SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


1 Comment

Analysing DNS traffic using PacketQ

Our authoritative only name-servers are every once in a while hit by strange DNS queries. To spot anomalies we use DSC (DNS Statistic Collector), which allows exploring many details of DNS requests and responses to and from our name-servers. Usually one can already get a good sense of what has happened with DSC. However often, deep packet inspection is needed to get the full picture.

DSC Statistic showing query-type MX and ANY traffic anomalies

DSC Statistic showing query-type MX and ANY traffic anomalies

DNS traffic heading towards our authoritative only name-servers is stored for a few days in PCAP. Should we have any need to analyse some of the data we can then easily do so. Analysing very large PCAP files may sound cumbersome but thanks to PacketQ this is actually very easy and fast. PacketQ was originally developed by IIS.SE and is open source. It is a command line tool to run sql queries directly on PCAP files. It exports some IP and UDP header fields and most importantly all DNS protocol fields.

Continue reading