Combining seen DNS data with traffic data: Tracking traffic to domains

Markku Parviainen maketsi at gmail.com
Mon Oct 15 14:07:06 EDT 2012


Hi,

I was wondering if you could track traffic to domains instead of IPs
by combining knowledge from seen DNS traffic with IP addresses seen.
This would be much more accurate than labeling the results of reverse
lookups that often do not work. This would be useful in ratop and
racluster, as you could directly see how much of your traffic is
consumed for facebook or other famous CDN sites, or could track
requests to suspicious domains that probably are signs of malware
infection (xxcz92obzf.cn anyone?), or could map fast-flux domains
visited.

The basic concept could be implemented quite easily:

1) user does DNS request for A record of www.cdn.net
2) DNS responds that www.cdn.net has two A records: 1.1.1.1 and 2.2.2.2
3) We cache that information for later use, noting the TTL in the DNS response.
4) That same user (saddr) makes an HTTP request to 1.1.1.1 within N
seconds from that DNS request, and within the TTL
5) We can assume that the user reached that IP by using name
www.cdn.net and label the corresponding flow as being so.
6) racluster/ratop/whatnot by that label

Can this be done with existing tools?

There seem to be two problems:
- Ralabel claims that it "inserts fixed form or free form metadata
labels into argus(8)". But how exactly? Manual page or the sample
configuration file ralabel.conf does not say how to create that
ralabel.conf to insert foo=bar to flow X. It doesn't say how to view
that data later either.
- DNS requests need to be found and parsed from argus packets (could
use a simple udp and dport 53 filter).
- If the parsing is done on batches, we need to match and label flows
manually, while also maintaining that time limit referred to in step 4).

I guess that if the labeling works, I could implement a batch script
for parsing the DNS data and inserting those labels into archived
flows. That doesn't help for realtime analysis though.
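
Steps 1) to 6) above as a batch correlation, added here as an illustration; it is not part of the original post or of the argus tools. The record tuples, the function names and the 300-second window are assumptions, and extracting DNS answers and flows from argus data is outside the example.

```python
from collections import defaultdict

WINDOW = 300  # "N seconds" from step 4; the value is an assumption

# Constructed sample records, not real captures.
# DNS answer: (ts, client, qname, [A records], ttl); flow: (ts, saddr, daddr, bytes)
DNS = [(100.0, "10.0.0.5", "www.cdn.net", ["1.1.1.1", "2.2.2.2"], 60)]
FLOWS = [
    (101.0, "10.0.0.5", "1.1.1.1", 5000),  # 1 s after the answer: labelled
    (150.0, "10.0.0.5", "2.2.2.2", 700),   # 50 s after, TTL 60: labelled
    (170.0, "10.0.0.5", "1.1.1.1", 300),   # 70 s after, TTL expired: unlabelled
    (102.0, "10.0.0.9", "1.1.1.1", 900),   # this client never resolved the name
]


def label_flows(dns_answers, flows, window=WINDOW):
    """Return [(flow, label)]; label is None when no cached answer qualifies."""
    # Merge both streams by time so the cache only holds answers already seen.
    events = [(a[0], 0, a) for a in dns_answers] + [(f[0], 1, f) for f in flows]
    events.sort(key=lambda e: (e[0], e[1]))  # DNS before flow at equal timestamps
    cache = {}  # (client, ip) -> (qname, answer_ts, ttl)
    labelled = []
    for ts, kind, rec in events:
        if kind == 0:
            _, client, qname, ips, ttl = rec
            for ip in ips:
                cache[(client, ip)] = (qname, ts, ttl)  # newest answer wins
            continue
        _, saddr, daddr, _ = rec
        hit = cache.get((saddr, daddr))
        label = None
        if hit:
            qname, seen, ttl = hit
            # Step 4: within N seconds of the answer and within its TTL.
            if ts - seen <= min(window, ttl):
                label = qname
            else:
                del cache[(saddr, daddr)]  # drop the expired entry
        labelled.append((rec, label))
    return labelled


def bytes_by_label(labelled):
    """Step 6: total bytes per label; flows without a label are grouped together."""
    totals = defaultdict(int)
    for (_, _, _, nbytes), label in labelled:
        totals[label or "unlabelled"] += nbytes
    return dict(totals)
```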


