Show Me Your DNS Logs, I’ll Learn about You!

During the last BruCON edition (0x03), we operated our own DNS resolver. Instead of using public servers or the ones proposed by our ISP, pushing our own DNS resolver to network visitors can be really interesting. Of course, addicted to logs, I activated the “queries_log” feature of bind to log every request performed by BruCON visitors.

Important remark: This information was collected for evidence requirements. In case of a security incident, being able to find who resolved a specific hostname is priceless. The information extracted from the log file to write this blog post did not break the privacy of the BruCON visitors!

Back at home with plenty of logs, I decided to analyze the huge “queries.log” file (only the first day, for time reasons). Here follow some statistics…

First, there were fewer queries than expected: 414687 queries were logged in the 24-hour logfile. Based on twelve hours (09:00 – 21:00), it’s only 9.5 requests/min for 600 devices (I assumed here 1.5 devices per visitor: laptops, PDAs, tablets, …). It looks like more and more people use open/public DNS servers such as Google or OpenDNS. That’s a first good conclusion: people do not trust the DNS provided by their ISP (in our case, BruCON). It was again proven recently with the Pirate Bay case in Belgium. On the other hand, the BruCON attendees were not the “average man in the street” in terms of security.

Let’s give some numbers now:

  • 414687 queries in 24 hours
  • IPv4 / IPv6 split: 200091 “A” requests / 139617 “AAAA” requests
  • 30034 unique FQDN requested
  • 11544 unique TLD requested (xxx.yyy)

Top-10 TLD resolved:

TLD             Requests
google.com         41343
twitter.com        17529
t.co               16346
g.co               10593
twimg.com           7017
google.be           6308
msftncsi.com        5394
akamai.net          5354
facebook.com        4938
apple.com           4625

(brucon.org and pwn3d.be, used by the wall of sheep, were present in the top-10 but were removed due to their close relation with the event)

What do we learn from this top-10? Google remains a killer online service provider and Twitter was used to cover the event (with lots of posted pictures). Facebook, a classic, why am I not surprised? It looks like security people are fans of Apple products but lots of them are also using Windows Vista or Seven. This is proven by the number of requests to “www.msftncsi.com“. Those are due to the “Network Connectivity Status Indicator” feature present in the latest Microsoft OSes. It puts the little “earth” near the network interface icon in the tray bar.

More surprising, no trace of common URL shorteners in the top-50! If people mainly used Twitter to post BruCON news online, api.twitter.com was the first FQDN for Twitter. People do not use the native web interface but clients (I suppose on most PDAs). Something more scary: I saw a lot of requests to big company TLDs (no name given here). For me it means two things: people are maybe using a corporate device while attending a security conference, or they connect to their corporate environment via VPN services. Some directly access resources like “owa.company.com“. Don’t do this!

Some interesting stuff:

  • Ubuntu looks like the preferred Linux distribution, judging by the huge number of requests to ntp.ubuntu.com.
  • Gmail is a common e-mail platform, but lots of people manage their emails via IMAP (imap.gmail.com).
  • ocsp.verisign.com / ocsp.thawte.com are quite well used (“Online Certificate Status Protocol“).
  • Bittorrent remains a classic tool to search for content.
  • WordPress remains a top platform for security bloggers.
  • WPAD (“Web Proxy Autodiscovery Protocol“) is a nice way to detect where your visitors are coming from. Most browsers try to resolve “wpad.company.tld” to configure their proxy settings.
  • Special mention to Peter from corelan.be, who was resolved quite often!

Something common but dangerous: typo errors! Typo-squatting still remains a valid way to catch people! So many errors! A tip for you: bookmark the sites you visit often and access them only from your bookmarks!

Last but not least, some fun:

  • We had a fan of COBOL who visited www.opencobol.org!
  • Adult sites are everywhere (even if I found fewer requests than expected!)

The final top-100 is composed of domains related to technology websites, social media and information gathering. Then came sites related to the “real life”: restaurants, traveling, bars, etc. This proves that people can be profiled just by inspecting their DNS traffic. Sometimes critical information is disclosed just by reading the FQDN, like the applications running on the computer or the operating system.
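As an added example (not part of the original post), here is a small Python script that parses bind “queries.log” lines, computes the same kind of numbers as above (A/AAAA split, unique FQDNs, per-domain counts at the xxx.yyy level) and flags the fingerprint names discussed in this post (msftncsi, ntp.ubuntu.com, api.twitter.com, wpad.*, owa.*). The log lines, client IPs and the example-corp.com domain are constructed for the demo.

```python
import re
from collections import Counter
# Matches bind querylog lines, both the classic "client IP#port: query:" form
# and the newer "client @0x... IP#port (name): query:" form.
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
                      r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<type>\S+)")

# Constructed sample lines; not taken from the BruCON log.
SAMPLE_LOG = """\
01-Sep-2011 09:12:01.123 client 10.10.1.20#51234: query: www.google.com IN A +
01-Sep-2011 09:12:01.130 client 10.10.1.20#51235: query: www.google.com IN AAAA +
01-Sep-2011 09:12:05.001 client 10.10.1.33#40001: query: api.twitter.com IN A +
01-Sep-2011 09:12:07.004 client 10.10.1.33#40002: query: www.msftncsi.com IN A +
01-Sep-2011 09:12:09.010 client 10.10.1.45#33333: query: wpad.example-corp.com IN A +
01-Sep-2011 09:12:12.200 client 10.10.1.45#33334: query: owa.example-corp.com IN A +
01-Sep-2011 09:12:14.222 client 10.10.1.50#55555: query: ntp.ubuntu.com IN A +
01-Sep-2011 09:12:15.000 client 10.10.1.20#51236: query: twitter.com IN AAAA +
"""

# Names the post singles out as fingerprints of an OS, client or corporate setup.
FINGERPRINTS = {"www.msftncsi.com": "Windows NCSI", "ntp.ubuntu.com": "Ubuntu",
                "api.twitter.com": "Twitter client"}
PREFIX_HINTS = {"wpad": "proxy autodiscovery, reveals home domain",
                "owa": "Outlook Web Access of a corporate domain"}

def registrable(name):
    """Collapse a name to its last two labels, the 'xxx.yyy' granularity used above."""
    return ".".join(name.split(".")[-2:])

def summarize(log_text):
    """Return (query-type counts, per-domain counts, unique FQDNs, per-client hints)."""
    qtypes, domains, fqdns, hints = Counter(), Counter(), set(), []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query record (e.g. a startup or error line)
        name, qtype, ip = m["name"].lower().rstrip("."), m["type"], m["ip"]
        qtypes[qtype] += 1
        fqdns.add(name)
        domains[registrable(name)] += 1
        first = name.split(".")[0]
        if name in FINGERPRINTS:
            hints.append((ip, FINGERPRINTS[name]))
        elif first in PREFIX_HINTS:
            hints.append((ip, f"{PREFIX_HINTS[first]}: {registrable(name)}"))
    return qtypes, domains, fqdns, hints

if __name__ == "__main__":
    qt, dom, fq, hints = summarize(SAMPLE_LOG)
    print(qt["A"], qt["AAAA"], len(fq), dom.most_common(3), hints)
```

On a real resolver, pipe the daily queries.log through summarize() and sort the hints by client IP to see how much one host leaks about its OS, clients and employer.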
