Source credit: © AT&T Inc., "Detection of DNS Traffic Anomalies", Anestis Karasaridis, PhD, CISSP.
Understanding DNS Traffic Pattern
DNS Traffic Pattern
What is DNS
DNS, the Domain Name System, is the Internet's distributed database which maps the names used by users of the web, such as www.yahoo.com, to the corresponding IP addresses.
How DNS Works (resolution path, from the slide's diagram)
1. Local DNS cache
2. ISP recursive DNS server
3. Root nameservers
4. TLD nameservers
5. Authoritative DNS servers
6. Retrieve the record
7. Receive the answer
Facts and Concepts
• The DNS port is 53. Any DNS message should have 53 as either its source or destination port. (This holds for classic DNS over UDP or TCP; DNS over TLS uses port 853 and DNS over HTTPS rides on 443, so a port-53 filter does not see them.)
• The first message in any DNS exchange should be a query, and it should be sent from the client to the server.
• The header size is 12 bytes.
Details
Internal DNS
• A DNS server receives UDP packets with destination port 53.
• If UDP replies with source port 53 are seen coming from the same node back to the IP address that sent the query, it is almost certain that the node is a server.
Traffic Exchange
• The traffic exchange should be balanced. It is an important characteristic of DNS traffic that when messages are exchanged between two IP addresses, the query occurs before the response and each query is answered by one response.
Packet Size
• A packet must be larger than 40 bytes if it carries a DNS query or response: the IPv4 header is 20 bytes, the UDP header 8 bytes and the DNS header 12 bytes, and a real message also carries a question section. (Over TCP the transport header is itself at least 20 bytes and the DNS message is prefixed with a 2-byte length.)
Response Size
• Responses are not expected to be much bigger than the query. A response repeats the same domain name from the question section and adds the answer, which for an A record is a 4-byte IPv4 address, so a response many times the size of its query is itself an anomaly.
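To make the header, ordering and size facts above concrete, here is an added example (written for this page, not code from the slides or from AT&T). It builds the www.yahoo.com query and a matching A-record response in wire format, decodes the 12-byte header, and checks the query-before-response rule on a message sequence. The query ID, TTL and the 192.0.2.10 answer address are assumed values chosen for the example.

```python
import struct
from ipaddress import IPv4Address

DNS_HEADER_LEN = 12          # fixed header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (6 x 16-bit)
TYPE_A, CLASS_IN = 1, 1


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header. The QR bit (bit 15 of the flags word) tells query from response."""
    if len(msg) < DNS_HEADER_LEN:
        raise ValueError(f"need {DNS_HEADER_LEN} header bytes, got {len(msg)}")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:DNS_HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def encode_name(name: str) -> bytes:
    """Wire-format name: each label prefixed by its length, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(name: str, ident: int) -> bytes:
    """Client side: a recursive (RD=1) A query with one question and empty other sections."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Server side: same ID, QR=1 RD=1 RA=1, the question echoed back, one A record appended.
    The record's owner name is a compression pointer (0xC00C) to the question name at offset 12."""
    h = parse_header(query)
    header = struct.pack("!6H", h["id"], 0x8180, 1, 1, 0, 0)
    question = query[DNS_HEADER_LEN:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + IPv4Address(ip).packed
    return header + question + answer


def check_exchange(messages: list) -> list:
    """Apply the ordering rules to messages between one client and one server, in arrival order:
    the first message must be a query, and every response must answer an outstanding query ID."""
    problems, outstanding = [], set()
    for i, msg in enumerate(messages):
        h = parse_header(msg)
        if i == 0 and h["qr"] != 0:
            problems.append("first message is a response, not a query")
        if h["qr"] == 0:
            outstanding.add(h["id"])
        elif h["id"] in outstanding:
            outstanding.discard(h["id"])
        else:
            problems.append(f"response id {h['id']:#06x} has no matching query")
    return problems


# Constructed sample exchange (not captured traffic): the www.yahoo.com lookup from the slides,
# answered with an assumed address from the 192.0.2.0/24 documentation range.
QUERY = build_query("www.yahoo.com", 0x1A2B)
RESPONSE = build_a_response(QUERY, "192.0.2.10")

if __name__ == "__main__":
    print(len(QUERY), "byte query;", len(RESPONSE), "byte response")
    print(parse_header(RESPONSE))
    print(check_exchange([QUERY, RESPONSE]), check_exchange([RESPONSE, QUERY]))
```

QUERY is 31 bytes of DNS payload (the 12-byte header plus a 19-byte question), so even the smallest real query is well over 40 bytes once the 20-byte IPv4 and 8-byte UDP headers are added. RESPONSE is 47 bytes, larger than the query by exactly the 16-byte answer record, which is the "not much bigger" relationship the Response Size bullet describes. Feeding the two messages to check_exchange in the wrong order reports both the ordering violation and a response with no matching query.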
Details
Methodology
1. Capturing: capture all data on UDP port 53.
2. Matching: match flows to create a conversation.
3. Conversation type: determine whether the conversation is normal or imbalanced.
4. Identification: apply the rules to identify DNS servers.
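The four steps above, run end to end as an added worked example (written for this page, not code from the slides): it applies the capture filter, pairs unidirectional flow records into conversations, labels each one normal or imbalanced with the reason, and identifies the DNS servers. The Flow record layout, the sample addresses and the tolerance of one unanswered query per five are assumptions made for this example, not something the page specifies.

```python
from collections import defaultdict
from dataclasses import dataclass

DNS_PORT = 53
MIN_DNS_PACKET = 40   # IPv4 (20) + UDP (8) + DNS header (12); a packet this small carries no question


@dataclass
class Flow:
    """One unidirectional flow record, in the shape a NetFlow/IPFIX-style collector exports (assumed layout)."""
    ts: float       # flow start time, seconds
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int

    @property
    def avg_packet(self) -> float:
        return self.octets / self.packets


# Constructed sample flow records (not a real export); addresses are from documentation ranges.
SAMPLE_FLOWS = [
    Flow(100.0, "udp", "10.0.0.5", 50231, "192.0.2.53", 53, 1, 73),       # query ...
    Flow(100.1, "udp", "192.0.2.53", 53, "10.0.0.5", 50231, 1, 89),       # ... and its answer
    Flow(101.0, "udp", "10.0.0.7", 41000, "192.0.2.53", 53, 3, 210),      # three queries ...
    Flow(101.2, "udp", "192.0.2.53", 53, "10.0.0.7", 41000, 3, 260),      # ... three answers
    Flow(102.0, "udp", "10.0.0.9", 39000, "198.51.100.9", 53, 50, 3400),  # 50 queries, nothing back
    Flow(103.0, "udp", "203.0.113.4", 53, "10.0.0.5", 50232, 1, 80),      # "reply" nobody asked for
    Flow(104.0, "udp", "10.0.0.5", 50233, "192.0.2.53", 53, 1, 30),       # too short to be a query
    Flow(104.1, "udp", "192.0.2.53", 53, "10.0.0.5", 50233, 1, 80),
    Flow(106.0, "udp", "192.0.2.53", 53, "10.0.0.11", 60000, 1, 90),      # answer seen before ...
    Flow(106.3, "udp", "10.0.0.11", 60000, "192.0.2.53", 53, 1, 70),      # ... the query
    Flow(105.0, "tcp", "10.0.0.5", 44000, "192.0.2.80", 80, 5, 600),      # not DNS at all
]


def capture(flows):
    """Step 1: keep only UDP flows with port 53 as source or destination."""
    return [f for f in flows if f.proto == "udp" and DNS_PORT in (f.sport, f.dport)]


def match(flows):
    """Step 2: pair the two directions into a conversation keyed by (client, client port, server).
    Destination port 53 is the query direction; source port 53 is the response direction."""
    convs = defaultdict(dict)
    for f in flows:
        if f.dport == DNS_PORT:
            convs[(f.src, f.sport, f.dst)]["query"] = f
        else:
            convs[(f.dst, f.dport, f.src)]["response"] = f
    return dict(convs)


def conversation_type(conv):
    """Step 3: 'normal' only if the exchange is balanced, ordered and the packets can hold a message."""
    q, r = conv.get("query"), conv.get("response")
    reasons = []
    if q is None:
        reasons.append("response without a query")
    elif r is None:
        reasons.append("query without a response")
    else:
        if r.ts < q.ts:
            reasons.append("response seen before query")
        if r.packets > q.packets:
            reasons.append("more responses than queries")
        elif q.packets - r.packets > max(1, q.packets // 5):   # assumed tolerance: one unanswered per five
            reasons.append("most queries unanswered")
    for side in (q, r):
        if side is not None and side.avg_packet <= MIN_DNS_PACKET:
            reasons.append(f"{side.src} sends packets too small to carry a DNS message")
    return ("normal" if not reasons else "imbalanced"), reasons


def analyse(flows):
    """Steps 1-3 end to end: conversation key -> (type, reasons)."""
    return {key: conversation_type(conv) for key, conv in match(capture(flows)).items()}


def identify_servers(flows):
    """Step 4: a node is a DNS server when it receives UDP/53 queries and answers from
    source port 53 back to the querying node, i.e. it is the server side of a normal conversation."""
    return {server for (_, _, server), (kind, _) in analyse(flows).items() if kind == "normal"}


if __name__ == "__main__":
    for key, (kind, reasons) in analyse(SAMPLE_FLOWS).items():
        print(key, kind, "; ".join(reasons))
    print("DNS servers:", identify_servers(SAMPLE_FLOWS))
```

On the sample, only 192.0.2.53 is identified as a server: 198.51.100.9 absorbed fifty queries without ever replying, and 203.0.113.4 emitted a source-port-53 packet that no query preceded, so neither satisfies the "replies come back to the node that asked" rule. The 30-byte "query" is flagged because it cannot hold a 12-byte header plus a question behind 28 bytes of IP and UDP headers.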
Thanks