[CONTACT]

[ABOUT]

[POLICY]

DNS is fundamental to how the

Found at: gopher.blog.benjojo.co.uk:70/ISPs-sharing-DNS-query-data

 The ISPs sharing your DNS query data
 ===
 DNS is fundamental to how the web works, and for most of
the population it's completely transparent. Everything on the web
is accessed by a DNS name.

November 1987 in fact

 Since DNS is an old protocol (November 1987 in fact) the
protocol was built in a time where encryption was not viewed as a
necessary thing. This is not to be confused with DNSSEC, whose
purpose is to validate that a DNS response has not been tampered
with.
 Because queries are not encrypted in DNS, they are visible
to the network devices between you and the resolver, and even
if they were, in almost all cases people use external
resolvers either locally in their network (normally a DNS query cache
that passes on misses to a ISP DNS resolver) or an external
one (see 8.8.8.8 / 9.9.9.9 / 1.1.1.1 and other catchy IP
addresses)
 A lot of "threat intelligence" relies on DNS data for
research, so security teams inside of companies often log DNS queries
so they can track down incidents later on.
 However to make this data meaningful, researchers need data
from real systems in the wild. This is where they turn to
larger companies who have data feeds from large resolvers silently
logging queries that pass through them.

DNS Diagram

 DNS Diagram
 This means that downstream customers' data is sent away to
3rd party sources, who often charge to have researchers access
the data.
 So what ISP's are doing this? How can we find that out?
 You just ask every open DNS resolver a query that is tied
to the ISP itself! After all, the IPv4 internet is only 3.5~
million routable addresses!
 So over ~18 hours my server send 50,000 DNS packets per
second to random internet hosts.

RRDTool graph of bandwidth

 RRDTool graph of bandwidth

ASN ((URL:http://en.wikipedia.org/wiki/Autonomous_system_(Internet:0/URL:http://en.wikipedia.org/wiki/Autonomous_system_(Internet HTML))

 To make this setup work, I bought a new domain name for
this experiment and for every single ASN) generated a specific
DNS query for that ISP. On the sending side I discarded any
responses and only listened to queries that made it back to my
domains DNS nameservers:

DNS Diagram 2

 DNS Diagram 2
 The idea is that a lot of these resolvers I am hitting
are actually just caches that upstream to their local ISP
resolver. From the results of the inbound query I can see what
ISP’s use what ISPs to send the lookups to my nameserver, using
the results of the inbound query. A query sent to a home ISP
that results in a nameserver query arriving from Google would
suggest that 8.8.8.8 is in use, a query arriving from cloudflare
would suggest 1.1.1.1, or a query arriving from the ISP itself
would suggest it's the ISPs local infrastructure looking up the
query.
 In addition, we can look up on the open platforms to see
what subdomains were harvested:

A DNS harvester lookup

 A DNS harvester lookup
 There doesn't seem to be a direct link between these ASN's
and their resolvers (other than google, who is unlikely to be
only selling a very small % of their queries)
 There is another interesting phenomena. Even when scanning
was finished, I was still getting queries as if I was still
sending packets to some ISPs. I've come to call these "zombie
queries"
 Here is an example:
 I sent 2 million queries to Telenet in Belgium, and got
416 queries to my name servers back. However after scanning I
got 4 queries from a South African ISP:
 ```
 2018-06-20 05:27:15 IP 197.96.129.180.51587 > 45.76.133.249.53:
32906 [1au] A? a-6848.4uqu.party. (46)
 2018-06-20 05:28:51 IP 197.96.129.180.39401 > 45.76.133.249.53:
20872 [1au] ANY? a-6848.4uqu.party. (46)
 2018-06-20 05:28:51 IP 197.96.129.180.35844 > 45.76.133.249.53:
2062 [1au] ANY? a-6848.4uqu.party. (46)
 2018-06-20 05:28:52 IP 197.96.129.180.60279 > 45.76.133.249.53:
14686 [1au] ANY? a-6848.4uqu.party. (46)
 ```
 This is especially curious, since the last 3 of those
queries are for a different DNS type. So something has to have
processed the query sent to Telenet in Belgium and decided to poke
at my subdomain more.
 This does not 100% mean that Telenet has sold data to a
3rd party that then re-queried me in South Africa, it could
have been a customer with a config that pointed to another
upstream DNS provider that sold it.
 You can explore below the data I have gathered, You can
enter ISP names or the AS number:
 
Enter a AS number in the
format of "ASXXX" or just freetype a name

Search:
type="text" id="blogsearch">

ISP Name:
None
Please enter a query
id="resolvers">

Resolvers:

ASPersentage Raw
Number

Zombie resolvers:

style="width:100%">            AS        Raw
Number            
 
 You can find the tools I wrote for this over at:
https://github.com/benjojo/dns-spies

Twitter

RSS

 If you enjoyed this you can follow my Twitter or RSS to
keep up with the other silly (or sometimes sensible) things I
will do!
 Until next time!



			
			
AD:

Love Odd Nugget? Join the club!