My own private NSA

From: Dan Lyke 
------------------------------------------------------
Short version: I wanna snoop on DNS traffic on my network, and I want
a little auditing to reassure myself about what sort of traffic the
devices on my network are generating.

Background: Alan, Charlene's developmentally disabled brother, is
staying with us, and we got him a $79 Android 4.1 tablet+keyboard
combination off of Nomorerack.com for Christmas. If, 20 years ago,
you'd have told me that I could buy a multi-core GHz+ device with that
resolution, 3D accelerated, for $80, I would have called it unbelievable
science fiction.

I'm sitting in my cube this afternoon and one of the ops guys walks
over and says "our malware DNS page just got the most interesting
delisting request from your home IP address..."

Indeed. The de-listing request form got a couple of "overseas
pharmacy" and "cheap auto insurance" HTML and BBCode posts from
a user agent of

  "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0"

I call home, Charlene disavows running Windows. I log in to the Unifi
controller and don't see any Windows machines on the wireless net.

So I haven't had too much chance to debug yet, but I suspect that this
is coming from Alan's tablet.

What I would like to do is to run a logging DNS proxy on the home
server, and, probably put the DHCP server on that machine as well.

Anyone got experience with the right way to do this? I could easily
whip up a Perl DNS proxy, and probably just install isc-dhcp-server,
but if someone's got some experience with this that'd be awesome.


Thanks!

Dan

===============================================================
From: wes
------------------------------------------------------
Several years ago I was helping a company recover from a server failure that resulted in the total loss of all internal DNS records. I pieced together a bunch of the easy stuff, but little things were popping up left and right, often in the context of "I have been struggling with this for ## days." So I hit upon the genius idea of monitoring DNS requests so I could proactively fix records that needed it.

Long story short, it didn't work. ISC BIND (at that time at least) did not offer the functionality to report which hostname was requested in the event of a failure. I asked the ISC guys myself and they said "why would you ever want to do that?" The only way to do it would have been piecing packets together via tcpdump, and it wasn't worth the effort.

Hopefully things have changed.

-wes

===============================================================
From: Dan Lyke
------------------------------------------------------
Gah! I could totally see uses for that!

So two additional realizations:

1. The Perl solution needs to be a little more complex because single-threaded DNS proxies suck (Yes, 2-Wire, I said it).

2. It'd be really nice if that proxy could redirect some names to internal machines...

I need to replace the drive in my home server soon, I should probably just bite the bullet and install the stock Ubuntu options. Groan.

Dan

===============================================================
From: Dave Brockman
------------------------------------------------------
Caching DNS server for the home network? Bonus points for dynamic DNS updates from your DHCP server to support your local network domain?

BIND can log the queries to syslog, separate file or stderr.

Regards,

dtb

--
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925

===============================================================
From: Rod
------------------------------------------------------
If it is a server go Debian. Ubuntu has changed their stock images and for some reason have powersave on the damn server version. One day I will dig the tech files and figure out how to turn that off, but not today.

AppArmor and SELinux are both available on Debian.

Rod

===============================================================
From: Matt Keys
------------------------------------------------------
I'd suggest http://www.ntop.org/ ...also installs seamlessly into pfSense 2.x.

===============================================================
From: cluon
------------------------------------------------------
For quick down and dirty... iptraf with a NIC in promiscuous mode is useful for seeing DNS and other traffic, but NTOP rocks.

===============================================================
From: Benjamin Stewart
------------------------------------------------------
Dnsmasq is nice. It has an integrated DHCP server which updates local DNS records, and checks your hosts file before querying upstream. I haven't messed with its logging, though.
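An added example (not from anyone on the list) covering two things raised in this thread: Dan's wish for a per-device log of what names his network is resolving, and wes's point about seeing which name was asked for when a lookup fails. It assumes dnsmasq is run with its real `log-queries` and `log-facility=/var/log/dnsmasq.log` options, and parses a few constructed log lines in that format; the hostnames and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a dnsmasq log as written with `log-queries`
# and `log-facility=/var/log/dnsmasq.log` (made-up hosts and clients).
SAMPLE_LOG = """\
Dec 27 18:20:01 homeserver dnsmasq[1234]: query[A] www.example.com from 192.168.1.50
Dec 27 18:20:01 homeserver dnsmasq[1234]: forwarded www.example.com to 8.8.8.8
Dec 27 18:20:01 homeserver dnsmasq[1234]: reply www.example.com is 93.184.216.34
Dec 27 18:20:02 homeserver dnsmasq[1234]: query[A] not-a-real-host.example.org from 192.168.1.77
Dec 27 18:20:02 homeserver dnsmasq[1234]: reply not-a-real-host.example.org is NXDOMAIN
Dec 27 18:20:03 homeserver dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.77
Dec 27 18:20:04 homeserver dnsmasq[1234]: query[A] cdn.example.net from 192.168.1.77
Dec 27 18:20:04 homeserver dnsmasq[1234]: cached cdn.example.net is 198.51.100.7
"""

# "query[TYPE] name from client" is emitted once per request dnsmasq receives.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)
# A failed lookup still names the host that was asked for, unlike the
# BIND behaviour wes describes above.
NXDOMAIN_RE = re.compile(r"dnsmasq\[\d+\]: reply (?P<name>\S+) is NXDOMAIN")


def summarize(log_text):
    """Return (queries per client as {client: Counter(name)}, Counter of NXDOMAIN names)."""
    per_client = defaultdict(Counter)
    nxdomain = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            per_client[m["client"]][m["name"]] += 1
            continue
        m = NXDOMAIN_RE.search(line)
        if m:
            nxdomain[m["name"]] += 1
    return per_client, nxdomain


def noisiest_client(per_client):
    """The LAN address that issued the most queries, or None for an empty log."""
    if not per_client:
        return None
    return max(per_client, key=lambda c: sum(per_client[c].values()))


if __name__ == "__main__":
    clients, failed = summarize(SAMPLE_LOG)
    for client, names in clients.items():
        print(client, dict(names))
    print("NXDOMAIN:", dict(failed), "busiest:", noisiest_client(clients))
```

Because dnsmasq also serves DHCP, the client address in each line can be matched against its lease file to name the device rather than the IP.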

===============================================================
From: Christopher Rimondi
------------------------------------------------------
I use Bro http://bro.org/ on my home network. It logs many things, DNS queries are one of them. Easiest way to stand it up is using the Security Onion Linux distro. You can use normal bash commands to grep through the Bro logs.

If you are into tinkering, and if you are on this list chances are you are, you can tweak Bro to add fields, like GeoIP information if you pull down a database such as one from MaxMind to correlate against.

I have an open source search platform called ELSA ingest my Bro logs. Cool things you can do are run queries like 'class:bro

===============================================================
From: Chad Smith
------------------------------------------------------
Is Bro open source, because I'd really like to see the Bro Code.

LEGEND.....wait for it...... DARY!

*- Chad W. Smith*

===============================================================
From: flushy@flushy.net
------------------------------------------------------
Quoting Dan Lyke :

Non-blocking IO is pretty sweet. I wrote a proof of concept OpenSSL port blaster using non-blocking IO, and I could generate over 1000 concurrent connections per second with about a 20% load -- single threaded. If I upped the sleep time or altered where the sleep was in the loop check, I could get the load down to 5%.

--b