Investigating DNS Events


Michael Herr

Feb 12, 2016, 10:35:53 AM
to xcnd

Scenario.

SIEM alerts on DNS traffic to "malicious IP".  The alert came from the firewall event.

build UDP connection..... 
Source IP: DNS Server
Destination IP: Malicious IP
Destination Port: 53

Reverse lookup on IP comes back as ns3.enablesit.com.

Without full packet capture, is there any way to determine what domain was requested from a client?  The DNS server had to receive a request for a domain and then it reached out to the nameserver to get the response.  We are logging query events from clients, but if I work backwards, there is a disconnect because I don't know why the DNS server reached out to that nameserver.

I tested in a lab environment and enabled all BIND logging and couldn't figure it out.

Anyone else have any ideas how you would piece this together?


Thanks,

Mike

Joseph Petrocelli

Feb 12, 2016, 11:08:00 AM
to Michael Herr, xcnd
What other security products are installed in the environment? There are tools that do this, right? Web gateways, proxies... host firewalls and other security-related browser plugins could be configured as well. Was it a browser that made the request? If it is, browser history is an obvious answer, but if it were another method it'd be difficult based on the software's logging methodology and verboseness.

v/r,

Joe Petrocelli

Jake Ross

Feb 12, 2016, 11:34:51 AM
to Joe Petrocelli, xcnd, Michael Herr

If it's a Windows domain the DC would see it first. We have DNS trace logs going to ArcSight. All client DNS requests are logged. https://technet.microsoft.com/en-us/library/dn800669.aspx

Scott Atta

Feb 12, 2016, 11:47:58 AM
to Jake Ross, Michael Herr, xcnd, Joe Petrocelli

If there is malware using a reverse DNS bindshell there may not be a domain request from the client. It would be using port 53 as C2 and not DNS, and most likely have the IP hardcoded, so no lookup is necessary.  You would need a pcap to verify, assuming it's not encrypted or packed into unused frame space.

You can maybe look on the client side and grab a tool that can monitor which processes are bound to which port.  If you see something using 53 that is not normal, that may be an indicator.  Also check the hosts file; Windows will resolve from there first before asking a DC.

Scott Atta
------------------------------------
Sent from my Nexus 5x

Michael Herr

Feb 12, 2016, 1:02:46 PM
to Scott Atta, Jake Ross, xcnd, Joe Petrocelli
It's BIND DNS and we are logging client requests, but the missing piece is what the client requested that made the DNS server reach out to the nameserver that holds the record.

The entry in the boundary firewall log is the DNS SERVER IP as source and EXTERNAL NAMESERVER as destination.  The activity is how a DNS server would work, but I want to figure out what was requested to have the DNS server do a lookup to another nameserver.  There is nowhere that I can see that this activity is logged.

Web proxy won't help because the DNS server made a connection to an IP that was identified as malicious.  How can you identify the activity that caused the DNS server to do this?  There is a missing piece between the client lookup and the DNS nameserver lookup activity.  PCAP will have this info because it will show the request that the DNS server made to that IP. 

I know, I just repeated myself three times, but I tried to address all of your emails.


Jake Ross

Feb 12, 2016, 2:33:32 PM
to Michael Herr, Scott Atta, xcnd, Joe Petrocelli
I don't think it's C2. That request would go from the client to bad guy directly over 53.

What system generated the alert? IDS? Firewall?

Michael Herr

Feb 12, 2016, 4:42:29 PM
to Jake Ross, xcnd, Scott Atta, Joe Petrocelli

It is a reputation-based alert from the SIEM. It alerted on the DNS server talking to the identified malware IP over port 53 based on a firewall event.

I am not too worried about the alert. For future investigations I want to be able to trace backwards.  Which client made a request to my DNS that made the DNS talk to the malicious IP. I think it is a valid question that is really hard to determine without full pcap.  I turned on all logging in my lab and I never once saw a log entry like this from the DNS server.

Queried nameserver.xxx.com what is the IP of jakelikesbiggirls.xxx.com

If it logged this, then I could go back and look at my query logs to see who requested jakelikesbiggirls.xxx.com and would find out that it was Joe's system who did the query.

I think we need a whiteboard and WebEX session. 

Have a good President's day weekend. I'm leaving the frigid North for sunny California.

Mr. Jones

Feb 12, 2016, 5:23:58 PM
to Michael Herr, Jake Ross, xcnd, Scott Atta, Joe Petrocelli
Did you check the DNS server logs? Your internal DNS server should record every request from client -> DNS -> Internet. DNS logs should show the internal IP of who requested the external connection. If the devices on the network are time-synced then you should be able to identify the host from the alert timestamp. Cross-check the time of the alert with the DNS logs.

Sent from my iPhone

Michael Herr

Feb 12, 2016, 5:28:03 PM
to Jones, xcnd, Scott Atta, Joe Petrocelli, Jake Ross

Yes, all client queries are logged and sent to the McAfee ESM.  Haven't seen DNS server to Internet nameserver activity logged anywhere.

Time sync is too hard due to so many DNS requests. It's unreliable.
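The missing log line Mike describes above (resolver asked nameserver X for name Y) does not exist in his setup, and a plain time match against the query log is swamped by the volume of client queries. The added example below (mine, not from anyone in this thread) narrows the candidates by combining the two: it parses BIND query-log lines, keeps only queries in a short window before the firewall event, and then keeps only those whose zone is actually served by the flagged nameserver IP. The log lines, the firewall event, the nameserver IP 203.0.113.10 and the NS_TO_ZONES delegation table are all constructed for the example; in practice the table comes from looking up the NS records of the zones seen in the query log.

```python
import re
from datetime import datetime, timedelta

# Constructed BIND query-log excerpt (not a real capture); the resolver is 10.0.0.53.
BIND_QUERY_LOG = """\
12-Feb-2016 10:35:30.001 queries: info: client 10.1.2.50#50001: query: intranet.corp.local IN A + (10.0.0.53)
12-Feb-2016 10:35:40.512 queries: info: client 10.1.2.77#50002: query: www.xxx.com IN A + (10.0.0.53)
12-Feb-2016 10:35:40.900 queries: info: client 10.1.2.12#50003: query: www.example.net IN A + (10.0.0.53)
12-Feb-2016 10:36:20.100 queries: info: client 10.1.2.99#50004: query: mail.xxx.com IN MX + (10.0.0.53)
"""

# Constructed firewall event: the resolver's outbound UDP/53 to the flagged nameserver IP.
FW_EVENT = {"ts": datetime(2016, 2, 12, 10, 35, 41), "src": "10.0.0.53", "dst": "203.0.113.10", "dport": 53}

# Assumed delegation data gathered separately (the NS records of each zone seen in the
# query log): flagged nameserver IP -> zones it serves. 203.0.113.10 is a placeholder.
NS_TO_ZONES = {"203.0.113.10": {"xxx.com"}}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?P<client>[\d.]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_bind_query_log(text):
    """Yield (timestamp, client IP, qname, qtype) for each BIND query-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["client"], m["qname"].rstrip(".").lower(), m["qtype"]

def zone_of(qname, zones):
    """Return the longest zone in `zones` that contains qname, or None."""
    hits = [z for z in zones if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None

def candidate_clients(fw_event, entries, ns_to_zones, window=timedelta(seconds=5)):
    """Client queries that could have made the resolver contact fw_event['dst'].

    Only queries in the `window` before the firewall timestamp count (the client
    query precedes the outbound lookup), and only for zones that nameserver serves.
    Returns (client, qname, zone) oldest first; the earliest is the likeliest
    trigger, since later ones would normally have been answered from cache."""
    zones = ns_to_zones.get(fw_event["dst"], set())
    lo, hi = fw_event["ts"] - window, fw_event["ts"]
    out = []
    for ts, client, qname, _qtype in entries:
        z = zone_of(qname, zones) if lo <= ts <= hi else None
        if z:
            out.append((client, qname, z))
    return out
```

On the constructed data this leaves a single candidate, client 10.1.2.77 asking for www.xxx.com, while the unrelated example.net query in the same second is dropped because that nameserver does not serve it.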

Michael Herr

Feb 12, 2016, 9:41:17 PM
to Jones, xcnd, Scott Atta, Joe Petrocelli, Jake Ross
I feel like I have stumped everyone.  No wonder we can never win the Network Forensics Packet Capture contest...

:)

Derek Watkins

Feb 12, 2016, 11:27:24 PM
to Michael Herr, Jones, xcnd, Scott Atta, Joe Petrocelli, Jake Ross
Are you pulling in netflow?

Sent from my iPhone. Please excuse typos and brevity.

Michael Herr

Feb 12, 2016, 11:36:52 PM
to Derek Watkins, Jones, xcnd, Scott Atta, Joe Petrocelli, Jake Ross
There is some netflow, but how will netflow address my issue?

Where's Rob?... hahaha.... 

Joseph Petrocelli

Feb 12, 2016, 11:50:54 PM
to Michael Herr, Derek Watkins, Jones, xcnd, Scott Atta, Jake Ross
Fucking Nikki in the comm closet. 


v/r,

Joe Petrocelli

Michael Herr

Feb 12, 2016, 11:56:07 PM
to Joseph Petrocelli, Derek Watkins, Jones, xcnd, Scott Atta, Jake Ross
drop the mic.. I have no response. 

