dnstap whoami
play

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, - PowerPoint PPT Presentation

Jan 27, 2023 •15 likes •265 views

dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. Intro DNS nameservers that return custom responses Diagnostics Experimentation Result passed through to the original client Examples: DNS whoami

  1. dnstap-whoami Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

  2. Intro  DNS nameservers that return custom responses – Diagnostics – Experimentation  Result passed through to the original client  Examples: – DNS “whoami” – OARC port and reply size tests dnstap-whoami Slide 2 of 25

  3. DNS “whoami”  Query for type A  Get resolver IPv4 address in record data dnstap-whoami Slide 3 of 25

  4. $ dig +short @8.8.8.8 whoami.akamai.net 74.125.177.51 dnstap-whoami Slide 4 of 25

  5. Anycasted service address $ dig +short @8.8.8.8 whoami.akamai.net 74.125.177.51 dnstap-whoami Slide 5 of 25

  6. Unicast resolver address $ dig +short @8.8.8.8 whoami.akamai.net 74.125.177.51 dnstap-whoami Slide 6 of 25

  7. OARC port and reply size tests  Client sends query to resolver  Nameserver forces resolver to perform multiple queries  Get information about source port randomization, EDNS buffer size dnstap-whoami Slide 7 of 25

  8. $ dig +short porttest.dns-oarc.net TXT porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i .h.g.f.e.d.c.b.a.pt.dns-oarc.net. "70.89.251.89 is GREAT: 75 queries in 2.1 seconds from 75 ports with std dev 17022" dnstap-whoami Slide 8 of 25

  9. $ dig +short rs.dns-oarc.net TXT rst.x4050.rs.dns-oarc.net. rst.x4058.x4050.rs.dns-oarc.net. rst.x4064.x4058.x4050.rs.dns-oarc.net. "70.89.251.89 DNS reply size limit is at least 4064" "70.89.251.89 sent EDNS buffer size 4096" "Tested at 2015-09-23 18:26:16 UTC" dnstap-whoami Slide 9 of 25

  10. dnstap-whoami  Encode the resolver's wire query (plus metadata) into the response RR  Makes resolver information visible to client, e.g.: – IPv4/IPv6 query source address – TCP/UDP query source port – EDNS buffer size – EDNS0 options (client-subnet, cookies, etc.) – 0x20 dnstap-whoami Slide 10 of 25

  11. dnstap-whoami  Uses dnstap protobuf schema for encoding ✔ Compact, extensible ✘ Not human readable, requires decoder tool dnstap-whoami Slide 11 of 25

  12. dnstap-whoami  Query whoami.dnstap.info type NULL for IPv4 $ dig +short whoami.dnstap.info NULL  Query whoami6.dnstap.info type NULL for IPv6 $ dig +short whoami6.dnstap.info NULL dnstap-whoami Slide 12 of 25

  13. $ dig +short @8.8.8.8 whoami.dnstap.info NULL \# 89 72550801100122044A7D2A37309FFD03408BEE8BB0054D096A312F52 3A1555001000010000000000010677686F616D6906646E7374617004 696E666F00000A0001000029100000008000000B0008000700011800 4659FB7801 dnstap-whoami Slide 13 of 25

  14. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ cut -f3- -d' ' | xxd -r -p | hd 00000000 72 55 08 01 10 01 22 04 4a 7d 2a 37 30 9f fd 03 |rU....".J}*70...| 00000010 40 8b ee 8b b0 05 4d 09 6a 31 2f 52 3a 15 55 00 |@.....M.j1/R:.U.| 00000020 10 00 01 00 00 00 00 00 01 06 77 68 6f 61 6d 69 |..........whoami| 00000030 06 64 6e 73 74 61 70 04 69 6e 66 6f 00 00 0a 00 |.dnstap.info....| 00000040 01 00 00 29 10 00 00 00 80 00 00 0b 00 08 00 07 |...)............| 00000050 00 01 18 00 46 59 fb 78 01 |....FY.x.| 00000059 dnstap-whoami Slide 14 of 25

  15. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ cut -f3- -d' ' | xxd -r -p | \ protoc --decode=dnstap.Dnstap ./dnstap.proto message { type: AUTH_QUERY socket_family: INET query_address: "J}*7" query_port: 65183 query_time_sec: 1443034891 query_time_nsec: 791767561 query_message: "\025U\000\020\000\001\000\000\000\000\000\001\00 6whoami\006dnstap\004info\000\000\n\000\001\000\0 00)\020\000\000\000\200\000\000\013\000\010\000\0 07\000\001\030\000FY\373" } type: MESSAGE dnstap-whoami Slide 15 of 25

  16. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ cut -f3- -d' ' | xxd -r -p | \ protoc --decode=dnstap.Dnstap ./dnstap.proto message { type: AUTH_QUERY socket_family: INET query_address: "J}*7" query_port: 65183 query_time_sec: 1443034891 query_time_nsec: 791767561 query_message: "\025U\000\020\000\001\000\000\000\000\000\001\00 6whoami\006dnstap\004info\000\000\n\000\001\000\0 00)\020\000\000\000\200\000\000\013\000\010\000\0 07\000\001\030\000FY\373" } type: MESSAGE dnstap-whoami Slide 16 of 25

  17. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 17 of 25

  18. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 18 of 25

  19. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 19 of 25

  20. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 20 of 25

  21. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 21 of 25

  22. $ dig +short @8.8.8.8 whoami.dnstap.info NULL | \ dnstap-ldns -xy type: MESSAGE message: type: AUTH_QUERY query_time: !!timestamp 2015-09-23 19:01:31.791767 socket_family: INET query_address: 74.125.42.55 query_port: 65183 query_message: | ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5461 ;; flags: cd ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;whoami.dnstap.info. IN NULL ;; ANSWER SECTION: ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; EDNS: version 0; flags: do ; udp: 4096 ;; Data: \# 11 00080007000118004659fb --- dnstap-whoami Slide 22 of 25

  23. Source code  Reference decoding tool – https://github.com/dnstap/dnstap-ldns  Custom nameserver – https://github.com/dnstap/dnstap-evldns  Protobuf schema – https://github.com/dnstap/dnstap.pb dnstap-whoami Slide 23 of 25

  24. Special thanks  Ray Bellis, for his “evldns” DNS server framework – https://github.com/raybellis/evldns dnstap-whoami Slide 24 of 25

  25. Thanks! dnstap-whoami Slide 25 of 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc.

dnstap: introduction and status update Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories dnstap Slide 2 of

336 views • 18 slides
dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo

dnstap (brief intro and update) Merike Kaeo merike@interne6den6ty.com NANOG61 - DNS Track dnstap What is it? High speed DNS logging without

420 views • 12 slides
dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight

dnstap : high speed DNS logging without packet capture Robert Edmonds (edmonds@fsi.io) Farsight Security, Inc. URL http://dnstap.info Documentation Presentations Tutorials Mailing list Downloads Code repositories

695 views • 42 slides
Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc.

Passive DNS Collection and Analysis The 'dnstap' (&amp; fstrm) Approach Farsight Security, Inc. December 2014 Importance of Measuring DNS High volume low latency datagram protocol Channel 202; 40 sources; 1,657,398,226,932 bytes/day;

196 views • 19 slides
The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC

Passive DNS Collection and Analysis The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 Charleston, SC Importance of Measuring DNS High volume low latency datagram protocol sie-xyzzy1 547,128,709,757 bytes,

323 views • 17 slides
dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc.

dnstap : high speed DNS logging without packet capture Jeroen Massar Farsight Security, Inc. Unifying the Global Response to Cybercrime Credits &amp; More Info Design &amp; Implementation: Robert Edmonds &lt;edmonds@fsi.io&gt; Website:

786 views • 40 slides
Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami

Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami

Platforms FTW! Matt OKeefe $ whoami Developer -&gt; Architect -&gt; CTO $ whoami -O RLY? Developer -&gt; Architect -&gt; CTO What is a Platform? Mise en place for developers In slightly more technical terms

622 views • 39 slides
basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami

basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami

Killing pigs and saving Danish bacon GOTO Zurich Zurich, Switzerland 11th April 2013 basho Thursday, 11 April 13 $ Thursday, 11 April 13 $ whoami Thursday, 11 April 13 $ whoami Name: Matthew Revell Title:

1.55k views • 111 slides
Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami

Counterattack Turning the tables on exploitation attempts from tools like Metasploit whoami scriptjunkie Security research Metasploit contributor whoami wrote this thing whoami I work here Disclaimer This

1.02k views • 76 slides
Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)

659 views • 28 slides
HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software

HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software

HIGH-PERFORMANCE VMS USING OPENSTACK NOVA by Nikola ipanov $ WHOAMI $ WHOAMI Software engineer @ Red Hat Working on OpenStack Nova since 2012 Nova core developer since 2013 THIS TALK THIS TALK OpenStack - the elastic cloud High-perf

455 views • 34 slides
Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend

Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend

Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend Developer en twitter @carlosmart626 github carlosmart626 https://carlosmart.co $whoami Colombia @carlosmart626 $whoami @carlosmart626 5

945 views • 65 slides
Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $

Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $

Machine Learning What, how, why? Rmi Emonet (@remiemonet) 2015-09-30 Web En Vert $ whoami $ whoami Software Engineer Researcher: machine learning, computer vision Teacher: web technologies, computing literacy Geek: deck.js slides,

626 views • 58 slides
Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer

Powering Flexible Payments in the Cloud with Kubernetes whoami Ana Calin Systems Engineer @Paybase Twitter: @AnaMariaCalin 3 01 whoami 02 About Paybase 03 Things weve achieved so far 04 Our tech stack Table of Contents 05

970 views • 37 slides
Steroids [root@tools ~]# whoami Martin (purehate) Bos Core Developer for Backtrack Linux

Steroids [root@tools ~]# whoami Martin (purehate) Bos Core Developer for Backtrack Linux

Password Cracking on Steroids [root@tools ~]# whoami Martin (purehate) Bos Core Developer for Backtrack Linux Owner of Computer Rehab Co-Founder Question-Defense Security Enthusiast [root@tools ~]# whoami Alex (dakykilla) Kah

392 views • 37 slides
Deep Dive on the React Lifecycle @jcreamer898 http:/ /bit.ly/react-lifecycle 1 whoami

Deep Dive on the React Lifecycle @jcreamer898 http:/ /bit.ly/react-lifecycle 1 whoami

Deep Dive on the React Lifecycle @jcreamer898 http:/ /bit.ly/react-lifecycle 1 whoami Jonathan Creamer @jcreamer898 http:/ /bit.ly/react-lifecycle 2 whoami Currently Senior Front End Engineer at Lonely Planet Past JavaScript

1.01k views • 77 slides
ITS TIME FOR THE RESOLUTION TIM VERBELEN Senior Researcher imec Ghent University 1

ITS TIME FOR THE RESOLUTION TIM VERBELEN Senior Researcher imec Ghent University 1

ITS TIME FOR THE RESOLUTION TIM VERBELEN Senior Researcher imec Ghent University 1 PUBLIC ! could not resolve the bundles: [ that.awesome.library.i.found -1.0.0 org.osgi.framework.BundleException: Unable to resolve

1.13k views • 32 slides
The Effect of DNS on Tors Anonymity Benjamin Greschbach KTH Royal Institute of Technology

The Effect of DNS on Tors Anonymity Benjamin Greschbach KTH Royal Institute of Technology

The Effect of DNS on Tors Anonymity Benjamin Greschbach KTH Royal Institute of Technology Tobias Pulls Karlstad University Laura M. Roberts Princeton University Philipp Winter Princeton University Nick Feamster Princeton University 1

438 views • 42 slides
11/2/2018 Nattawoot Koowattanatianchai 1 Investment Analysis &amp; Portfolio Management

11/2/2018 Nattawoot Koowattanatianchai 1 Investment Analysis &amp; Portfolio Management

11/2/2018 Nattawoot Koowattanatianchai 1 Investment Analysis &amp; Portfolio Management Assistant Professor Nattawoot Koowattanatianchai, DBA, CFA 11/2/2018 Nattawoot Koowattanatianchai 2 Em Email: : fbusn snwk@k wk@ku. u.ac.

746 views • 42 slides
Week 1: Introduction to Remote Learning Format, Policies, Guiding Principles Max H. Farrell The

Week 1: Introduction to Remote Learning Format, Policies, Guiding Principles Max H. Farrell The

BUS 41100 Applied Regression Analysis Week 1: Introduction to Remote Learning Format, Policies, Guiding Principles Max H. Farrell The University of Chicago Booth School of Business Remote Instruction Guiding Principles Be patient Be

513 views • 49 slides
Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver

Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver

Ordinary DNS: www.google.com A? Client's k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 www.google.com A? Client's a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A

375 views • 13 slides
Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time

Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time

I-SHARE ALMA PRIMO VE OFFICE HOURS WILL START SHORTLY Welcome! Office Hours will start at 2pm and run until 3pm Please mute your microphone As time permits, we will respond to questions typed in the chat box, and offline afterwards, as needed

298 views • 9 slides
Using R to Analyze Recruiting Pipelines Maryam Jahanshahi Scientist @ TapRecruit @mjahanshahi

Using R to Analyze Recruiting Pipelines Maryam Jahanshahi Scientist @ TapRecruit @mjahanshahi

Using R to Analyze Recruiting Pipelines Maryam Jahanshahi Scientist @ TapRecruit @mjahanshahi Jenny Dearborn @ DearbornJenny If you were to ask your CFO to make a decision, she would rely on facts, not opinions. In contrast, for years, the HR

307 views • 12 slides
The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL

The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL

The Evolving Architecture of the Web Nick Sullivan Head of Cryptography CFSSL Universal SSL Keyless SSL Privacy Pass Geo Key Manager Recently Standards work TLS 1.3 C on peting Goals make browsing more performant private HTTP DNS

789 views • 77 slides

More recommend