# Peculiar DNS Traffic DNS traffic analysis can be challenging due to its high volume, but identifying abnormalities is crucial for detecting malicious activity. *** #### DNS Queries DNS queries allow clients to resolve domain names to IP addresses and vice versa. #### DNS Forward Queries In a forward lookup, the client resolves a domain name to an IP address, following these steps: 1. **Query Initiation**: Client queries domain, e.g., `academy.hackthebox.com`. 2. **Local Cache Check**: Checks local DNS cache; if unresolved, continues. 3. **Recursive Query**: Sends query to the configured DNS server. 4. **Root Servers**: DNS resolver queries root servers if necessary. 5. **TLD Servers**: Root server directs to TLD servers (e.g., `.com`). 6. **Authoritative Servers**: TLD server points to domain's authoritative server. 7. **Domain’s Authoritative Servers**: The resolver obtains the IP address. 8. **Response**: The IP address is sent back to the client. #### DNS Reverse Lookups/Queries Reverse lookups are used to find a domain name from an IP address: 1. **Query Initiation**: Client sends a DNS reverse query with the IP. 2. **Reverse Lookup Zones**: DNS resolver checks if it is authoritative. 3. **PTR Record Query**: Resolver searches for a PTR record. 4. **Response**: The FQDN is returned if a matching PTR is found. *** #### DNS Record Types | Record Type | Description | | ----------- | --------------------------------------------- | | A | Maps a domain name to an IPv4 address | | AAAA | Maps a domain name to an IPv6 address | | CNAME | Creates an alias for a domain | | MX | Specifies mail server for the domain | | NS | Authoritative name servers for the domain | | PTR | Used in reverse queries to map IP to a domain | | TXT | Specifies text associated with the domain | | SOA | Administrative information about the zone | #### Detecting DNS Enumeration Attempts A high volume of DNS queries from a single host may suggest DNS enumeration. Using Wireshark, filter DNS traffic as follows: ``` dns ``` If queries include `ANY`, this could indicate DNS enumeration, or even subdomain enumeration. #### Finding DNS Tunneling DNS tunneling can involve a significant number of **TXT records** from one host. Attackers may exfiltrate data by appending it to the TXT field of DNS queries. #### Example of DNS Tunneling Indicators Examine DNS traffic for unusual or unexpected text in the TXT field. Encoded or encrypted data may appear, often as base64: 1. **Extracting Base64 Encoded Data**: ``` echo 'VTBaU1EyVXhaSFprVjNocldETnNkbVJXT1cxaU0wb3pXVmhLYTFneU1XeFlNMUp2WVZoT1ptTklTbXhrU0ZJMVdETkNjMXBYUm5wYQpXREJMQ2c9PQo=' | base64 -d ``` 2. **Handling Multi-Level Encoding**: ``` echo 'encoded_string' | base64 -d | base64 -d | base64 -d ``` Some attackers may encode data multiple times or encrypt it, making detection harder. #### Reasons for DNS Tunneling 1. **Data Exfiltration**: Used to covertly export data from a network. 2. **Command and Control**: Enables compromised systems to communicate with attacker-controlled servers, often used in botnets. 3. **Firewall Bypassing**: DNS tunnels can bypass firewalls or proxies focused on HTTP/HTTPS. 4. **Domain Generation Algorithms (DGAs)**: Advanced malware uses DGAs to generate dynamic domain names, complicating detection. #### The Interplanetary File System and DNS Tunneling Advanced threat actors may use IPFS to store and retrieve malicious files, making DNS/HTTP traffic to URIs like the following noteworthy: * **IPFS Example URI**: ``` https://cloudflare-ipfs.com/ipfs/QmS6eyoGjENZTMxM7UdqBk6Z3U3TZPAVeJXdgp9VK4o1Sz ``` IPFS operates on a peer-to-peer basis, complicating detection. Regular monitoring of DNS and HTTP/HTTPS traffic is essential to mitigate these attacks.