
Strengthen your network security with Passive DNS

Cricket Liu | Oct. 28, 2015
Collecting and analyzing Passive DNS data can help identify malicious sites and combat phishing and malware; here’s how to get started.

Over the past few years, we’ve witnessed increasing attacks against DNS infrastructure: DDoS attacks against authoritative name servers, name servers used as amplifiers in DDoS attacks, compromised registrar accounts used to modify delegation information, cache poisoning attacks, and abuse of name servers by malware. Thankfully, we’ve also seen the concurrent development of powerful new mechanisms for combating those threats, including the DNS Security Extensions, response policy zones, and response rate limiting.

Perhaps the most promising means of enhancing DNS security, and the security of the Internet generally, has yet to be fully exploited. That’s Passive DNS data.

A primer on Passive DNS

Passive DNS was invented by Florian Weimer in 2004 to combat malware. Basically, recursive name servers would log the responses they received from other name servers and replicate that logged data to a central database.

What would that logged data look like? Well, recall how recursive name servers operate. When queried, they first check their cache and authoritative data for an answer. If the answer isn’t present, they query one of the root name servers and follow referrals until they identify the authoritative name servers that know the answer, then query one of those authoritative name servers to retrieve it. It looks something like this:

[Figure: recursive name server resolution]

Most Passive DNS data is captured immediately “above” the recursive name server, as indicated here:

[Figure: passive DNS collection point, above the recursive name server]

That means Passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet (along with errors, of course). This data is time-stamped, deduped, and compressed, then replicated to a central database for archiving and analysis.

Note that what’s captured is server-to-server communication, not queries from your stub resolvers to the recursive name server. (Stub resolvers sit “below” the recursive name server in the diagram.) That’s important for two reasons. First, there’s significantly less server-to-server traffic than between a stub resolver and a recursive name server, because only cache misses generate it. Second, the server-to-server communication can’t easily be associated with a particular stub resolver, and therefore represents much less of a privacy concern.
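As an added illustration, not code from the article, here is one way to model the dedupe-and-archive step just described: raw observations captured above the recursive name server (timestamp, owner name, record type, rdata, and nothing identifying a client) are collapsed into records keyed by name, type and rdata, each carrying first-seen, last-seen and count fields, which is what lets an analyst later ask what a name has resolved to over time, or which names have pointed at a given address. The observations are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample observations as seen "above" the recursive server:
# (unix timestamp, owner name, rrtype, rdata). No stub-resolver identity.
OBSERVATIONS = [
    (1445990400, "www.example.com.", "A", "192.0.2.10"),
    (1445990460, "WWW.example.com.", "A", "192.0.2.10"),   # same data, new case
    (1445994000, "example.com.", "NS", "ns1.example.net."),
    (1446000000, "www.example.com.", "A", "192.0.2.10"),
    (1446076800, "www.example.com.", "A", "198.51.100.7"),  # address changed
    (1446080400, "login.example.org.", "A", "198.51.100.7"),
]


@dataclass
class Record:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: int
    last_seen: int
    count: int


def aggregate(observations):
    """Dedupe raw observations into passive DNS records keyed by the
    (name, type, rdata) triple, tracking first/last seen and a hit count."""
    db = {}
    for ts, name, rtype, rdata in observations:
        key = (name.lower(), rtype, rdata)  # DNS names are case-insensitive
        rec = db.get(key)
        if rec is None:
            db[key] = Record(name.lower(), rtype, rdata, ts, ts, 1)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1
    return db


def history(db, rrname):
    """Forward lookup: every rdata ever observed for a name, oldest first."""
    return sorted((r for r in db.values() if r.rrname == rrname.lower()),
                  key=lambda r: r.first_seen)


def names_for(db, rdata):
    """Inverse lookup: every name that has ever pointed at this rdata."""
    return sorted({r.rrname for r in db.values() if r.rdata == rdata})
```

With the sample above, the forward lookup shows www.example.com. moving from 192.0.2.10 to 198.51.100.7, and the inverse lookup shows both names that have shared the new address.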

How the Passive DNS data is collected varies. Some recursive name servers, including Knot and Unbound, include software hooks that make it easy to capture Passive DNS data. Administrators can use a free program called dnstap to read the Passive DNS data from the name server.

Folks running other name servers may use different tools on the host running the recursive name server to monitor traffic to the name server, or they may mirror the name server’s port to another host that records the data.
