Channel 202 - Passive DNS

Channel Manager

FSI is the Channel Manager

Description

As part of the Farsight Passive DNS Replication Project, sensors running the sie-dns-sensor package capture the DNS queries and responses (RD=0) exchanged with authoritative nameservers as a result of cache misses for the recursive queries (RD=1) a nameserver handles on behalf of its client base.

The sensors use the sie-dns-sensor scripts to upload captured data to the SIE relay servers once per minute; the relay servers inject the data into SIE and make it available on ch202 for Farsight SIE participants. The sensor package is available as:
* binary packages for Linux
* old source for FreeBSD (follow the README instructions)
* source for other platforms

Earlier efforts utilized PCAP or NCAP capture methods for data collection. In 2010, Farsight upgraded all sensor operators to use NMSG-based PCAP capture that matched DNS requests to valid responses as part of a Passive DNS hardening project (video). Those who require PCAP-based analysis can use nmsg-dnsqr2pcap (source) to regenerate PCAP data.

For more information about collection and processing details, see Robert Edmonds' Passive DNS Architecture white paper. The section "Initial message collection" is most relevant.

Data format

ISC:dnsqr

In the example below, a DNS server at WW.XX.YY.ZZ performed a DNS query for an address ("A") record for "e319.g.akamaiedge.net" and received an answer from the server 209.8.112.123 less than a millisecond later. The matching DNS transaction ID was 5875. The "query" and "response" binary DNS payloads are printed in presentation format by libwdns (source: http://rsfcode.isc.org/git/wdns/tree/), which looks similar to the output of ISC BIND's dig(8) command, terminated by "---" on a line by itself. The answer was 184.24.193.107.

A typical datagram will look like the following:

$ nmsgtool -C ch202 -o - -c 1
[248] [2012-06-12 09:27:42.466236000] [1:9 ISC dnsqr] [NMSG_ID] [] []
type: UDP_QUERY_RESPONSE
query_ip: WW.XX.YY.ZZ
response_ip: 209.8.112.123
proto: UDP (17)
query_port: 22740
response_port: 53
id: 5875
qname: e319.g.akamaiedge.net.
qclass: IN (1)
qtype: A (1)
rcode: NOERROR (0)
delay: 0.000856
udp_checksum: CORRECT

query: [50 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5875
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e319.g.akamaiedge.net. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
---
response: [55 octets]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5875
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;e319.g.akamaiedge.net. IN A

;; ANSWER SECTION:
e319.g.akamaiedge.net. 20 IN A 184.24.193.107

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
---

If a nameserver sends a query, but does not receive a response within a reasonable timeout, the "type" will be "UDP_UNANSWERED_QUERY" and the response_ip will be one of the nameservers from which it expected a response. The "delay" field is replaced by a "timeout" field telling how long the sensor waited. The "query" field is still available, while the "response" field is (obviously) missing.

If a nameserver receives a response for a query that it did not originate, the "type" field will be "UDP_UNSOLICITED_RESPONSE" with no "delay", "timeout", or "query" field present. It may be possible to determine what the intended query was from the "QUESTION SECTION" of the response. The most likely reasons for receiving an unsolicited response are a misconfigured sensor, a response being returned after the sensor lost track of the query (a previous timeout), or errant data, possibly a cache poisoning attempt.

Channel 202 is the only channel which has visibility into sensor data and DNS rcode information like SERVFAIL, REFUSED, FORMERR, or NXDOMAIN and flag information like "qr", "aa", or "cd". Only UDP_QUERY_RESPONSE data with a NOERROR result and "qr aa" flags makes it further into Farsight DNSDB processing (see SIE Channel 207).
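As an added illustration (not code from Farsight or the sie-dns-sensor package), the following Python parses a dnsqr datagram in the nmsgtool presentation format shown above and applies the DNSDB/ch207 filter just described. The sample record is constructed from the datagram above, and the layout rules (a "field: value" header, payloads ending at "---") are assumptions drawn from that output.

```python
import re

# Constructed sample in nmsgtool presentation format (trimmed); not captured data.
SAMPLE = """\
type: UDP_QUERY_RESPONSE
qname: e319.g.akamaiedge.net.
qtype: A (1)
rcode: NOERROR (0)
query: [50 octets]
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
---
response: [55 octets]
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
e319.g.akamaiedge.net. 20 IN A 184.24.193.107
---
"""
FIELD_RE = re.compile(r"^(\w+): (.*)$")

def parse_dnsqr(text):
    """Parse one dnsqr datagram into a dict; query/response payloads are kept
    as lists of presentation-format lines up to their '---' terminator."""
    rec, section = {}, None
    for line in text.splitlines():
        if section is not None:  # inside a query:/response: payload
            if line == "---":
                section = None
            else:
                rec[section].append(line)
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in ("query", "response"):
            section = m.group(1)
            rec[section] = []
        elif m:
            rec[m.group(1)] = m.group(2).split(" (")[0]  # "A (1)" -> "A"
    return rec

def response_flags(rec):
    """Header flags ('qr', 'aa', 'cd', ...) parsed from the response payload."""
    for line in rec.get("response", []):
        if line.startswith(";; flags:"):
            return set(line.split(";")[2].split(":", 1)[1].split())
    return set()

def dnsdb_eligible(rec):
    """The filter described above: only UDP_QUERY_RESPONSE with NOERROR and
    an authoritative answer ('qr' and 'aa' set) goes on to DNSDB."""
    return (rec.get("type") == "UDP_QUERY_RESPONSE"
            and rec.get("rcode") == "NOERROR"
            and {"qr", "aa"} <= response_flags(rec))
```

Records of type UDP_UNANSWERED_QUERY or UDP_UNSOLICITED_RESPONSE fail the type check and stay on ch202 only, which is where the timeout and possible-poisoning cases above have to be looked at.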

Sources of Data

Several ISPs, Universities, DNS service providers, and security analysis companies run sensors for the Farsight Passive DNS Replication project. While most of the sensors operate in the United States, some operate in other geographic regions. Most of the sensors prefer to remain anonymous. Farsight runs a sensor.

Terms of Use

Farsight and other Internet service providers operate recursive caching nameservers with sensor software that collects responses to DNS queries as a result of a cache miss. All raw Data found on this channel is considered confidential and must be protected by Channel Participants. Derivative works are analysis data products derived from the raw Data where the raw Data is not in any way identifiable in the end product. Derivative works may be used by Participants as long as information identifying the participating nameservers and service providers is removed or at least anonymized.

