DNSTraffic Pattern

What is DNS

DNS, the Domain Name System, is the Internet’s distributed database which maps the names used by users of the web -

www.yahoo.com- to the corresponding IP address.

How DNS Works1

2

3

4

5

6

7

Local DNS Cache

ISP Recursive DNS Server

Root Nameservers

TLD Nameservers

Authoritative DNS servers

Retrieve the record

Receive the answer

Facts and ConceptsDNS port is 53.

Any DNS message should have the number 53 as the port number as either Source or Destination.

Fist message sent in any DNS exchange should be query. And it should be sent to server.

The header size is 12 bytes.

Details

It receives UDP packets with port 53 as Destination portInternal DNS• If UDP source port 53 replies are seen coming form the same node back to the IP address which

sent the query, then it’s almost certain that the node is Server.

The traffic exchange should be balanced.Traffic Exchange• It’s an important characteristic of DNS traffic that if message exchange occur between two IP

address, then it should balanced,( Query should occur before the Response.

packet size must be larger than 40 bytes if DNS Q/R included.Packet size• TCP requires minimum 20 bytes for header info.• UDP header 8 bytes.• DNS header 12 bytes.

Response are not expected to be bigger than the query.Response Size• Response size is not that big because it’s only send the IP address.• It include the same domain name along with the corresponding IP address, which is 4 bytes long

Details

MethodologyCapturing • Capture all data on UDP Port 53.

Matching• Match flow to create a conversation

Conversation Type

• Determine that the conversation Is normal or imbalanced

Identification

Apply to rules to Identify DNS Server.

Thanks