Farsight TXT Record

Introducing NXD

Written by: 
Published on: Aug 20, 2015

Introduction

The Passive DNS Replication technology behind Farsight Security’s DNSDB collects query responses from authoritative DNS servers and stores the resource records from those responses in a database. However, there is more value in Passive DNS than just the resource records. What isn’t in the DNS is also sometimes interesting. With that in mind, Farsight Security has launched two new SIE channels: DNS Errors and NXDOMAIN.

Error Values

Why pay attention to DNS failures?

First, let’s review. We know that a resource record in Farsight’s Passive DNS shows that:

  1. the owner of the domain of the resource record’s name published the resource record’s data under that name,
  2. someone queried for the resource record’s name, and
  3. an authoritative DNS server successfully responded with information to complete that query.

The DNS Errors channel focuses on those query results for which #3 doesn’t happen. It consists of error responses from authoritative name servers (e.g. SERVFAIL, REFUSED, NXDOMAIN), in Farsight’s raw Passive DNS format.

The NXDOMAIN channel focuses further in on the NXDOMAIN errors, and reports them in a more easily consumed format. These errors occur when #1 also doesn’t happen, leaving only #2. The NXDOMAIN report is thus a report of someone, somewhere, querying for something that doesn’t exist.

This failed query could be the result of a user mistyping a web site address, but quite often it is the result of an automated process, such as:

  • software querying a defunct provider’s servers for updates
  • a member of a dead botnet attempting to find its command and control host
  • a member of a not necessarily dead DGA (domain generation algorithm) botnet querying pseudorandomly-generated domains to find its command and control
  • a mail server querying a dnsbl
  • software searching the DNS for configuration (e.g., using SRV queries)

Failures in Action

A typical NXDOMAIN payload looks something like:

qname: gdsrr.com.
qclass: IN (1)
qtype: MX (15)
response_ip: 192.33.14.30
soa_rrname: com.

The response_ip is the IPv4 or IPv6 address of the authoritative nameserver, and soa_rrname is the name the authoritative name server returned in the start of authority (SOA) record, if any. The latter is included as a hint to determine in which DNS zone the qname does not exist. In the above case, the soa_rrname value of com. indicates that gdsrr.com. does not exist, but com. does.

Note, also, that the failed query was of type “MX”, indicating that someone was attempting to send mail to that domain. Domains which appear in this manner repeatedly can, with a bit of work, make good spamtraps.

Another more interesting form of common query failure looks like:

qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
qclass: IN (1)
qtype: A (1)
response_ip: 62.58.50.220
soa_rrname: MuLTI.SuRBl.ORg.

(The odd capitalization is due to the 0x20 randomization technique for augmenting the DNS query identity.)

The above is a failed query for the domain netatlantic.com in the SURBL blocklist of domains. The fact that the query failed indicates that:

  • the netatlantic.com domain name was referenced in the body of an e-mail, and
  • netatlantic.com is NOT blocked by the SURBL blocklist, which is obviously good!

If you have domains or IP addresses which should not be used in e-mail, blacklist queries for these domains would be very anomalous. Even if your domains or IPs are expected to appear in e-mail, sudden spikes in failed dnsbl queries are also an indicator of something worth investigating.
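As an added example (not Farsight’s code), the following parses payloads in the layout shown above, undoes the 0x20 case randomization, recognises failed blocklist lookups by their soa_rrname, and counts them per looked-up domain so a spike in dnsbl failures can be flagged. The sample records and the list of blocklist zones are constructed for this illustration; only multi.surbl.org is taken from the text.

```python
import re
from collections import Counter

# Constructed sample records in the payload layout shown above (not real SIE data).
SAMPLE_RECORDS = """\
qname: gdsrr.com.
qclass: IN (1)
qtype: MX (15)
response_ip: 192.33.14.30
soa_rrname: com.

qname: netATLANTic.COM.MuLTI.SuRBl.ORg.
qclass: IN (1)
qtype: A (1)
response_ip: 62.58.50.220
soa_rrname: MuLTI.SuRBl.ORg.
"""

# Assumed list of blocklist zones to watch; the text only names SURBL's multi.surbl.org.
DNSBL_ZONES = ("multi.surbl.org.",)

def parse_records(text):
    """Split blank-line separated payloads into dicts. qname and soa_rrname are
    lower-cased to undo 0x20 randomization; qtype becomes a (name, number) tuple."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        rec["qname"] = rec["qname"].lower()
        rec["soa_rrname"] = rec.get("soa_rrname", "").lower()
        m = re.match(r"(\w+) \((\d+)\)", rec["qtype"])
        rec["qtype"] = (m.group(1), int(m.group(2)))
        records.append(rec)
    return records

def dnsbl_target(rec):
    """If the failed query was a blocklist lookup, return the domain that was
    looked up (the qname with the blocklist zone removed), otherwise None."""
    for zone in DNSBL_ZONES:
        if rec["soa_rrname"] == zone and rec["qname"].endswith("." + zone):
            return rec["qname"][: -len(zone) - 1]
    return None

def flag_dnsbl_lookups(records, threshold):
    """Count not-listed blocklist lookups per domain and return those at or above
    threshold: the 'sudden spike in failed dnsbl queries' case described above."""
    counts = Counter(t for t in map(dnsbl_target, records) if t)
    return {domain: n for domain, n in counts.items() if n >= threshold}
```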

Conclusion

This is just a glimpse of the information which can be gleaned from DNS query failures. If you would like to take a closer look yourself, don’t hesitate to contact us today!

Chris Mikkelson is a Senior Distributed Systems Engineer for Farsight Security, Inc.