Tracking Domains w/o Blowing Up Your SIEM
Posted on October 5th, 2016
A common practice in SOCs is to periodically resolve known hostile domains to identify changes in adversarial infrastructure. There are a variety of approaches to help you track hostile infrastructure but your mileage may vary. If your monitoring capabilities are tuned to look for specific domains, you may end up adding a significant number of unnecessary alerts to your SIEM. If your organization actively poisons specific DNS requests, you may just change your code to point to 22.214.171.124. Unfortunately, that approach still lets an eavesdropper see what domains you are actively resolving.
Recently, Google began offering a DNSSEC-validating resolution over an encrypted HTTPS connection to mitigate some privacy and security concerns. Essentially, you can submit domains over a secure channel and let Google do the resolution for you! The API is clean and very responsive. To help us and hopefully others track infrastructure in a secure manner, we created a simple Python client to interface with the DNS-over-HTTPS API. The code is publicly available at https://github.com/wglodek/dns-over-https.
>>> from dns_over_https import SecureDNS
>>> r = SecureDNS()
>>> r.gethostbyname('www.breakpoint-labs.com')
u'126.96.36.199'
>>> r = SecureDNS(query_type='AAAA')
>>> r.gethostbyname('www.google.com')
u'2607:f8b0:400d:c02::6a'
>>> r.resolve('www.mit.edu')
[u'2001:590:100b:182::255e', u'2001:590:100b:18b::255e']
>>>
The code turns security and privacy on by default by: 1) padding each request with a random string to minimize the probability of a side-channel attack being successful, and 2) automatically asking the resolver not to forward any part of your IP address to the authoritative name servers.
There is a drop-in replacement for Python's `socket.gethostbyname` that turns your plaintext DNS queries into secure requests, so you can have a higher degree of confidence that no one is messing with the response!
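To make the two defaults above and the drop-in `gethostbyname` concrete, here is a minimal client for Google's DNS-over-HTTPS JSON API written for this article; it is an added example, not the code from the dns-over-https repository. It assumes Google's JSON endpoint at https://dns.google/resolve with the query parameters name, type, cd, edns_client_subnet and random_padding, and the two sample responses embedded at the bottom are constructed in the shape of that API, not captured traffic. The padding is sized so that every request carries the same query length regardless of the name looked up, and the parser keeps only records of the requested type so that a CNAME in the Answer section is never mistaken for an address.

```python
"""Minimal Google DNS-over-HTTPS (JSON API) client: an added example, not the
dns-over-https project's code. Assumes the endpoint and parameter names of
Google's JSON API; sample responses below are constructed."""
import json
import secrets
import socket
import string
import urllib.parse
import urllib.request
from typing import List, NamedTuple

API_URL = "https://dns.google/resolve"  # Google Public DNS JSON API (assumed endpoint)
RECORD_TYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
PAD_TO = 253  # longest legal DNS name; every query is padded up to this length


class DNSResult(NamedTuple):
    rcode: str
    addresses: List[str]
    dnssec_validated: bool  # the resolver sets AD when the answer was DNSSEC-validated


def random_padding(length: int) -> str:
    """Random alphanumeric string of the requested length."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_query(name: str, qtype: str = "A") -> dict:
    """Query parameters with the privacy settings on by default.

    - random_padding: pads the request so name length is not visible on the wire.
    - edns_client_subnet=0.0.0.0/0: do not forward any part of our IP upstream.
    - cd=false: keep DNSSEC validation enabled on the resolver side.
    """
    if qtype not in RECORD_TYPES:
        raise ValueError(f"unsupported record type: {qtype}")
    return {
        "name": name,
        "type": RECORD_TYPES[qtype],
        "cd": "false",
        "edns_client_subnet": "0.0.0.0/0",
        "random_padding": random_padding(max(0, PAD_TO - len(name))),
    }


def parse_response(body: dict, qtype: str = "A") -> DNSResult:
    """Extract addresses of the requested type and the validation flag."""
    status = body.get("Status")
    rcode = RCODES.get(status, f"RCODE{status}")
    wanted = RECORD_TYPES[qtype]
    # Keep only the requested type: CNAME records (type 5) travel in the same
    # Answer section and must not be returned as if they were addresses.
    addresses = [rr["data"] for rr in body.get("Answer", []) if rr.get("type") == wanted]
    return DNSResult(rcode, addresses, bool(body.get("AD", False)))


def resolve(name: str, qtype: str = "A", timeout: float = 5.0) -> DNSResult:
    """Perform the lookup over HTTPS (network access required)."""
    url = API_URL + "?" + urllib.parse.urlencode(build_query(name, qtype))
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # TLS protects the query
        return parse_response(json.load(resp), qtype)


def gethostbyname(name: str) -> str:
    """Same shape as socket.gethostbyname: first A record, or gaierror on failure."""
    result = resolve(name, "A")
    if result.rcode != "NOERROR" or not result.addresses:
        raise socket.gaierror(socket.EAI_NONAME, f"{name}: {result.rcode}")
    return result.addresses[0]


# Constructed sample responses in the shape of the JSON API (not captured traffic).
SAMPLE_OK = {
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "www.example.test.", "type": 1}],
    "Answer": [
        {"name": "www.example.test.", "type": 5, "TTL": 300, "data": "cdn.example.test."},
        {"name": "cdn.example.test.", "type": 1, "TTL": 60, "data": "192.0.2.10"},
        {"name": "cdn.example.test.", "type": 1, "TTL": 60, "data": "192.0.2.11"},
    ],
}
SAMPLE_NXDOMAIN = {"Status": 3, "AD": False, "Question": [{"name": "nope.example.test.", "type": 1}]}

if __name__ == "__main__":
    print(parse_response(SAMPLE_OK, "A"))
    print(parse_response(SAMPLE_NXDOMAIN, "A"))
    q = build_query("www.example.test", "AAAA")
    print("padded query length:", len(q["name"]) + len(q["random_padding"]))
```

Only `resolve` and `gethostbyname` touch the network; `build_query` and `parse_response` can be exercised offline against the constructed samples, which is also where you would add checks such as refusing to trust an answer whose AD flag is not set.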