Passive DNS in the hands of an analyst

The Domain Name System (DNS) is like a phone book that translates user-friendly names such as "ussc.ru" into IP addresses. Since DNS activity is present in almost all communication sessions regardless of the protocol, DNS logging is a valuable data source for the information security specialist: it allows them to detect anomalies or obtain additional data about the system under investigation.

In 2004, Florian Weimer proposed a logging method called Passive DNS, which makes it possible to reconstruct the history of DNS data changes in an indexed, searchable form, giving access to the following data:

  • Domain name
  • The IP address of the requested domain name
  • Date and time of response
  • Response Type
  • etc.

Data for Passive DNS is collected from recursive DNS servers by built-in modules or by intercepting responses from DNS servers responsible for the zone.

Figure 1. Passive DNS (taken from the site ctovision.com)

A peculiarity of Passive DNS is that the client's IP address does not need to be recorded, which helps protect user privacy.
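To make the collection side concrete, here is an added example (not code from the original article or from any of the services it lists) of the core of a Passive DNS sensor: it parses the answer section of a DNS response message in wire format, keeps only the record types worth indexing, and stores them keyed on (name, type, value) with first-seen and last-seen timestamps. Nothing about the querying client is retained, which is the privacy property described above. The sample response is built by hand inside the block and is constructed, not captured traffic; the field names and the `PdnsStore` layout are this example's own choices.

```python
"""A minimal Passive DNS sensor: pull (name, type, value) records out of DNS responses."""
import struct
from ipaddress import IPv4Address, IPv6Address

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 28: "AAAA"}   # record types worth indexing


def _read_name(msg, off):
    """Decode a possibly compressed name starting at `off`; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    for _ in range(128):                       # bounded: protects against pointer loops
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("malformed name (too many labels or pointer loop)")
    return ".".join(labels) or ".", (end if jumped else off)


def _rdata_to_text(msg, rtype, off, rdlen):
    """Render the rdata of the types we keep; None for everything else."""
    if rtype == 1 and rdlen == 4:
        return str(IPv4Address(msg[off:off + 4]))
    if rtype == 28 and rdlen == 16:
        return str(IPv6Address(msg[off:off + 16]))
    if rtype in (2, 5):
        return _read_name(msg, off)[0]
    return None


def extract_records(msg, observed_at):
    """Return (name, rtype, value, observed_at) tuples from one DNS response message.
    Only the answer section is used and nothing about the client is kept, which is
    what makes the data set shareable without exposing who asked."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000 or flags & 0x000F:   # not a response, or an error response
        return []
    off = 12
    for _ in range(qd):                        # skip the question section
        off = _read_name(msg, off)[1] + 4
    out = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        value = _rdata_to_text(msg, rtype, off, rdlen)
        off += rdlen
        if value is not None:
            out.append((name, TYPE_NAMES[rtype], value, observed_at))
    return out


class PdnsStore:
    """In-memory index keyed on (name, rtype, value) with first/last seen and a hit count."""
    def __init__(self):
        self.rows = {}

    def ingest(self, records):
        for name, rtype, value, ts in records:
            first, last, count = self.rows.get((name, rtype, value), (ts, ts, 0))
            self.rows[(name, rtype, value)] = (min(first, ts), max(last, ts), count + 1)

    def lookup(self, name):
        return sorted((k[1], k[2], *v) for k, v in self.rows.items() if k[0] == name)


# --- constructed test input: a hand-built response, not captured traffic ---------------
def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname, answers):
    """Encode a response; answers are (owner, rtype, rdata_bytes). Owner names equal to
    the question name are written as a pointer to offset 12, exercising compression."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    body = _encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in answers:
        body += (b"\xc0\x0c" if owner == qname else _encode_name(owner))
        body += struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + body


SAMPLE = build_response("ussc.ru", [
    ("ussc.ru", 1, IPv4Address("192.0.2.1").packed),
    ("ussc.ru", 28, IPv6Address("2001:db8::1").packed),
    ("ussc.ru", 2, b"\x03ns1\xc0\x0c"),       # ns1.ussc.ru with its tail compressed
    ("ussc.ru", 16, b"\x05hello"),            # TXT: walked past, not recorded
])

if __name__ == "__main__":
    store = PdnsStore()
    store.ingest(extract_records(SAMPLE, "2019-08-01T10:00:00Z"))
    store.ingest(extract_records(SAMPLE, "2019-08-02T10:00:00Z"))
    for row in store.lookup("ussc.ru"):
        print(row)
```

A real sensor would feed `extract_records` from a packet capture or a resolver's response log and persist the store, but the shape of the data is the same: the answer's owner name, type and value, bounded by first and last observation, with no client address anywhere in the row.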

At the moment, there are many services that provide access to Passive DNS data:

| Service | Company | Access | API | Ready-made client | Start of data collection |
|---|---|---|---|---|---|
| DNSDB | Farsight Security | On request | Present | Present | 2010 |
| VirusTotal | VirusTotal | Doesn't require registration | Present | Present | 2013 |
| PassiveTotal | RiskIQ | Registration is free | Present | Present | 2009 |
| Octopus | SafeDNS | On request | Present | No | Displays only the last 3 months |
| SecurityTrails | SecurityTrails | Doesn't require registration | Present | No | 2008 |
| Umbrella Investigate | Cisco | On request | Present | No | 2006 |

Table 1. Services with access to Passive DNS data

Use cases for Passive DNS

Using Passive DNS, you can build relationships between domain names, NS servers and IP addresses. This allows you to build maps of the systems under study and track changes in such a map from the first discovery to the current moment.

Passive DNS also makes it easier to detect anomalies in traffic. For example, tracking changes in NS zones and in A and AAAA records allows you to identify malicious sites that use the fast flux method, designed to hide C&C servers from detection and blocking: legitimate domain names (except those used for load balancing) don't change their IP addresses often, and most legitimate zones rarely change their NS servers.
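The heuristic in that paragraph, written out as an added example (not from the original article): for each name, count the distinct addresses in its A/AAAA history, collapse them to /24 or /48 networks so a load balancer's pool in one network counts once, and divide by the number of days the name has been observed. A name with many addresses across many networks in a short window is a fast-flux candidate; a long-lived name with a few addresses in one network is not. The records, names and thresholds are all constructed for the example.

```python
"""Screening Passive DNS history for fast-flux behaviour (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class PdnsRecord:
    """One Passive DNS observation: name -> value with its first/last seen dates."""
    name: str
    rtype: str        # "A", "AAAA" or "NS"
    value: str
    first_seen: date
    last_seen: date


def _rec(name, rtype, value, first, last):
    return PdnsRecord(name, rtype, value, date.fromisoformat(first), date.fromisoformat(last))


# Constructed records; all names are .test and all addresses are reserved ranges.
RECORDS = [
    # Stable corporate host: one address and one NS for well over a year.
    _rec("corp-example.test", "A", "192.0.2.10", "2018-03-01", "2019-08-01"),
    _rec("corp-example.test", "NS", "ns1.corp-example.test", "2018-03-01", "2019-08-01"),
    # Load-balanced site: several addresses, but all in one /24 and stable over time.
    *[_rec("lb-example.test", "A", f"198.51.100.{i}", "2018-03-01", "2019-08-01")
      for i in (11, 12, 13, 14)],
    # Fast-flux style: twelve addresses in unrelated /24s plus NS churn, all within three days.
    *[_rec("flux-example.test", "A", f"198.18.{i}.{10 + i}", "2019-07-30", "2019-08-01")
      for i in range(1, 13)],
    *[_rec("flux-example.test", "NS", f"ns{i}.flux-example.test", "2019-07-30", "2019-08-01")
      for i in range(1, 5)],
]


def _network(value):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so one hoster's pool counts once."""
    ip = ip_address(value)
    return str(ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False))


def summarize(records, name):
    """Per-name statistics: distinct addresses, distinct networks, observation span, NS count."""
    addr = [r for r in records if r.name == name and r.rtype in ("A", "AAAA")]
    if not addr:
        return None
    span_days = (max(r.last_seen for r in addr) - min(r.first_seen for r in addr)).days + 1
    ips = {r.value for r in addr}
    return {
        "distinct_ips": len(ips),
        "distinct_nets": len({_network(ip) for ip in ips}),
        "span_days": span_days,
        "ips_per_day": len(ips) / span_days,
        "distinct_ns": len({r.value for r in records if r.name == name and r.rtype == "NS"}),
    }


def is_fast_flux_candidate(records, name, min_ips=5, min_nets=3, min_rate=1.0):
    """Flag names whose address set is large, spread over many networks and changing fast.
    Thresholds are illustrative; tune them against your own resolver's volume."""
    s = summarize(records, name)
    if s is None:
        return False
    return (s["distinct_ips"] >= min_ips and s["distinct_nets"] >= min_nets
            and s["ips_per_day"] >= min_rate)


def screen(records):
    """All names in the data set that meet the fast-flux heuristic, sorted."""
    names = sorted({r.name for r in records})
    return [n for n in names if is_fast_flux_candidate(records, n)]


if __name__ == "__main__":
    for n in sorted({r.name for r in RECORDS}):
        print(n, summarize(RECORDS, n))
    print("candidates:", screen(RECORDS))
```

The network collapse is what keeps the load-balanced name out of the candidate list: it has four addresses, but one network and a rate of well under one address per day. A production version would also weigh TTLs and the autonomous systems behind the networks, which the page's services expose but this toy data set does not.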

Passive DNS, in contrast to direct enumeration of subdomains using dictionaries, allows you to find even the most exotic domain names, for example “222qmxacaiqaaaaazibq4aaidhmbqaaa0undefined7140c0.p.hoff.ru”. It also sometimes allows you to find test (and vulnerable) parts of a website, developer materials, etc.

Examining a link from an email using Passive DNS

At the moment, spam is one of the main ways in which an attacker penetrates a victim's computer or steals confidential information. Let's try to examine the link from such an email using Passive DNS to evaluate the effectiveness of this method.

Figure 2. Spam email

The link from this letter led to the site magnit-boss.rocks, which offered to automatically collect bonuses and receive money:

Figure 3. Page hosted on the magnit-boss.rocks domain

The RiskIQ API was used to study this site; it already has three ready-made clients, in Python, Ruby and Rust.

First of all, let's retrieve the entire history of this domain name; for this we use the command:

pt-client pdns --query magnit-boss.rocks

This command will return information about all DNS resolutions associated with this domain name.

Figure 4. Response from the Riskiq API

Let's bring the API response into a more readable form:

Figure 5. All entries from the response

For further research, we took the IP addresses to which this domain name resolved at the time the letter was received (01.08.2019): 92.119.113.112 and 85.143.219.65.

Using the command:

pt-client pdns --query

with an IP address as the query, you can get all the domain names that are associated with given IP addresses.

The IP address 92.119.113.112 has 42 unique domain names that have resolved to it, among which are the following names:

  • magnet-boss.club
  • igrovie-automaty.me
  • pro-x-audit.xyz
  • zep3-www.xyz
  • etc.

The IP address 85.143.219.65 has 44 unique domain names that have resolved to this IP address, among which are the following names:

  • cvv2.name (website for selling credit card data)
  • emaills.world
  • www.mailru.space
  • etc.

The company these domain names keep points to phishing, but we believe in kind people, so let's try to get the bonus of 332 rubles. After clicking the “YES” button, the site asks us to transfer 501.72 rubles from our card to unlock the account and sends us to the site as-torpay.info to enter the data.

Figure 6. Main page of the site ac-pay2day.net

It looks like a legitimate site: there is an HTTPS certificate, and the main page offers to connect this payment system to your site, but, alas, none of the links to connect work. This domain name resolves to only one IP address, 190.115.19.74. That address, in turn, has 1475 unique domain names that resolve to it, including such names as:

  • ac-pay2day.net
  • ac-payfit.com
  • as-manypay.com
  • fletkass.net
  • as-magicpay.com
  • etc.

As we can see, Passive DNS allows you to quickly and efficiently collect data about the resource under study and even build a kind of infrastructure map that uncovers the whole scheme for stealing personal data, from its collection to the likely place of sale.
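The pivot the article just walked through (domain at the date of the email, then every name on those addresses, then the map in Figure 7), as an added example that is not from the article and does not use the RiskIQ client: it runs over a constructed set of resolutions in which a lure domain shares two addresses with look-alike and card-shop names, while a "payment" domain sits on an address fronting 1500 unrelated sites. The second case is the trap the closing paragraph warns about, so the pivot refuses to expand any address carrying more than a threshold of names and reports it as shared hosting instead. Names, addresses, dates and the threshold are all constructed for the example; the date filter is what turns "all IPs this name ever had" into "the IPs it had when the letter arrived".

```python
"""Pivoting Passive DNS data from a seed domain to its co-hosted neighbours (constructed data)."""
from collections import defaultdict
from datetime import date

# Above this many names on one address, treat it as shared hosting/CDN and do not expand it:
# pivoting through such an address would pull in thousands of unrelated sites.
SHARED_HOST_THRESHOLD = 200


def _rec(name, value, first, last):
    return {"name": name, "value": value,
            "first_seen": date.fromisoformat(first), "last_seen": date.fromisoformat(last)}


def _as_date(on):
    return date.fromisoformat(on) if isinstance(on, str) else on


# Constructed resolutions; names are .test and addresses are reserved documentation ranges.
RECORDS = [
    _rec("lure.test", "192.0.2.5", "2019-05-01", "2019-06-15"),       # old hosting, gone before the mail
    _rec("lure.test", "198.51.100.7", "2019-07-20", "2019-08-03"),
    _rec("lure.test", "203.0.113.9", "2019-07-28", "2019-08-05"),
    _rec("lure-2.test", "198.51.100.7", "2019-07-01", "2019-08-10"),
    _rec("slots-example.test", "198.51.100.7", "2019-06-01", "2019-08-10"),
    _rec("cards-shop.test", "203.0.113.9", "2019-03-01", "2019-08-10"),
    _rec("mail-lookalike.test", "203.0.113.9", "2019-07-01", "2019-08-10"),
    _rec("pay-example.test", "198.51.100.200", "2019-01-01", "2019-08-10"),
    # A shared address fronting 1500 unrelated names (think CDN or mass hosting).
    *[_rec(f"site{i}.shared-example.test", "198.51.100.200", "2019-01-01", "2019-08-10")
      for i in range(1500)],
]


def resolutions_at(records, name, on):
    """Addresses the name resolved to on a given date (first_seen <= on <= last_seen)."""
    on = _as_date(on)
    return sorted({r["value"] for r in records
                   if r["name"] == name and r["first_seen"] <= on <= r["last_seen"]})


def names_on_ip(records, ip):
    """Every name ever seen resolving to the address (the reverse pivot)."""
    return sorted({r["name"] for r in records if r["value"] == ip})


def pivot(records, seed, on, hops=1):
    """Breadth-first map: seed -> addresses active on `on` -> co-hosted names, `hops` times.
    Returns (edges, shared): edges are (name, ip) pairs; shared lists addresses skipped
    because more than SHARED_HOST_THRESHOLD names sit on them."""
    edges, shared, seen_ips, seen_names = set(), set(), set(), {seed}
    frontier = {seed}
    for _ in range(hops):
        next_names = set()
        for name in sorted(frontier):
            for ip in resolutions_at(records, name, on):
                edges.add((name, ip))
                if ip in seen_ips:
                    continue
                seen_ips.add(ip)
                neighbours = names_on_ip(records, ip)
                if len(neighbours) > SHARED_HOST_THRESHOLD:
                    shared.add(ip)
                    continue
                for n in neighbours:
                    edges.add((n, ip))
                    if n not in seen_names:
                        seen_names.add(n)
                        next_names.add(n)
        frontier = next_names
    return edges, shared


def render(edges, shared):
    """Plain-text version of the map grouped by address, for a notebook or a ticket."""
    by_ip = defaultdict(list)
    for name, ip in edges:
        by_ip[ip].append(name)
    lines = []
    for ip in sorted(by_ip):
        tag = "  [shared hosting, not expanded]" if ip in shared else ""
        lines.append(f"{ip}{tag}")
        lines.extend(f"    {n}" for n in sorted(by_ip[ip]))
    return "\n".join(lines)


if __name__ == "__main__":
    for seed in ("lure.test", "pay-example.test"):
        edges, shared = pivot(RECORDS, seed, "2019-08-01")
        print(f"== {seed} as of 2019-08-01\n{render(edges, shared)}\n")
```

Run against a real service's output, the only change is the loader: fill `RECORDS` from the API's resolution list instead of the constructed rows. The `hops` parameter is deliberately small by default; every extra hop multiplies the false connections through hosting providers, which is why the shared-address check matters more the deeper you go.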

Figure 7. Map of the system under study

Not everything is as rosy as we would like. For example, such investigations can easily break down on Cloudflare or similar services, where a single shared address fronts many unrelated names. And the usefulness of the collected database depends heavily on the number of DNS requests passing through the module that collects Passive DNS data. Nevertheless, Passive DNS is a valuable source of additional information for the researcher.

Author: Specialist of the Ural Center for Security Systems

Source: habr.com