Name          Date         Size     #Lines  LOC
..            03-May-2022
doc/          03-May-2022           614     491
etc/          25-Mar-2021           323     241
src/          25-Mar-2021           4,256   3,433
tools/        03-May-2022           734     432
www/          25-Mar-2021           178     137
.gitignore    25-Mar-2021  296      29      25
Makefile.am   25-Mar-2021  42       4       2
README        25-Mar-2021  4.6 KiB  91      72
bootstrap     25-Mar-2021  290      20      9
configure.ac  25-Mar-2021  8 KiB    294     229
pdns.patch    25-Mar-2021  1.4 KiB  58      47

README

#
#  ______                                           ____   __  __  _____
# |  __  |                         @               |    \ |  \ | ||  ___| (TM)
# | _____|.------. .-----. .-----. _ -. .-.------. | |\  ||   \| ||___  |
# |  |    |  __  ||__  --'|__  --'| |\ Y /| _--__|_| |/  ||      || \_| |
# |__|    |____|_||______||______||_| \_/ |_______/|____/ |__|\__||_____|
#
#

A tool to collect DNS records passively to aid Incident handling, Network
Security Monitoring (NSM) and general digital forensics.

PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs
the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate
DNS answers in-memory, limiting the amount of data in the logfile without
losing the essence of the DNS answer.

Example output from version 1.0.0->Current in the log file (/var/log/passivedns.log):

#timestamp||dns-client ||dns-server||RR class||Query||Query Type||Answer||TTL||Count
1322849924.408856||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.117||46587||5
1322849924.408857||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.116||420509||5
1322849924.408858||10.1.1.1||8.8.8.8||IN||www.adobe.com.||CNAME||www.wip4.adobe.com.||43200||8
1322849924.408859||10.1.1.1||8.8.8.8||IN||www.adobe.com.||A||193.104.215.61||43200||8
1322849924.408860||10.1.1.1||8.8.8.8||IN||i1.ytimg.com.||CNAME||ytimg.l.google.com.||43200||3
1322849924.408861||10.1.1.1||8.8.8.8||IN||clients1.google.com.||A||173.194.32.3||43200||2

PassiveDNS works on IPv4 and IPv6 traffic and parses DNS traffic over TCP and UDP.

** How can PassiveDNS be used: **

Typical usages:

1) Search for domain or IP history when working on an incident.
   Example:
   Company has malware talking to bad.twittertoday.com.
   At the current time, the domain is resolving to, say, 202.29.94.200.
   You search your Flowdata, find the clients talking to that IP and
   remediate. You look at the Flowdata, discover the date and time the
   clients first talked to that IP, and conclude that that was the time
   of infection...

   But using PassiveDNS data, querying the domain, you get the following history:

 FirstSeen  | LastSeen   | TYPE | TTL |        Query         |   Answer
----------------------------------------------------------------------------
 2011-12-01 | 2011-12-11 |    A |  60 | bad.twittertoday.com |  71.51.115.11
 2011-12-11 | 2011-12-18 |    A |  60 | bad.twittertoday.com |     127.0.0.1
 2011-12-18 | 2012-01-14 |    A |  60 | bad.twittertoday.com | 202.29.94.200

   Going back and searching for 71.51.115.11 in your Flowdata, you find
   traffic back to the FirstSeen date, and you also see more clients that
   were initially infected (so you did not manage to remediate/check out all
   your clients in the first run by just looking at IP 202.29.94.200). Doing
   forensics on the clients you missed in the first run reveals that they
   have downloaded a different malware and deleted the initial one, that
   being the reason you did not see flows from them to 202.29.94.200.
   The new malware gives you new domains and IPs to go look for...

2) Say you have an indication of malicious C&C traffic going to an IP on
   port 80. The domain used by the alleged malware is supposed to be
   cc.twittertoday.com. Searching your Flowdata reveals lots of clients
   talking to that IP, and you might think that the whole company is p0wned.
   A quick search in your PassiveDNS DB shows you that the IP in question is
   also hosting 300+ websites, and you might even spot a website hosted on
   that IP that you are familiar with and that you know lots of people in the
   company would legitimately visit daily.
   Searching your PassiveDNS DB gives you no hits for the domain in question,
   hopefully meaning that you don't have that malware talking to that domain
   in your network.

3) You know that domains under *.twittertoday.com are often used in malware
   and the subdomains change randomly. Many have rules for such domains in
   their IDS/IPS, sucking up unnecessary juice from the systems. Having a
   script pre-loaded with a list of regexps of domains and subdomains to watch
   for, and giving you an alert when they hit, will give you much better
   detection of domain-based threats.

   You can also do a whois for all new top domains seen, correlate the whois
   info with a list of known bad info, such as the name of the person or
   company that has registered the domain, telephone/fax numbers, address
   and so on, ending up with a score that might be high enough for triggering
   an alert to you :)


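As an added example (not code from PassiveDNS itself), the following Python consumer ties the three pieces of this README together: it parses the '||'-separated passivedns.log format shown above, builds the FirstSeen/LastSeen history from scenario 1 (by domain, or by answer IP as in scenario 2), and applies a regexp watchlist as in scenario 3. SAMPLE_LOG, WATCHLIST and all function names are constructed for this example; the log lines follow the documented field order but are not real data.

```python
# Added example (not part of PassiveDNS): a small consumer for passivedns.log.
# Parses the '||'-separated record format, aggregates first/last seen per
# (query, type, answer), and matches queries against a regexp watchlist.
# SAMPLE_LOG and WATCHLIST are constructed for this example.
import re
from datetime import datetime, timezone
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Record(NamedTuple):
    timestamp: float   # epoch seconds with microseconds, as in the log
    client: str
    server: str
    rrclass: str
    query: str
    qtype: str
    answer: str
    ttl: int
    count: int


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for comments, blanks and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split("||")
    if len(parts) != 9:   # timestamp..count, as documented in the README
        return None
    try:
        return Record(float(parts[0]), parts[1], parts[2], parts[3], parts[4],
                      parts[5], parts[6], int(parts[7]), int(parts[8]))
    except ValueError:
        return None


def parse_log(lines: Iterable[str]) -> List[Record]:
    """Parse a whole log, skipping lines that do not fit the format."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def history(records: Iterable[Record], query: Optional[str] = None,
            answer: Optional[str] = None) -> Dict[Tuple[str, str, str], dict]:
    """(query, qtype, answer) -> first_seen / last_seen / summed count.
    Filter by query (domain history) or by answer (what else an IP hosts)."""
    table: Dict[Tuple[str, str, str], dict] = {}
    for r in records:
        if query is not None and r.query != query:
            continue
        if answer is not None and r.answer != answer:
            continue
        e = table.setdefault((r.query, r.qtype, r.answer),
                             {"first_seen": r.timestamp, "last_seen": r.timestamp, "count": 0})
        e["first_seen"] = min(e["first_seen"], r.timestamp)
        e["last_seen"] = max(e["last_seen"], r.timestamp)
        e["count"] += r.count
    return table


def fmt_date(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def render_history(table: Dict[Tuple[str, str, str], dict]) -> List[str]:
    """Rows in the style of the FirstSeen/LastSeen table in scenario 1."""
    rows = sorted(table.items(), key=lambda kv: kv[1]["first_seen"])
    return [f"{fmt_date(e['first_seen'])} | {fmt_date(e['last_seen'])} | {qt:>5} | "
            f"{q} | {a} | {e['count']}" for (q, qt, a), e in rows]


WATCHLIST = [r"(^|\.)twittertoday\.com\.$"]   # example pattern: any subdomain


def watchlist_hits(records: Iterable[Record],
                   patterns: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(pattern, query, answer) for every record whose query matches a watchlist regexp."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for r in records:
        for pat in compiled:
            if pat.search(r.query):
                hits.append((pat.pattern, r.query, r.answer))
                break
    return hits


# Constructed sample log (timestamps are 2011-12-01, -03, -11 and -18 UTC);
# one malformed line is included to show it is skipped, not fatal.
SAMPLE_LOG = """\
#timestamp||dns-client ||dns-server||RR class||Query||Query Type||Answer||TTL||Count
1322697600.000001||10.1.1.1||8.8.8.8||IN||bad.twittertoday.com.||A||71.51.115.11||60||3
1322870400.000002||10.1.1.2||8.8.8.8||IN||bad.twittertoday.com.||A||71.51.115.11||60||2
1323561600.000003||10.1.1.1||8.8.8.8||IN||bad.twittertoday.com.||A||127.0.0.1||60||4
1324166400.000004||10.1.1.3||8.8.8.8||IN||bad.twittertoday.com.||A||202.29.94.200||60||9
1324166400.000005||10.1.1.3||8.8.8.8||IN||www.adobe.com.||CNAME||www.wip4.adobe.com.||43200||8
this line is malformed and must be ignored
1324166400.000006||10.1.1.4||8.8.8.8||IN||x7q2.twittertoday.com.||A||202.29.94.200||60||1
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG.splitlines())
    print("\n".join(render_history(history(recs, query="bad.twittertoday.com."))))
    print(render_history(history(recs, answer="202.29.94.200")))
    print(watchlist_hits(recs, WATCHLIST))
```

Run against a real /var/log/passivedns.log by replacing SAMPLE_LOG with the file's lines. The aggregation keys on (query, type, answer) so each change of answer becomes its own row, which is exactly what exposes the older 71.51.115.11 resolution in scenario 1; the answer filter gives the "what else does this IP host" view from scenario 2; and the watchlist anchors on the registered domain with a leading dot or start-of-string so randomly changing subdomains still match without also matching look-alikes such as nottwittertoday.com.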
Questions, suggestions, sugar or flame are always welcome :)

I hope PassiveDNS gives you a new tool to fight malware and its herders...

(c)2011-2020  -  Edward Bjarte Fjellskål
91