Observing DNS queries inside your LAN is a very simple way to detect security problems and/or various misconfiguration issues.
The only prerequisite for the operator is a good knowledge of their own network infrastructure and technologies. The operation can be carried out with built-in Windows features by enabling DNS debug logging (http://technet.microsoft.com/en-us/library/cc759581(v=ws.10).aspx).
I prefer to use a simple tool, "NirSoft DNS Query Sniffer", available here: http://www.nirsoft.net/utils/dns_query_sniffer.html
1/ Copy it to your DNS server and launch it locally. DNS queries appear in real time.
2/ Stop the acquisition.
3/ Analyze in the GUI or export to a file.
...easy and simple.
Examples of use:
- Internet Explorer configuration issue:
A request to wpad.<lan-dns-suffix> indicates the use of the Web Proxy Auto-Discovery protocol by clients. Of course you can always retrieve the IP address of the requesting source in the dedicated column on the right side (not shown on the screenshot) and modify the browser settings as convenient.
- Misconfiguration of a client process:
Here we can see a doubled DNS suffix generating an error. The client, for an unknown reason, appends the LAN DNS suffix twice.
- Browser add-on characterization and detection:
Look at the Ask toolbar in action and find the clients that have it installed.
- Usage of the Network Connectivity Status Indicator:
A good explanation can be found here: http://www.techrepublic.com/blog/data-center/what-do-microsoft-and-ncsi-have-in-common/
- CRL checking:
Microsoft puts unqualified domain names in some certificates. They contain the following CRL distribution point: http://corppki/crl/Microsoft Secure Server Authority.crl which probably only works inside Microsoft LANs.
- Malware detection:
The most powerful usage, in my opinion. Example of requests made by an infected client.
- Other cases:
Be aware of isolated systems that don't have internet access yet make outside DNS requests. It can be data exfiltration over a covert channel
(see https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html and http://bernardodamele.blogspot.fr/2012/06/data-retrieval-over-dns-in-sql.html ).
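Once the capture has been exported to a file (step 3 above), the cases listed here can be checked in bulk rather than by eye. The following Python script is an added example, not part of the original post and not NirSoft's code: it reads a tab-separated export and tags each query with the findings described above (WPAD lookups, a doubled LAN suffix, watch-listed toolbar or malware names, NCSI probes, unqualified names such as an internal CRL distribution point, and isolated hosts querying outside names). The column names, the LAN suffix corp.example, the isolated host address, the watch-list entries and the sample rows are all constructed assumptions; the real export layout of the tool may differ. Only msftncsi.com is a real name, the domain used by the Windows connectivity probe.

```python
"""Triage an exported DNS query list against the cases described in the post.

Added example. Column names, LAN suffix, host addresses and watch-list
entries are constructed assumptions, not values from the post or the tool.
"""
import csv
import io

LAN_SUFFIX = "corp.example"          # assumed LAN DNS suffix of the network
ISOLATED_HOSTS = {"10.0.9.5"}        # assumed systems with no internet access
WATCHLIST = {                        # placeholder toolbar / malware names
    "toolbar.example-adware.test",
    "c2.example-malware.test",
}

# Constructed export: tab-separated, with assumed column names.
SAMPLE_EXPORT = """\
Query Time\tSource Address\tQuery Type\tQuery Name
2016-01-28 09:14:01\t10.0.1.21\tA\twpad.corp.example
2016-01-28 09:14:02\t10.0.1.33\tA\tfileserver.corp.example.corp.example
2016-01-28 09:14:03\t10.0.1.40\tA\ttoolbar.example-adware.test
2016-01-28 09:14:04\t10.0.1.21\tA\tdns.msftncsi.com
2016-01-28 09:14:05\t10.0.1.50\tA\tcorppki
2016-01-28 09:14:06\t10.0.9.5\tA\tupdates.example-malware.test
2016-01-28 09:14:07\t10.0.1.21\tA\tintranet.corp.example
"""

DESCRIPTIONS = {
    "wpad": "client relies on Web Proxy Auto-Discovery (check browser proxy settings)",
    "doubled-suffix": "LAN DNS suffix appended twice (client process misconfiguration)",
    "watchlist": "name on the toolbar/malware watch-list",
    "ncsi": "Windows Network Connectivity Status Indicator probe",
    "single-label": "unqualified name, e.g. an internal CRL distribution point",
    "isolated-external": "isolated host querying an outside name (possible covert channel)",
}


def classify(row):
    """Return the list of finding tags that apply to one exported query row."""
    name = row["Query Name"].rstrip(".").lower()
    src = row["Source Address"]
    suffix = "." + LAN_SUFFIX
    tags = []
    if name.startswith("wpad."):
        tags.append("wpad")
    if name.endswith(suffix + suffix):
        tags.append("doubled-suffix")
    if name in WATCHLIST:
        tags.append("watchlist")
    if name.endswith(".msftncsi.com"):
        tags.append("ncsi")
    if "." not in name:
        tags.append("single-label")
    if src in ISOLATED_HOSTS and not name.endswith(suffix):
        tags.append("isolated-external")
    return tags


def read_export(text):
    """Parse the tab-separated export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def triage(text):
    """Return (source, query name, tags) for every row that raised a finding."""
    report = []
    for row in read_export(text):
        tags = classify(row)
        if tags:
            report.append((row["Source Address"], row["Query Name"], tags))
    return report


def clients_for(text, query_name):
    """List the clients that asked for a given name (e.g. to find toolbar installs)."""
    wanted = query_name.lower()
    return sorted({row["Source Address"] for row in read_export(text)
                   if row["Query Name"].rstrip(".").lower() == wanted})


if __name__ == "__main__":
    for src, name, tags in triage(SAMPLE_EXPORT):
        print(f"{src:<12} {name:<45} " + "; ".join(DESCRIPTIONS[t] for t in tags))
```

The checks are deliberately simple string tests so they can be adapted to whatever columns the real export contains; the watch-list and the isolated-host set are the two lists an operator has to maintain from their own knowledge of the network.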
Capturing DNS queries is an easy way to observe your network infrastructure in action. There's a lot of stuff to do with this little tool. Thanks Nirsoft!