DNS Traffic
DNS Overview
DNS, or Domain Name Service, is the protocol used to resolve names to IP addresses. Just like the other protocols, you should be familiar with DNS; however, if you're not, you can refresh with the IETF DNS Documentation.
There are a couple of things outlined below that you should keep in the back of your mind when analyzing DNS packets.
Query-Response
DNS-Servers Only
UDP
If any one of these is out of place, the packets should be looked at further and considered suspicious.
Below we can see a packet capture with multiple DNS queries and responses.
Looking at the packets, we can instantly see what they are querying. This is useful when you have many packets and need to identify suspicious or unusual traffic quickly.
DNS Traffic Overview
DNS Query:
Looking at the query below, we really have two bits of information that we can use to analyze the packet. The first is where the query is originating from; in this case it is UDP 53, which means that this packet passes that check. If it were TCP 53, it should be considered suspicious traffic and analyzed further. We can also look at what it is querying, which can be combined with other information to build a story of what happened.
When analyzing DNS packets you really need to understand your environment and whether or not the traffic would be considered normal within your environment.
DNS Response:
Below we see a response packet. It is similar to the query packet, but it also includes an answer, which can be used to verify the query.
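As an added example (not part of the original page), the following Python parses the transaction ID, QR flag and queried name from raw DNS messages and applies the three checks above (query-response pairing, known DNS servers only, UDP) to a constructed set of packets. The sample messages, addresses, ports and the known-server list are assumptions built for the demonstration.

```python
import struct

def parse_dns(payload):
    """Return transaction ID, QR bit and first question name from a raw DNS message."""
    txid, flags = struct.unpack("!HH", payload[:4])
    off, labels = 12, []               # questions start after the 12-byte header
    while payload[off] != 0:           # read length-prefixed labels until the root label
        n = payload[off]
        labels.append(payload[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": ".".join(labels)}

def check_dns(pkt, known_servers, pending):
    """Apply the three checks; updates `pending` (outstanding queries) and returns reasons."""
    info = parse_dns(pkt["payload"])
    key = (info["txid"], info["qname"])
    reasons = []
    if pkt["proto"] != "UDP":
        reasons.append("not UDP")
    if info["is_response"]:
        if pkt["sport"] != 53 or pkt["src"] not in known_servers:
            reasons.append("response not from a known DNS server on port 53")
        if key in pending:
            pending.discard(key)       # response matches an earlier query
        else:
            reasons.append("response with no matching query")
    else:
        if pkt["dport"] != 53 or pkt["dst"] not in known_servers:
            reasons.append("query not sent to a known DNS server on port 53")
        pending.add(key)
    return reasons

def analyze(packets, known_servers):
    """Run the checks over a packet list in capture order; returns (qname, reasons) pairs."""
    pending = set()
    return [(parse_dns(p["payload"])["qname"], check_dns(p, known_servers, pending)) for p in packets]

# Constructed sample messages: a query for example.com (txid 0x1a2b) and its response.
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"                  # example.com, type A, class IN
QUERY = bytes.fromhex("1a2b 0100 0001 0000 0000 0000") + QUESTION      # flags 0x0100: QR=0, RD=1
RESPONSE = (bytes.fromhex("1a2b 8180 0001 0001 0000 0000") + QUESTION  # flags 0x8180: QR=1, RD, RA
            + bytes.fromhex("c00c 0001 0001 00000e10 0004 5db8d822"))  # A 93.184.216.34, TTL 3600
CLIENT, SERVER = "10.0.0.5", "10.0.0.53"                               # assumed addresses
SAMPLE_PACKETS = [
    {"proto": "UDP", "src": CLIENT, "sport": 51234, "dst": SERVER, "dport": 53, "payload": QUERY},
    {"proto": "UDP", "src": SERVER, "sport": 53, "dst": CLIENT, "dport": 51234, "payload": RESPONSE},
    {"proto": "UDP", "src": SERVER, "sport": 53, "dst": CLIENT, "dport": 51234, "payload": RESPONSE},  # unsolicited
    {"proto": "TCP", "src": CLIENT, "sport": 51235, "dst": SERVER, "dport": 53, "payload": QUERY},     # TCP 53
]

if __name__ == "__main__":
    for qname, reasons in analyze(SAMPLE_PACKETS, {SERVER}):
        print(qname, "suspicious: " + ", ".join(reasons) if reasons else "ok")
```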
Practical DNS Packet Analysis
Now that we understand the basics of how DNS traffic looks and interacts, download the provided PCAP or dns+icmp.pcap.gz from the Wireshark website. This capture contains only two protocols, so it is up to you whether or not you filter out the ICMP traffic.
What is being queried in packet 1?
What site is being queried in packet 26?
What is the Transaction ID for packet 26?