This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to identify any rogue dns requests using wireshark?


Hi, I am an administrator of a college and management is looking for a solution in order to identify if there are any rogue DNS requests to our DNS servers? I have set a packet capture for 24 hours to provide enough requests for analysis.

Thank you

asked 12 Dec '11, 08:48

staramod

edited 12 Dec '11, 08:56

grahamb ♦

What constitutes a rogue DNS request for you?

(12 Dec '11, 12:41) Jaap ♦

http://www.fbi.gov/news/stories/2011/november/malware_110911/dns-changer-malware.pdf

I am going to set the packet capture on my datacenter firewall and see if it catches any traffic to the rogue DNS servers.

Thank you all

(15 Dec '11, 09:35) staramod

So, that was a misleading question... the referenced document describes DNS changer malware that modifies the DNS settings at the clients, in order to have them access rogue DNS servers. Not clients making rogue requests to your good DNS servers. Anyway, checking the datacenter firewall for outgoing DNS traffic, while this should go through your DNS servers, is fine.

(15 Dec '11, 15:15) Jaap ♦

4 Answers:


By "rogue DNS requests" I assume you mean DNS requests from systems that shouldn't be using your DNS servers. If your network is 192.168.1.0/24, use a display filter something like this:

(dns) && (dns.flags.response == 0) && !(ip.src==192.168.1.0/24)

This will show all DNS queries that originate from machines that are NOT on your network.

Of course, substitute your actual subnet address and subnet mask for 192.168.1.0/24. If you have legitimate DNS requests coming from multiple subnets, the address portion of the filter will be more complicated, but the principle is the same.

answered 12 Dec '11, 12:37

Jim Aragon

Jim, thanks for your reply. What I am looking for here is a machine from my network which is sending abnormal DNS requests... Maybe the packet size is a lot bigger than normal, or something of that sort. And a machine which might send abnormally frequent requests to the DNS server. I am trying to identify the machine that might be infected with a virus or has been compromised.

Thank You Amod.

(13 Dec '11, 03:01) staramod


It depends on what your definition of a "rogue" DNS request is. Are you looking for users querying your DNS servers without being authorized to do so? You could filter on IP ranges then - for example, if all authorized users have an IP address from the network 172.16.0.0/16 you could filter on (not ip.addr==172.16.0.0/16) and (ip.addr==YourDNSServerIP and (udp.port==53 or tcp.port==53)) (substitute your network and mask). All that remain are not from your users' IP range and should probably not be allowed to use the server.

If you're looking for other kinds of "rogue" DNS request you might want to specify what you're looking for, so we might be able to help.

answered 12 Dec '11, 12:40

Jasper ♦♦

Thank you for your reply Jasper. Please find above my comment against Jim's.

Regards, Amod

(13 Dec '11, 03:03) staramod


Assuming a Linux-based DNS server, you should look into iptables. You can set up rules on the INPUT chain which sort out 'larger than normal' packets and/or rate-limit per host and log them. This not only allows logging of them, but also keeps them off your DNS.

answered 13 Dec '11, 04:05

Jaap ♦


Figure out what you think might constitute an "abnormal DNS request" and then filter on that. There are a lot of possibilities. For packet sizes larger than normal, consider filtering on "dns && udp.length > somevalue" or "dns && tcp.len > somevalue" or even "dns && frame.len > somevalue", where somevalue is the number of bytes that you think is abnormally large.

Click on "Expression" to the right of the display filter input box, scroll down to DNS and take a look at all the possible filters relating to DNS.

You might consider filtering on "dns.count.queries > somevalue". Sometimes bot-infected systems will query a large number of DNS names in a single query. Similarly, you might look for DNS responses that contain a large number of answers with "dns.count.answers > somevalue", but this is not a foolproof indicator of illegitimate activity. Sites like google.com will return a large number of responses.

To find systems that are sending abnormally frequent DNS requests, filter on "(dns) && (dns.flags.response == 0)" to limit the display to DNS requests only, then click on Statistics > Conversations, and check "Limit to display filter." You can then select the tab you want (IPv4, IPv6, etc.) and sort by number of packets to see which systems are sending the most DNS requests.

answered 15 Dec '11, 13:32

Jim Aragon

edited 10 May '13, 08:36
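The three checks proposed in the answers above (Jim's and Jasper's off-subnet filter, the "larger than normal" size filter, and the Statistics > Conversations count of queries per source) can also be scripted over a field export from tshark, which is handy for a 24-hour capture. The script below is an added example, not code from the original thread or from the Wireshark project. It assumes the capture was exported with the real tshark options `-Y "dns.flags.response == 0" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e udp.length -e dns.qry.name -E separator=,`; the sample lines embedded in it are constructed, not from a real capture, and the subnet and thresholds are placeholders to replace with your own.

```python
import ipaddress
from collections import Counter

# Constructed sample export (NOT a real capture). It imitates what
#   tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields \
#          -e frame.time_epoch -e ip.src -e ip.dst -e udp.length -e dns.qry.name \
#          -E separator=,
# prints: one DNS query per line, responses already filtered out.
SAMPLE_EXPORT = """\
1323700000.10,192.168.1.20,192.168.1.5,48,www.example.com
1323700000.40,192.168.1.21,192.168.1.5,52,mail.example.com
1323700001.00,10.9.9.9,192.168.1.5,50,www.example.com
1323700001.20,192.168.1.22,192.168.1.5,283,a3f9c0e1b7d2a4c6e8f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0.b7d2a4c6e8f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4.t.example.net
1323700001.30,192.168.1.30,192.168.1.5,47,cdn1.example.org
1323700001.31,192.168.1.30,192.168.1.5,47,cdn2.example.org
1323700001.32,192.168.1.30,192.168.1.5,47,cdn3.example.org
1323700001.33,192.168.1.30,192.168.1.5,47,cdn4.example.org
1323700001.34,192.168.1.30,192.168.1.5,47,cdn5.example.org
1323700001.35,192.168.1.30,192.168.1.5,47,cdn6.example.org
1323700002.00,192.168.1.20,192.168.1.5,49,www.example.net
"""

# Placeholder policy values: substitute your own subnet(s) and thresholds.
ALLOWED_NETWORKS = ["192.168.1.0/24"]
MAX_UDP_LEN = 200        # bytes; "somevalue" in the udp.length filter
MAX_QUERIES_PER_SRC = 5  # queries per source over the whole export


def parse_export(text):
    """Turn the comma-separated tshark field export into a list of query dicts."""
    queries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # dns.qry.name is last so a name containing commas cannot shift the columns
        ts, src, dst, udp_len, name = line.split(",", 4)
        queries.append({
            "time": float(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "udp_len": int(udp_len),
            "qname": name,
        })
    return queries


def off_subnet_queries(queries, allowed_networks):
    """Same idea as  dns && dns.flags.response == 0 && !(ip.src == <net>),
    generalised to several allowed subnets."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [q for q in queries if not any(q["src"] in n for n in nets)]


def oversized_queries(queries, max_udp_len):
    """Same idea as  dns && udp.length > somevalue ."""
    return [q for q in queries if q["udp_len"] > max_udp_len]


def queries_per_source(queries):
    """Like Statistics > Conversations with 'Limit to display filter' and the
    filter restricted to queries, sorted by packet count (highest first)."""
    return Counter(str(q["src"]) for q in queries).most_common()


def frequent_sources(queries, max_queries):
    """Sources sending more queries than the threshold, with their counts."""
    return [(src, n) for src, n in queries_per_source(queries) if n > max_queries]


if __name__ == "__main__":
    qs = parse_export(SAMPLE_EXPORT)
    print("queries from outside the allowed subnets:")
    for q in off_subnet_queries(qs, ALLOWED_NETWORKS):
        print(f"  {q['src']} -> {q['dst']}  {q['qname']}")
    print(f"queries with udp.length > {MAX_UDP_LEN}:")
    for q in oversized_queries(qs, MAX_UDP_LEN):
        print(f"  {q['src']}  {q['udp_len']} bytes  {q['qname'][:40]}...")
    print(f"sources with more than {MAX_QUERIES_PER_SRC} queries:")
    for src, n in frequent_sources(qs, MAX_QUERIES_PER_SRC):
        print(f"  {src}  {n} queries")
```

As the last answer notes, a high query count or a large response on its own is not proof of compromise; the output is a shortlist of hosts to look at more closely, not a verdict.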