineering, vulnerability research Malware analysis trainings T ags: GTD (Getting Things

392 views • 24 slides
ATT&amp;CK the Attacker Assessing &amp; Improving Detection Capabilities # whoami Christian

ATT&amp;CK the Attacker Assessing &amp; Improving Detection Capabilities # whoami Christian

ATT&amp;CK the Attacker Assessing &amp; Improving Detection Capabilities # whoami Christian Kollee Studied Computer Science at University of Erlangen- Nueremberg (Diplom-Informatik) Several years at various universities and at

551 views • 19 slides
Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years

Why Antivirus Software whoami IT-Security Consultant Doing pentesting since two years This talk is based on private research Before that experience as windows/linux/network admin, a little as web developer and so on...

1.06k views • 49 slides

More recommend