Hi, I am an administrator of a college and management is looking for a solution to identify whether there are any rogue DNS requests to our DNS servers. I have set up a packet capture for 24 hours to provide enough requests for analysis.
asked 12 Dec '11, 08:48
edited 12 Dec '11, 08:56
By "rogue DNS requests" I assume you mean DNS requests from systems that shouldn't be using your DNS servers. If your network is 192.168.1.0/24, use a display filter something like this:
(dns) && (dns.flags.response == 0) && !(ip.src==192.168.1.0/24)
This will show all DNS queries that originate from machines that are NOT on your network.
Of course, substitute your actual subnet address and subnet mask for 192.168.1.0/24. If you have legitimate DNS requests coming from multiple subnets, the address portion of the filter will be more complicated, but the principle is the same.
answered 12 Dec '11, 12:37
It depends on what your definition of a "rogue" DNS request is. Are you looking for users querying your DNS servers without being authorized to do so? You could filter on IP ranges then - for example, if all authorized users have an IP address from the network 172.16.0.0/16 you could filter on (not ip.addr==172.16.0.0/16) and (ip.addr==YourDNSServerIP and (udp.port==53 or tcp.port==53)) (substitute your network and mask). All that remains is not from your users' IP range and should probably not be allowed to use the server.
If you're looking for other kinds of "rogue" DNS request you might want to specify what you're looking for, so we might be able to help.
answered 12 Dec '11, 12:40
Assuming a Linux-based DNS server, you should look into iptables. You can set up rules on the INPUT chain which sort out 'larger than normal' packets and/or rate-limit per host and log them. This not only allows logging of them, but also keeps them off your DNS.
answered 13 Dec '11, 04:05
Figure out what you think might constitute an "abnormal DNS request" and then filter on that. There are a lot of possibilities. For packet sizes larger than normal, consider filtering on "dns && udp.length > somevalue" or "dns && tcp.len > somevalue" or even "dns && frame.len > somevalue", where somevalue is the number of bytes that you think is abnormally large.
Click on "Expression" to the right of the display filter input box, scroll down to DNS and take a look at all the possible filters relating to DNS.
You might consider filtering on "dns.count.queries > somevalue". Sometimes bot-infected systems will query a large number of DNS names in a single query. Similarly, you might look for DNS responses that contain a large number of answers with "dns.count.answers > somevalue", but this is not a foolproof indicator of illegitimate activity. Sites like google.com will return a large number of responses.
To find systems that are sending abnormally frequent DNS requests, filter on "(dns) && (dns.flags.response == 0)" to limit the display to DNS requests only, then click on Statistics > Conversations, and check "Limit to display filter." You can then select the tab you want (IPv4, IPv6, etc.) and sort by number of packets to see which systems are sending the most DNS requests.
answered 15 Dec '11, 13:32
edited 10 May '13, 08:36
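The checks suggested in the first, second and last answers (queries from sources outside the authorized subnets, oversized packets, unusually high question or answer counts, and hosts sending the most queries) can also be run offline over the DNS payloads extracted from the 24-hour capture. The following script is an added example, not code from this thread or from the Wireshark project: it decodes the fixed 12-byte DNS header itself and applies each heuristic. The authorized networks, the resolver address, the thresholds and the sample packets are all constructed placeholders; in practice the (src, dst, payload) tuples would come from your own pcap reader.

```python
import ipaddress
import struct
from collections import Counter

# Assumed site values (placeholders, not from the thread): the networks whose
# hosts may use the resolver, and the resolver's own address.
AUTHORISED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                   ipaddress.ip_network("172.16.0.0/16")]
DNS_SERVER = ipaddress.ip_address("192.168.1.53")

# Thresholds, i.e. the "somevalue" of the last answer. 512 bytes is the classic
# UDP DNS payload limit without EDNS, so larger messages deserve a look.
MAX_PAYLOAD = 512
MAX_QUESTIONS = 1        # normal queries carry exactly one question
MAX_ANSWERS = 20         # large answer sections are suspicious but not conclusive
MAX_QUERIES_PER_HOST = 100


def parse_dns_header(payload: bytes):
    """Decode the fixed DNS header; returns (is_response, qdcount, ancount)."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return bool(flags & 0x8000), qdcount, ancount   # QR is the top bit of flags


def triage(packets):
    """packets: iterable of (src_ip, dst_ip, dns_payload). Returns the findings
    of each check; 'queries_per_host' mirrors Statistics > Conversations."""
    findings = {"rogue_source": set(), "oversized": [], "many_questions": [],
                "many_answers": [], "queries_per_host": Counter(), "unparsable": 0}
    for src, dst, payload in packets:
        try:
            is_response, qdcount, ancount = parse_dns_header(payload)
        except ValueError:
            findings["unparsable"] += 1          # junk on port 53, worth a look too
            continue
        if not is_response and ipaddress.ip_address(dst) == DNS_SERVER:
            findings["queries_per_host"][src] += 1
            if not any(ipaddress.ip_address(src) in net for net in AUTHORISED_NETS):
                findings["rogue_source"].add(src)
            if qdcount > MAX_QUESTIONS:
                findings["many_questions"].append((src, qdcount))
        if is_response and ancount > MAX_ANSWERS:
            findings["many_answers"].append((dst, ancount))
        if len(payload) > MAX_PAYLOAD:
            findings["oversized"].append((src, len(payload)))
    return findings


def top_talkers(findings, limit=MAX_QUERIES_PER_HOST):
    """Hosts that sent more queries than the limit, busiest first."""
    return [(h, n) for h, n in findings["queries_per_host"].most_common() if n > limit]


# --- constructed sample data (not captured traffic) ---------------------------
def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def make_dns(names, response=False, ancount=0, pad=0):
    """Minimal DNS message with one A/IN question per name; the answer section is
    not populated, only its count is set, which is all the header checks need."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", 0x1234, flags, len(names), ancount, 0, 0)
    questions = b"".join(_encode_name(n) + struct.pack("!HH", 1, 1) for n in names)
    return header + questions + b"\x00" * pad


SAMPLE_PACKETS = [
    ("192.168.1.10", "192.168.1.53", make_dns(["www.example.com"])),       # normal
    ("10.9.9.9", "192.168.1.53", make_dns(["www.example.com"])),           # outside nets
    ("172.16.4.2", "192.168.1.53", make_dns(["a.example", "b.example", "c.example"])),
    ("192.168.1.53", "192.168.1.10", make_dns(["www.example.com"], response=True, ancount=40)),
    ("192.168.1.77", "192.168.1.53", make_dns(["big.example"], pad=700)),  # oversized
    ("192.168.1.20", "192.168.1.53", b"\x00\x01"),                          # not DNS
] + [("192.168.1.99", "192.168.1.53", make_dns([f"h{i}.example"])) for i in range(150)]

if __name__ == "__main__":
    result = triage(SAMPLE_PACKETS)
    for check, hits in result.items():
        if check != "queries_per_host":
            print(f"{check}: {hits}")
    print("top talkers:", top_talkers(result))
```

The subnet check only counts packets addressed to the resolver, so responses and unrelated port-53 traffic do not pollute the per-host counts; the answer-count check records the destination, since that is the client that received the large response.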