DNS Traffic is always worth watching very closely
But it is not a good excuse to forget your anniversary!
While visiting a large ISP-type customer here in the Bay Area, we started to discuss the value he could get from network traffic analysis. The volume of traffic on his network is at a scale where he struggles even with summary information like NetFlow; there is so much of it that it is almost impossible to get a handle on it and see anything useful – a real big data problem.
During our conversation, I mentioned that we have a number of dissectors (or application decoders, as we call them) for protocols like SMB, NFS, SQL, web and DNS – ‘STOP, what can you tell me about my DNS traffic, as my logs are limited?’ To be honest, I would have thought LANGuardian provided too much detail for his organization, but I guess DNS is a bit different.
Anyhow, I led on to explain that LANGuardian can:
- Monitor DNS traffic, decode DNS replies
- Inventory the DNS servers that are responding on the network
- Alert on rogue DNS servers
- Review what resolutions clients are receiving
- Monitor client requests and validate that DNS traffic is genuine DNS (piggybacking)
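As an added illustration of the "inventory responding servers" and "alert on rogue DNS servers" items above (example code written for this page, not part of the post or of LANGuardian), the script below parses raw DNS reply payloads, counts which server addresses are answering, and raises an alert for every reply that comes from a server outside an assumed allow-list. The allow-list, the client and server addresses and the two captured replies are all constructed for the example.

```python
import struct
from collections import defaultdict
SANCTIONED_RESOLVERS = {"10.0.0.53"}  # hypothetical allow-list (assumption, not from the post)

def read_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers."""
    labels, end = [], None
    while (length := msg[off]) != 0:
        if length & 0xC0 == 0xC0:            # pointer: jump, remember where to resume
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_reply(msg):
    """Return (qname, [IPv4 answers]) for a response, or None for a query."""
    _, flags, _, ancount, _, _ = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                   # QR bit clear: not a reply
        return None
    qname, off = read_name(msg, 12)
    off, answers = off + 4, []               # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, answers

def audit(replies):
    """replies: (server_ip, client_ip, raw_udp_payload). Returns inventory and alerts."""
    inventory, alerts = defaultdict(int), []
    for server, client, raw in replies:
        if (parsed := parse_reply(raw)) is None:
            continue
        inventory[server] += 1               # every responder, sanctioned or not
        if server not in SANCTIONED_RESOLVERS:
            alerts.append((client, server, parsed[0], parsed[1]))
    return dict(inventory), alerts

def build_reply(ip):  # constructed reply: example.com IN A ip, TTL 3600, name pointer 0x0c
    header = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    return header + b"\x07example\x03com\x00\x00\x01\x00\x01" + \
        b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes(ip)

# Constructed capture: the sanctioned resolver answers, then an unknown LAN host answers
SAMPLE_REPLIES = [("10.0.0.53", "10.0.5.21", build_reply((198, 51, 100, 7))),
                  ("10.0.5.99", "10.0.5.21", build_reply((203, 0, 113, 9)))]
```

On the sample capture `audit(SAMPLE_REPLIES)` lists both responders in the inventory and produces one alert, for the client that was answered by 10.0.5.99 with a different address for the same name.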
To quote a good friend, Tim of #lovemytool: ‘John, show me, don’t tell me.’
So I simply gave a short demo, which in summary was something like the following four screen grabs:
Overall, it was a good meeting; the visibility and context one can get off the wire on DNS activity across a network can be really useful for multiple security-related use cases and for forensics. Our customer thought it was very interesting and useful for a network like his, especially as he is so heavily focused on security these days while helping and educating his own customers.
However, when I got back to my Airbnb and opened up my laptop, a Skype chat message popped up on my screen. Now for a moment, just think of some of the worst texts or voicemails you could get from your wife! Let’s face it, there are only two big dates one should ALWAYS remember, and we all know what they are!
When I looked at my Skype text box at 6:00pm PST (2:00am GMT, a day late), I saw a message that had been sitting there for over 8 hours, with those three little words we dread to hear or read before we get to send them ourselves: ‘Happy Anniversary Darling’.
Damn. I blamed DNS. I told her I had tried to send a nice message, but we had a DNS issue and I was off the network!
Now, even she knows that without DNS, everything stops working!
John co-founded NetFort in 2002. Under John’s direction, NetFort has continued to thrive in the network and user activity monitoring market and has built up an impressive portfolio of customers around the world.
He has extensive security and networking experience, having worked as a Principal Engineer for several years with Digital Equipment Corporation in Ireland, the UK and the US. He has worked on a number of high-speed network interconnect projects in the past, specializing in low-level kernel programming. John graduated from the University of Limerick with a B.Eng. Degree in Electronic Engineering (1986) and an M.Eng. in Computer Systems (1994). www.netfort.com
John and NetFort's Philosophy - Full packet capture, analysis and storage enables organisations to derive unbelievable levels of insight into network and security activity from their wire data. However, the processing power and storage needed to ‘keep up’ with today’s traffic rates and store every single packet can make these network forensics type systems unaffordable for many companies, especially small to medium enterprises. The hardware required to store and index all the traffic for even a few days can be prohibitively expensive, not to mention the technical expertise needed to interpret and understand the huge volumes of data. It is crucial to be able to see the ‘wood from the trees’ and quickly understand the data you are looking at. This session will explore the benefits of building more intelligence into the software in order to accurately identify the most common protocols and store only the most critical and important detail: the network metadata.