
SANS ISC: Detecting Queries to "odd" DNS Servers - SANS Internet Storm Center SANS ISC InfoSec Forums


Detecting Queries to "odd" DNS Servers

Usually, your operating system is assigned a DNS server either via DHCP (or router advertisements in IPv6) or statically. The resolver library on a typical workstation then passes all DNS lookups to this set of DNS servers. However, malware sometimes tries to use its own DNS servers, and blocking (and logging) outbound port 53 traffic (UDP and TCP) to anything other than your sanctioned resolvers can help identify these hosts.

Brent, one of our readers, does just that and keeps finding infected machines that way. Just now, he is investigating a system that attempted to connect to the following name servers:

101.226.4.6
114.114.114.114
114.114.115.115
123.125.81.6
140.207.198.6
202.97.224.69
211.98.2.4
218.30.118.6
14.33.133.189

He has not identified the malware behind this yet, and none of the other systems he runs has flagged it ("we are running bluecoat web filter AND we're using OpenDNS AND I'm running snort"). Brent uses oak (http://ktools.org/oak/) to watch his logs and alert him to issues like this.
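The detection the diary describes, done over firewall logs, as an added example (not the diary's or oak's code): it assumes iptables-style LOG lines for outbound port 53 traffic, an allowlist of sanctioned resolvers (here Google public DNS and OpenDNS, plus internal networks, all assumed values), and reports every internal host that sent DNS to anything else. The log lines are constructed.

```python
"""Flag hosts that send DNS traffic to resolvers other than the sanctioned ones.

Added example, not the diary's or oak's code. It assumes netfilter (iptables)
LOG lines for outbound port 53 traffic; the sample lines are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Resolvers the workstations are supposed to use (assumed: Google public DNS
# and OpenDNS, which the thread mentions). Anything else on port 53 is "odd".
SANCTIONED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Internal resolvers are allowed by network rather than by address (assumed).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed netfilter LOG lines (key=value fields after the log prefix).
SAMPLE_LOG = """\
Feb 11 09:12:01 fw kernel: [OUT-DNS] IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=8.8.8.8 PROTO=UDP SPT=51123 DPT=53 LEN=52
Feb 11 09:12:03 fw kernel: [OUT-DNS] IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=114.114.114.114 PROTO=UDP SPT=51124 DPT=53 LEN=55
Feb 11 09:12:04 fw kernel: [OUT-DNS] IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=101.226.4.6 PROTO=TCP SPT=51125 DPT=53 LEN=60
Feb 11 09:12:05 fw kernel: [OUT-DNS] IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=208.67.222.222 PROTO=UDP SPT=40001 DPT=53 LEN=50
Feb 11 09:12:06 fw kernel: [OUT-DNS] IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=192.168.0.2 PROTO=UDP SPT=40002 DPT=53 LEN=50
Feb 11 09:12:07 fw kernel: [OUT-WEB] IN=eth1 OUT=eth0 SRC=192.168.1.90 DST=114.114.114.114 PROTO=TCP SPT=40003 DPT=443 LEN=60
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of a netfilter LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def is_sanctioned(dst):
    """True if dst is an approved resolver or lives on an internal network."""
    if dst in SANCTIONED_RESOLVERS:
        return True
    addr = ip_address(dst)
    return any(addr in net for net in INTERNAL_NETS)


def odd_dns_destinations(log_text):
    """Map each source host to the set of (dst, proto) pairs it used for
    port 53 traffic that did not go to a sanctioned resolver."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        # Only outbound DNS: destination port 53 over UDP or TCP.
        if f.get("DPT") != "53" or f.get("PROTO") not in ("UDP", "TCP"):
            continue
        if not is_sanctioned(f["DST"]):
            hits[f["SRC"]].add((f["DST"], f["PROTO"]))
    return dict(hits)


if __name__ == "__main__":
    for src, dsts in sorted(odd_dns_destinations(SAMPLE_LOG).items()):
        print(f"{src}: " + ", ".join(f"{d}/{p}" for d, p in sorted(dsts)))
```

On the constructed sample, only 192.168.1.42 is reported (two of the addresses from the diary's list, one over UDP and one over TCP); the host that used OpenDNS and an internal resolver stays quiet, and the port 443 line to the same Chinese address is ignored because the check is about DNS, not about the destination address alone.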

According to the Farsight Security passive DNS database, these IPs resolve to a number of "interesting" hostnames. I am just showing a few here (the full list is too long).

ns-facebook-[number]-[number].irl-dns.info   <- the [number] part appears to be a random number
*.v9dns.com    <- '*' to indicate various host names in this domain.
v2.3322pay.com
bjcgsm.com
sf5100.com
------------------
Johannes B. Ullrich, Ph.D.

SANS Technology Institute
Eight out of nine of those IP addresses are in the PRC. Using any of them as DNS servers (whether or not they are actual DNS servers, and no matter where the DNS client is in the world) will invoke poisoned responses from the GFW cache poisoning machine for some very popular sites such as YouTube, Facebook, Twitter, etc. So likely no user invoking that traffic from an infected box. Try it yourself. What IP address do you get for facebook when using one of those DNS servers?

C:\Users\me>nslookup
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8

> server 101.226.4.6
Default Server: [101.226.4.6]
Address: 101.226.4.6

> facebook.com
Server: [101.226.4.6]
Address: 101.226.4.6

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: facebook.com
Addresses: 59.24.3.173
59.24.3.173
Anonymous
All these IPs are registered in China. Maybe there are just some users with their own DNS for bypassing the Chinese internet restrictions?
Anonymous
It may be worth doing a packet capture to confirm whether the traffic on port 53 is actually legitimate DNS traffic, or perhaps a botnet C&C channel just trying to use port 53 to avoid proxies that might filter 80/443 traffic.
Anonymous
Quoting Anonymous: It may be worth doing a packet capture to confirm whether the traffic on port 53 is actually legitimate DNS traffic, or perhaps a botnet C&C channel just trying to use port 53 to avoid proxies that might filter 80/443 traffic.


Yup! When I first set up the log-watching rules, I didn't have any snort sensors or any span ports yet. But one of these days real soon now, I'll turn this into a custom snort rule so I can see full packet payloads...
Brent

109 Posts
Most of the concern about DNS is some form of redirection abuse or server compromise. But another interesting use of DNS is to send encoded messages. Assuming you have control of the DNS server, you can receive these encoded messages as simple DNS queries. By encoding the message in the hostname of your domain name, you can send yourself covert messages - spp-nboz-tfdsfut.example.net (ROT1). Setting the server to log all queries permits you to receive and store the contents of messages sent from any Internet-connected host.
Brent
2 Posts
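The defender's side of the covert-message trick described in the comment above, as an added example (not code from the thread or from any of its posters): it reads BIND-style query-log lines and flags client/domain pairs whose subdomain labels look like carried data, either several long unique subdomains under one zone or a single long high-entropy label. It approximates the registered domain as the last two labels (an assumption; a real deployment would use the public suffix list), and the log lines are constructed, with the comment's own ROT1 hostname among them so the shift can be undone for the analyst.

```python
"""Spot query names that look like they carry an encoded message.

Added example, not code from the thread. It assumes BIND-style query-log
lines and treats the last two labels as the registered domain (simplification).
The sample lines are constructed.
"""
import math
import re
from collections import Counter, defaultdict

SAMPLE_QUERY_LOG = """\
11-Feb-2019 09:15:02.123 client 192.168.1.42#51200: query: www.example.com IN A +
11-Feb-2019 09:15:03.001 client 192.168.1.42#51201: query: spp-nboz-tfdsfut.example.net IN A +
11-Feb-2019 09:15:03.400 client 192.168.1.42#51202: query: uif-usfbtvsf-jt-cvsjfe.example.net IN A +
11-Feb-2019 09:15:04.010 client 192.168.1.42#51203: query: voefs-uif-pme-pbl.example.net IN A +
11-Feb-2019 09:15:05.500 client 192.168.1.77#40010: query: mail.example.com IN MX +
11-Feb-2019 09:15:06.200 client 192.168.1.77#40011: query: 4f9c1b7e2a6d8e3f.example.org IN TXT +
"""

LINE_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN (\S+)")


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every query line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def caesar_shift(text, shift):
    """Shift lowercase letters by `shift` positions; other characters pass
    through. caesar_shift(x, -1) undoes the ROT1 used in the comment."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        else:
            out.append(ch)
    return "".join(out)


def suspicious_query_names(log_text, min_unique=3, min_mean_len=12,
                           min_label_len=16, min_entropy=3.5):
    """Return {(client, domain): reason} for query-name patterns that look
    like hostname-encoded data. Thresholds are starting points to tune."""
    groups = defaultdict(set)
    for client, qname, _qtype in parse_queries(log_text):
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 3:            # bare domain: nothing to carry data in
            continue
        domain = ".".join(labels[-2:])  # assumed registered-domain heuristic
        groups[(client, domain)].add(".".join(labels[:-2]))

    findings = {}
    for key, subs in groups.items():
        mean_len = sum(map(len, subs)) / len(subs)
        # Many distinct, long subdomains under one zone: a message in pieces.
        if len(subs) >= min_unique and mean_len >= min_mean_len:
            findings[key] = f"{len(subs)} unique subdomains, mean length {mean_len:.1f}"
            continue
        # A single long label with little repetition: likely encoded data.
        longest = max(subs, key=len)
        h = shannon_entropy(longest)
        if len(longest) >= min_label_len and h >= min_entropy:
            findings[key] = f"long high-entropy label {longest!r} (H={h:.2f})"
    return findings


if __name__ == "__main__":
    for (client, domain), reason in sorted(suspicious_query_names(SAMPLE_QUERY_LOG).items()):
        print(f"{client} -> {domain}: {reason}")
    print("ROT1 undone:", caesar_shift("spp-nboz-tfdsfut", -1))
```

The ordinary www and mail lookups are not reported; the three ROT1 names under example.net are caught as a group, and the lone hex-looking label under example.org is caught on length and entropy alone. The Caesar helper is only for the analyst reading a flagged name back; the detection itself does not depend on recognising any particular encoding.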
