[dnstap] dnstap use case assistance

Kyle Fiducia mail at kfiducia.com
Fri May 12 19:21:38 UTC 2017


There aren't a lot of folks using dnstap from whom to ask for help, so
I am hoping you folks can help educate me!

Use Case (Threat Detection & Response):
If a packet gets flagged for malicious content, it is flagged by
source IP: let's say "1.2.3.4".
We investigate by asking "how did the user get to 1.2.3.4?" -
Generally this is by DNS reference (evil-host.tld), which is what
brought me to dnstap.
With dnstap/unbound doing all the DNS resolutions on the network, I
attempt to cross-reference the resolutions that yield 1.2.3.4 back to
domain names to help trace the source of the potential compromise
(perhaps this domain name is included in an email or something).
But the logs I am seeing coming out of dnstap reference the
responding authoritative server. So it mentions "evil-host.tld" but
gives the authoritative nameserver IP address that responded with the
A record, not the contents of the A record, so 1.2.3.4 is not present
in my logs.
Realizing I may be using dnstap in a fashion it wasn't intended, I
hope someone can steer me towards a more viable solution to improve my
Incident Response capability. It seems this is well within the
wheelhouse of such a useful tool; perhaps I am just missing something.

Thank you in advance for any time and attention you can offer.

Best,
Kyle

My current dnstap config (trying to get as much as I could out of it
to ensure I wasn't missing something):

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/var/run/unbound/dnstap.sock"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    # CLIENT_* frames: exchanges between stub clients and unbound
    dnstap-log-client-query-messages: yes
    dnstap-log-client-response-messages: yes
    # RESOLVER_* frames: exchanges between unbound and authoritative servers
    dnstap-log-resolver-query-messages: yes
    dnstap-log-resolver-response-messages: yes
    # FORWARDER_* frames: exchanges between unbound and configured forwarders
    dnstap-log-forwarder-query-messages: yes
    dnstap-log-forwarder-response-messages: yes
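An added example (not part of the post above, and not code from the dnstap or unbound projects) of the IP-to-name cross-reference the post describes. It assumes the Frame Streams/protobuf envelope of each dnstap frame has already been decoded (that step is not shown) and works only on the raw DNS wire message carried in a frame's response_message field. The query_address/response_address fields of a frame describe the socket endpoints of the exchange, which is why the authoritative server's IP shows up in the logs; the resolved 1.2.3.4 sits inside the answer section of the response_message payload, so that payload has to be parsed. The sample response below is constructed by hand and follows a CNAME chain so that A records can be traced back to the name the client actually asked for.

```python
"""Map answer A/AAAA records in a DNS response back to the names that led to them.

Added example, not code from the post or from dnstap/unbound. Input is the raw
DNS message one finds in the response_message field of a dnstap CLIENT_RESPONSE
or RESOLVER_RESPONSE frame once the protobuf envelope has been decoded (that
decoding step is assumed, not shown). Only the stdlib is used.
"""
import ipaddress
import struct
from collections import defaultdict

TYPE_A, TYPE_CNAME, TYPE_AAAA = 1, 5, 28


def read_name(msg, off):
    """Decode a possibly compressed name at offset off; return (name, next_off)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                     # caller resumes after the pointer
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:                         # a looping name must not hang the parser
                raise ValueError("compression pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if jumped else off)


def names_for(owner, aliases):
    """Owner name plus every alias that CNAMEs to it, back to the queried name."""
    names, node = {owner}, owner
    for _ in range(16):                           # bounded walk: CNAME loops stay harmless
        node = aliases.get(node)
        if node is None or node in names:
            break
        names.add(node)
    return names


def answer_ips(msg):
    """Return {ip: {names}} for each A/AAAA record in the answer section."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((owner, rtype, off, msg[off:off + rdlen]))
        off += rdlen
    # First pass: CNAME target -> alias, so A records can be traced back to the qname.
    aliases = {read_name(msg, rd_off)[0]: owner
               for owner, rtype, rd_off, _ in records if rtype == TYPE_CNAME}
    index = defaultdict(set)
    for owner, rtype, _, rdata in records:
        if rtype == TYPE_A and len(rdata) == 4:
            index[str(ipaddress.IPv4Address(rdata))] |= names_for(owner, aliases)
        elif rtype == TYPE_AAAA and len(rdata) == 16:
            index[str(ipaddress.IPv6Address(rdata))] |= names_for(owner, aliases)
    return dict(index)


def encode_name(name):
    """Uncompressed wire form of a domain name (used to build the sample)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(owner_wire, rtype, ttl, rdata):
    """One resource record: owner, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed sample (not a capture): response to "evil-host.tld A" where the
# name is a CNAME to cdn.evil-host.tld, which has two A records. 0xC00C is a
# compression pointer to the question name at offset 12.
QNAME_PTR = b"\xc0\x0c"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
    + encode_name("evil-host.tld") + struct.pack("!HH", TYPE_A, 1)
    + rr(QNAME_PTR, TYPE_CNAME, 300, b"\x03cdn" + QNAME_PTR)
    + rr(b"\x03cdn" + QNAME_PTR, TYPE_A, 60, bytes([1, 2, 3, 4]))
    + rr(b"\x03cdn" + QNAME_PTR, TYPE_A, 60, bytes([1, 2, 3, 5]))
)

if __name__ == "__main__":
    for ip, names in sorted(answer_ips(SAMPLE_RESPONSE).items()):
        print(ip, "<-", ", ".join(sorted(names)))
```

Running answer_ips over the response_message of every CLIENT_RESPONSE frame (rather than the RESOLVER_RESPONSE frames, whose response_address is the upstream server) and merging the returned dictionaries gives the IP-to-name index the investigation needs; keying it additionally by the frame's query_address records which client asked, and the bounded pointer and CNAME walks keep a crafted response from hanging the indexer.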

