[dns-operations] ISC SIE, channel 3

Paul Vixie paul at vix.com
Tue Feb 5 05:21:00 UTC 2008


i wrote:

> ....  i'm a big boy, i knew when i set up rbl.maps.vix.com in 1997 that it
> was a lifetime commitment, i can take the heat.  (i just like to complain.)

what an inspiration this was.  today we (ISC) added a channel (think "vlan")
to SIE (our Security Information Exchange) for queries received by authority
servers (the only other channel so far is responses received from authority
servers by recursive caching servers), and i made the maps.vix.com nameserver
into a passive dns sensor.  here's how it looks for ISC SIE subscribers who
have access to channel 3:

#sie-qa1.sql1:amd64# ncaptool -l 169.254.3.255/7433 -g - -m -c 5
[60] 2008-02-05 04:36:05.033154000 [00000000 8354338f] \
        [64.62.206.10].32768 [192.83.249.98].53 \
        dns QUERY,NOERROR,20342,cd \
        1 206.253.191.71.rbl.maps.vix.com,IN,TXT 0 0 \
        1 .,CLASS4096,TYPE41,32768,[0]
[61] 2008-02-05 04:36:05.033466000 [00000000 8354338f] \
        [194.246.101.39].34170 [192.83.249.98].53 \
        dns QUERY,NOERROR,2678,cd \
        1 215.127.250.201.rbl.maps.vix.com,IN,TXT 0 0 \
        1 .,CLASS2048,TYPE41,0,[0]
[60] 2008-02-05 04:36:05.033936000 [00000000 8354338f] \
        [81.109.162.29].32769 [192.83.249.98].53 \
        dns QUERY,NOERROR,42427,cd \
        1 201.63.202.211.rbl.maps.vix.com,IN,A 0 0 \
        1 .,CLASS2048,TYPE41,0,[0]
[47] 2008-02-05 04:36:05.036245000 [00000000 8354338f] \
        [207.218.192.64].25756 [192.83.249.98].53 \
        dns QUERY,NOERROR,3131 \
        1 6.102.182.59.rbl.maps.vix.com,IN,ANY 0 0 0
[50] 2008-02-05 04:36:05.040737000 [00000000 8354338f] \
        [12.172.248.67].48988 [192.83.249.98].53 \
        dns QUERY,NOERROR,8354 \
        1 204.239.189.208.rbl.maps.vix.com,IN,TXT 0 0 0

i shall now go about the interesting task of trying to get other authority
server operators to start sending their query data.  more of the value of
passive dns (as invented by florian weimer) is in the authority response
data received at recursive caching nameservers as a result of a forwarded
query that caused a cache miss... but that doesn't mean useful study, and
even security benefits, can't be had by sharing query data received by the
authority nameservers themselves.

from the above, for example, it's possible to learn that the following five
addresses probably initiated smtp transactions "very recently", and could
be legit or could be bots: 71.191.253.206, 201.250.127.215, 211.202.63.201,
59.182.102.6, and 208.189.239.204.  we also know that the mailservers whose
recursive nameservers' upstream query addresses are 64.62.206.10,
194.246.101.39, 81.109.162.29, 207.218.192.64, and 12.172.248.67 are not
well maintained (since they are using a DNS RBL that hasn't worked since
1999 or so.)  i knew there was a use for query data in SIE, i just didn't
see it until after i whined about maps.vix.com still getting (lots of)
queries.

it's important to note that while i'm willing to share a 5-packet dump in
public like this, the actual subscriptions to ISC SIE are vetted and there
is no way that darksiders can get continuous access to our feeds.  so if
worries about publicity or leaks are keeping anyone from running a passive
dns sensor, remember, the above data was received at my personal server,
and that's why i feel safe using it in public like this.
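
An added example, not part of the original post: the inference described above (reverse the four leading labels of each queried name to recover the address being looked up, and take the packet source as the querying resolver), written as a small Python parser for the ncaptool text output in the dump. The function names and the regular expression are this example's own, and the record layout is assumed from the five messages shown.

```python
import ipaddress
import re

ZONE = "rbl.maps.vix.com"

# The five messages from the dump above, with continuation lines joined.
SAMPLE = r"""
[60] 2008-02-05 04:36:05.033154000 [00000000 8354338f] [64.62.206.10].32768 [192.83.249.98].53 dns QUERY,NOERROR,20342,cd 1 206.253.191.71.rbl.maps.vix.com,IN,TXT 0 0 1 .,CLASS4096,TYPE41,32768,[0]
[61] 2008-02-05 04:36:05.033466000 [00000000 8354338f] [194.246.101.39].34170 [192.83.249.98].53 dns QUERY,NOERROR,2678,cd 1 215.127.250.201.rbl.maps.vix.com,IN,TXT 0 0 1 .,CLASS2048,TYPE41,0,[0]
[60] 2008-02-05 04:36:05.033936000 [00000000 8354338f] [81.109.162.29].32769 [192.83.249.98].53 dns QUERY,NOERROR,42427,cd 1 201.63.202.211.rbl.maps.vix.com,IN,A 0 0 1 .,CLASS2048,TYPE41,0,[0]
[47] 2008-02-05 04:36:05.036245000 [00000000 8354338f] [207.218.192.64].25756 [192.83.249.98].53 dns QUERY,NOERROR,3131 1 6.102.182.59.rbl.maps.vix.com,IN,ANY 0 0 0
[50] 2008-02-05 04:36:05.040737000 [00000000 8354338f] [12.172.248.67].48988 [192.83.249.98].53 dns QUERY,NOERROR,8354 1 204.239.189.208.rbl.maps.vix.com,IN,TXT 0 0 0
"""

# source address, then the first question's name and type (assumed layout)
REC = re.compile(
    r"\[(?P<src>[0-9.]+)\]\.\d+ \[[0-9.]+\]\.\d+ dns QUERY,\S+ "
    r"1 (?P<qname>[^,\s]+),IN,(?P<qtype>\w+)"
)

def listed_client(qname, zone=ZONE):
    """Return the IPv4 address a DNSBL query asks about, or None."""
    name = qname.rstrip(".").lower()
    if not name.endswith("." + zone):
        return None
    labels = name[: -len(zone) - 1].split(".")
    if len(labels) != 4:          # not a reversed dotted quad
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:            # non-numeric or out-of-range octet
        return None

def analyze(text):
    """Map each resolver source address to the (client IP, qtype) it asked about."""
    seen = {}
    # fold ncaptool's backslash-continued lines into one line per message
    for line in re.sub(r"\\[ \t]*\n[ \t]*", "", text).splitlines():
        m = REC.search(line)
        client = listed_client(m["qname"]) if m else None
        if client is not None:
            seen.setdefault(m["src"], []).append((str(client), m["qtype"]))
    return seen

if __name__ == "__main__":
    for resolver, lookups in analyze(SAMPLE).items():
        print(resolver, lookups)
```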


