Bind Logging and Reporting Question

[enjinn]

Is it possible to have bind log DNS lookup requests that do NOT occur from user interactive input. Example: User entering url in browser or terminal not being that significant. I am looking only to log when the system or a process is making a DNS lookup as is typical with malware that is attempting to beacon home and inserting its dns calls.

Is this a capability inherent in the system or are there any known scripts to process this kind of activity into a report?

Thanks for any discussion on this topic or friendly pointers in the correct direction.

 

[kpa]

No, there is nothing in the DNS protocol that could be used to tell apart interactive and non-interactive queries. Every query to the DNS resolver will be essentially non-interactive after it has been processed by the resolver(3) API (or equivalent in other operating systems). The details of how the query was made to the resolver are not possible to track because that would require co-operation with the application that made the query.

 

[fossette]

Looks like the resolver could have a log feature that includes the caller process id... in an optional paranoid world, i.e. activated by a configuration parameter if desired.

 

[SirDice]

Looks like the resolver could have a log feature that includes the caller process id.

How is it supposed to know this? The process runs on a different machine and the DNS requests packets don't have room to include this.

 

[kpa]

The resolver could be extended for sure but the DNS protocol is a different matter. You don't go on implementing your own protocols in a world where standards are everything.

 

[fossette]

How is it supposed to know this? The process runs on a different machine and the DNS requests packets don't have room to include this.

Oh! Sorry! I was thinking of a way to protect a computer locally. So if all computers of a cluster are doing this local resolver log surveillance, a possible malware intrusion would have better luck of being detected, thus protecting the cluster.

Dominique.

 

[kpa]

When you suggest logging capabilities such as this take a few minutes to think about how many entries the log could generate in the worst case. It can be a huge number and it's also not trivial to define meaningful filtering criteria to filter out uninteresting queries. It's also not easy to define filtering criteria to log only "suspicious" queries because you have to define the logging criteria using only very few variables on the resolver level, DNS is not a complicated system at its heart and a query made by malware looks absolutely no different from a query made by you on the command line.

 

[fossette]

In the Windows world, the original process firewall by ZoneAlarm performs this task quite nicely. But I agree that we are not in a Windows world here, especially if we avoid running processes as root as much as we can.

 

[kpa]

I was a long time zonealarm user on MS Windows and in my opinion it wasn't any good in the end. It asked you about every single connection at the beginning because it didn't know any better than you and only after it had built a substantial whitelist based on your input you could use the computer without being harassed constantly. Not a suitable solution for FreeBSD or any other comparable OS.