Show Me Your DNS Logs, I’ll Learn about You!

Profiling During the last BruCON edition (0x03), we operated our own DNS resolver. Instead of using public servers or the ones proposed by our ISP, pushing our own DNS resolver to network visitors can be really interesting. Of course, addicted to logs, I activated the “queries_log” feature of bind to log every requests performed by BruCON visitors.

Important remark: This information was collected for evidence requirements. In case of security incident, being able to find who resolved a specific hostname is priceless. The information extracted from the log file to write this blog post did not break the privacy of the BruCON visitors!

Back at home with plenty of logs , I decided to analyze the huge “queries.log” file (only the first day – for time reason). Here follow some statistics…

First, there was less queries than expected: 414687 queries were logged in the 24-hours logfile. Based on twelve hours (09:00 – 21:00), it’s only 9.5 requests/min for 600 devices (I assumed here 1.5 device per visitor – laptops, PDAs, tablets,…). It looks that more and more people use open/public DNS servers as Google or OpenDNS. That’s a first good conclusion: people do not trust the DNS provided by their ISP (in our case – BruCON). It was again proven recently with the Pirate Bay case in Belgium. On the other side, the BruCON attendees were not the “average men in the street” in terms of security.

Let’s give some numbers now:

  • 414687 queries in 24 hours
  • IPv4 / IPv6 split: 200091 “A” requests / 139617 “AAAA” requests
  • 30034 unique FQDN requested
  • 11544 unique TLD requested (xxx.yyy)

Top-10 TLD resolved:

TLD Requests
google.com 41343
twitter.com 17529
t.co 16346
g.co 10593
twimg.com 7017
google.be 6308
msftncsi.com 5394
akamai.net 5354
facebook.com 4938
apple.com 4625

(brucon.org and pwn3d.be – used by the wall of sheep – were present in the top-10 but were removed due to the close relation with the event)

What do we learn from this top-10? Google remains a killer online service provider and Twitter was used to cover the event (with lot of posted pictures). Facebook, a classic, why am I not surprised? It looks that security people are fans of Apple products but lot of them are also using Windows Vista or Seven. This is proven by the number of requests to “www.msftncsi.com“. Those are due to the “Network Connectivity Status Indicator” feature present in the latest Microsoft OS. It puts the little “earth” near the network interface icon in the tray bar.

More surprising, no trace of common URL-shorteners in the top-50! If people used mainly Twitter to post BruCON news online, api.twitter.com was the first FQDN for Twitter. People do not use the native web interface but clients (I suppose on most PDAs). Something more scary: I saw a lot of requests to big company TLD’s (no name given here). For me it means two things: people are maybe using a corporate device while attending a security conference or they connect to their corporate environment via VPN services. Some directly access resources like “owa.company.com“. Don’t do this!

Some interesting stuffs:

  • Ubuntu looks to be the preferred Linux distribution due to the huge amount of requests to ntp.ubuntu.com.
  • Gmail is a common e-mail platform but lot of people manage their emails via IMAP (imap.gmail.com).
  • ocsp.verisign.com / ocsp.thawte.com are quite well used (“Online Certificate Status Protocol“).
  • Bittorrent remains a classic tool to search for content.
  • WordPress remains a top platform for security bloggers.
  • WPAD (“Web Proxy Autodiscovery Protocol“) is a nice way to detect from where are coming your visitors. Most browsers try to resolve “wpad.company.tld” to configure their proxy settings.
  • Special mention to Peter from corelan.be, who was resolved quite often!

Something common but dangerous: typo errors! Typo-squatting still remains a valid way to catch people! So many errors.. A tip for you: bookmark the sites you visit often and access them only from your bookmarks!

Last but not least, some fun:

  • We had a fan of COBOL who visited www.opencobol.org!
  • Adult sites are everywhere (even if I found less request then expected!)

The final top-100 is composed of domains related to technology websites, social media and information gathering. Then came sites related to the “real life”: restaurants, traveling, bars, etc. This prove that people can be profiled just be inspecting their DNS traffic. Sometimes critical information is disclosed just be reading the FQDN like the applications running on the computer or the operating system.

4 comments

  1. Hello Wouter,
    When I said “Don’t do this”, I meant “in the scope of a security conference like BruCON”.
    Even if your OWA runs on top of SSL, it remain dangerous to use it. As a test, we made a SSL MitM during a few hours and… some people still accepted our rogue certificate without doubt!

  2. Some directly access resources like “owa.company.com“. Don’t do this!

    That’s just bull. OWA is perfectly capable of using SSL, and OWA is *meant* to be used remotely (if you’re on the company network, you just use Outlook. If you’re using a VPN, you can also just use Outlook. If you’re on neither, there’s OWA). Also, the name “owa” doesn’t necessarily imply you’ve got direct access to the OWA webinterface — I used to work at a place where they gave me an “owa.company.com” URL that tunneled everything through a webproxy which would filter some things out.

  3. I plead guilty for the opencobol 🙂
    One of the challenges of thf involved it (no spoiler !)

    Anyway that’s a very cool analysis. I’d find interesting to see the top50 too 🙂

    Aris

  4. Hi,
    “Ubuntu looks to be the preferred Linux distribution due to the huge amount of requests to ntp.ubuntu.com”
    maybe because there are a bunch of distro’s that don’t cause the user to do requests to the tld of the distro?
    Distro’s like Debian/Gentoo/Arch/… do ntp requests to whichever ntp servers the user configured, updates from any mirror the user configured, etc. Also note that ntp updates are fairly high in frequency, bumping the number of requests.

    Dieter

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.