Private Passive DNS

[openargus]

radns.1

With v5.0.0 we introduced radns.1 ... This program represents a major use of argus's control plane capture capability, where control plane flows contain the complete contents of the control plane transaction. When configured, using the new argus.conf variable, any udp or tcp domain, or mdns flow will contain the complete contents of a DNS or mDNS transaction. Argus tracks DNS by adding the DNS transaction id to the flow key, so that each transaction is a unique network flow record.

ARGUS_CAPTURE_FULL_CONTROL_DATA=yes
ARGUS_CONTROLPLANE_PROTO="domain,mdns,mdnsresponder"

radns.1 reads argus data from an argus-data source, and extracts and tracks DNS transaction data from the argus data records. Depending on where argus is deployed, this enables you to collect all the DNS query and response information from and endpoint, DNS server, or if deployed on an external network interface, all the DNS traffic for a complete enterprise.

DNS is an exploitable system that can cause quite a bit of problems. If an adversary subverts a sites DNS, it can steer traffic to any endpoint, anywhere, and masquerade as internal or external trusted sites. A simple way of detecting this condition is to track what DNS servers are active in your site and track what addresses are being returned to DNS clients in response to queries. If you generate this data from an endpoint, you get the best opportunity to realize that a DNS exploitation is being done against the node.

Once you can generate this data, you can enable a Private Passive DNS capability. Private in that you can collect, and maintain the database yourself, without sharing your DNS transactions with a third party.

radns.1 is a flow record labeler, and can be configured to label flow records with the dns names of the saddr and daddr addresses seen in the outer IP DSR of flow records. As a flow record labeler, it can be a stage in an argus data flow stream, enhancing real-time flow records with real-time DNS metadata.

radns.1 has a lot of features:

1. Parse user data buffers to extract dns transaction contents.
2. Maintain an in memory database of DNS name requests and responses by server.
3. Label records with DNS metadata.
4. Alarm / notify when new DNS servers and clients are observed.
5. Alarm / notify when a flow's IP addresses have not been queried.
6. Provide back channel query interface to query DNS resolution state.
7. Export a complete accounting of DNS queries and responses.

Parse DNS Data

radns.1 reads flow data either from a file or a real-time stream and parses out DNS transaction data. Without any options, it prints out DNS content like tcpdump.1.

Invocation

This call reads argus(8) data from an inputfile and prints the DNS transaction content as it is parsed from the argus(8) records.

% radns -R /usr/local/argus/archive/*/en0/2024/02/05/*.05.10.0* -N 1250
   02/05.05:12:50.506561: AAAA? KitAppTV.local. :
   02/05.05:14:30.116963: AAAA? qosient.mail.pairserver.com. :  SOA pairserver.com. ns1.pair.com. root.pair.com. 2024020506 3600 300 604800 7200
   02/05.10:01:06.404054: PTR? lb._dns-sd._udp.0.129.37.10.in-addr.arpa. :  SOA 10.in-addr.arpa. prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
   02/05.10:01:45.717174: Type65? init.push.apple.com. :  CNAME init.push.apple.com. init.push-apple.com.akadns.net. SOA akadns.net. internal.akadns.net. hostmaster.akamai.com. 1629813934 90000 90000 90000 180
   02/05.10:01:45.717302: AAAA? init.push.apple.com. :  AAAA init.push-apple.com.akadns.net. 2620:149:208:430a::4[28],2620:149:208:430e::4[28],2620:149:208:430c::4[28],2620:149:208:430b::4[28],2620:149:208:430d::4[28] CNAME init.push.apple.com. init.push-apple.com.akadns.net.
   02/05.10:01:45.717432: A? init.push.apple.com. :  A init.push-apple.com.akadns.net. 17.188.179.2[16],17.188.178.2[16],17.188.178.226[16],17.188.178.34[16],17.188.143.158[16],17.188.143.157[16],17.188.179.34[16],17.188.143.187[16] CNAME init.push.apple.com. init.push-apple.com.akadns.net.
   02/05.10:01:45.736437: Type65? init.push-apple.com.akadns.net. :  SOA akadns.net. internal.akadns.net. hostmaster.akamai.com. 1629813934 90000 90000 90000 180

This call reads argus(8) data from inputfile and uses the -q option to suppress DNS transaction reporting. radns(1) caches its DNS server, clients and transaction data in memory, and when finished reading data, resolve queries about the data.

In this example, it reads a days of data and looks up references to a specific DNS query, printing its output as json data.

% radns -M json -R /usr/local/argus/archive/*/en0/2024/02/05 -qM search:qosient.com.
   { "name":"qosient.com.", "ref":"3", "stime":"1707147521","ltime":"1707183149", "addr":[ "216.92.14.146" ], "server":[ "2603:7000:c00:b053:ea9f:80ff:fe85:5cc5" ], "client":[ "2603:7000:c00:b053:987f:ad32:81c:e70f", "2603:7000:c00:b053:f9f2:6d70:ff9c:48d7" ] }

Database Support

The argus clients programs provide a number of programs designed to get more out of the radns.1 features. radnsdb.pl is a perl script that will take the output of radns.1 and manage a database table of the dns names and IP addresses resolved by DNS. This generates what we are referring to as 'Private Passive DNS'.

The tools can maintain two daily database schemas, one for names, and one for addresses.
The name schema is below. For each unique FQDN (fully qualified domain name ending with a dot), this schema contains strings that have start and last time referenced, the TLD, NLD, a string that lists the IPv4 and IPv6 addresses that were resolved for this address, the clients and the servers that requested and responded with this data, cname, ptr, and ns responses, etc ... seen. Users of this table query for a set FQDN, TLD or NLDs, can get quite a bit of good information.

mysql> desc dns_2024_07_20;
+--------+-----------------------+------+-----+---------+-------+
| Field  | Type                  | Null | Key | Default | Extra |
+--------+-----------------------+------+-----+---------+-------+
| name   | varchar(128)          | NO   | PRI | NULL    |       |
| tld    | varchar(64)           | YES  |     | NULL    |       |
| nld    | varchar(64)           | YES  |     | NULL    |       |
| ref    | int                   | YES  |     | NULL    |       |
| stime  | double(18,6) unsigned | YES  |     | NULL    |       |
| ltime  | double(18,6) unsigned | YES  |     | NULL    |       |
| addrs  | text                  | YES  |     | NULL    |       |
| client | text                  | YES  |     | NULL    |       |
| server | text                  | YES  |     | NULL    |       |
| cname  | text                  | YES  |     | NULL    |       |
| ptr    | text                  | YES  |     | NULL    |       |
| ns     | text                  | YES  |     | NULL    |       |
+--------+-----------------------+------+-----+---------+-------+
12 rows in set (0.00 sec)

The address schema is below. For each unique IPv4 or IPv6 addresses, the names attribute contains a JSON formatted string that contains the start and last time referenced, the authoritative, referrals, cnames, etc ... seen. Many of these fields are empty, and representing the data as JSON proved to be very beneficial for CGI Restful API use. Users of this table query for a set of IPv4 or IPv6 addresses, and should be prepared to process the JSON. Mysql has some json parsing capability, so if you're good you can really get a lot out of this schema.

mysql> desc dns_2024_07_20;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| addr  | varchar(64) | NO   | PRI | NULL    |       |
| names | text        | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
2 rows in set (0.00 sec)