DNS Anomalies Detection and Analyzation via Unicorn [Tested]

Why Analyze DNS?

Domain Name System (DNS) converts hostnames to IP addresses and plays a crucial role in the infrastructure of the Internet. In this experiment, we will closely examine the details of DNS anomalies on the client side.

From the perspective of a DNS client, the role is relatively straightforward — the client sends a request to its local DNS server and receives a response. Much of the communication between DNS hierarchical servers happens recursively or iteratively to resolve the client’s DNS queries, with most operations being invisible to the client. However, from the DNS client’s viewpoint, the protocol is quite simple — it directs queries to the local DNS server and receives responses from that server.

How to Detect DNS Anomalies

Since we primarily use the DNS protocol, we will utilize the nslookup command.

Step 1. nslookup

The nslookup tool allows a host to query DNS records of any specified DNS server. To accomplish this task, nslookup sends a DNS query to the specified DNS server, receives a DNS reply, and displays the results.

DNS Anomalies

The command’s response provides two pieces of information:

  • The name and IP address of the DNS server responding.
  • The response itself, which includes the hostname and IP address of www.baidu.com.

Second command:

This command with the option -type=NS and the domain name baidu.com first displays the DNS servers responding (defaulting to the local DNS server) and three DNS servers for baidu.com. However, nslookup also indicates that this response is non-authoritative, meaning it comes from a server’s cache.

Third command:

This command directs the query to the DNS server dns.baidu.com instead of the default DNS server (public1.114dns.com/114.114.114.114). Thus, the query and response transaction occurs directly between our host and dns.baidu.com. In this example, the IP address of the host www.baidu.com is directly provided by the DNS server dns.baidu.com.

We also learned that DNS records are cached. To clear the cache, the command ipconfig /flushdns is used.

Step 2. Track DNS Anomalies via Unicorn

Prepare as follows:

  • Clear DNS cache in the host using ipconfig /flushdns.
  • Open the browser and clear the browser cache.
  • Open Unicorn and Enable DNS filtering so that Unicorn will only capture DNS packets.

Step 3. Use HTTP

Visit www.vaidu.com to view a DNS packet:

It’s observed that DNS query packets are sent over UDP. The source port number of the query packet is a random port, while the destination port number is 53. The response packet is the reverse.

The destination IP address of the query packet is 114.114.114.114. The specific contents of the DNS query packet are as follows:

The Type field is A (value is 1), indicating it queries a host’s IP address. The Class field is IN (value is 1), indicating Internet addresses. The DNS response packet’s specific contents are as follows:

Three Answers are included, with the second one analyzed:

  • www.baidu.com: type A, class IN, addr 39.156.66.14
    • Name: www.baidu.com (domain name queried)
    • Type: A (Host Address)
    • Class: IN
    • Time to live: 37(37 second)
    • Data length: 4
    • Address: 39.156.66.14 (IP address provided in response)

The value of the Name is www.a.shifen.com, indicating that the DNS request’s domain name is www.a.shifen.com. The type is A, signifying that it is requesting the IP address corresponding to that domain name. The value of the Address shows the IP address corresponding to that domain name.

Step 4. Use nslookup

Clear the host’s DNS cache using ipconfig /flushdns.

Start Unicorn capture, then use the command nslookup www.baidu.com in the command line. The results are similar to those above, but with the destination IP address now the default local DNS server’s IP address (114.114.114.114). When querying using nslookup www.baidu.com dns.baidu.com, the results show the destination IP address as 110.242.68.134, indicating it did not query the default local DNS server.

Click to rate this post!
[Total: 0 Average: 0]