This document summarizes Chris Partridge's work on scraping and analyzing DNS data to generate threat intelligence. It discusses scraping domain and DNS data at scale, analyzing it for anomalies, integrating threat intelligence, and limitations. The goal is to develop proactive threat intelligence by identifying relationships between domains, IPs, and known bad actors from DNS data and intelligence. Future work includes scaling up data collection, distributed analysis, and integrating findings into security tools.

1. Domain
Data
into
Domain
Intellige
nce
Chris “tweedge”
Partridge

2. [~] whois -h
tweedge
▪ Founder of
dnstrace.pro
▪ Third year RIT CSEC
student and BSides
regular
▪ Runs Snort on own
network
▪ Guacamole aficionado
▪ Dungeons and Dragons

3. Contents
1.Quick Refresher on
DNS
2.The Reactive Threat
Intelligence Problem
3.Scraping and
Ingesting DNS Data at
Scale
4.Anomalies, Analysis
and General Findings

4. Quick
Refreshe
r on DNS
Section 0

6. DNS Basics
https://www.facebook.c
om/login/
▪ The protocol:
https://
▪ The page: /login/
▪ FQDN:
www.facebook.com
▫ TLD: com
Registrable domain:

7. What Can it
Tell You?
A IPv4 address
AAAA IPv6 address
ANY all records
CNAME canonical name
MX mailserver
NS nameserver
TXT text
And more...

8. How Does it
Work?
DNS is a hierarchical
system.
Y
o
u
Yo
ur
DN
S
Root
DNS
.com
DNS
Facebo
ok DNS

10. The
Reactive
Threat
Intellig
ence
Problem
Section 1

11. Reactive
Security !=
Great Security
▪ Consider 100% file-
signature-based
antimalware
▫ Easy to circumvent
▫ Difficult/costly to
maintain
▫ Slow to adapt
▪ Better than nothing?
¯_( ツ )_/¯

12. “
An IP address
earns a
negative
reputation
when
Symantec
detects
suspicious
activity, such

13. “
An IP address
earns a
negative
reputation
when
Symantec
detects
suspicious
activity, such

14. “
...If the IP
addresses
change
frequently,
and if the
site has an
IP address
that was
hosting

15. “
...If the IP
addresses
change
frequently,
and if the
site has an
IP address
that was
hosting

16. ▪ Domain safety
heuristics are
available
▫ How recent the
registration was
▫ Frequent address
changes
▫ Popularity
estimates
It’s a Start

18. Relational
Learning
“To predict unforseen
or future relationships
between entities based
on past observations.”

19. Relational
Threat
Intelligence
Mal
ware
X
Interacts
with
C:UsersChri
s
Modifies
startup
settings
Loads
cryptographic
libraries
Outbound
HTTP GET
... nearly
limitless
characteristics ..
.

20. Relational
Threat
Intelligence
Doma
in X
Resolves to
certain IPsResolves to
certain other
domains
Was
registered by
_ registrar
Has certain
text records
... some other
characteristic
s ...

22. What Would We
Need?
▪ Huge quantities of
parsed domain data
▫ Some collect this
passively; we won’t
▫ Difficult to acquire
aggressively
▪ As much threat
intelligence as
possible

24. Scraping
and
Ingesting
DNS Data
at Scale
Section 2

25. Acquiring TLDs
http://data.iana.org/TL
D/tlds-alpha-by-
domain.txt
Stats:
▪ 1543 TLDs
▪ Available by HTTP
▪ Also by FTP
▪ Wow

26. Acquiring
Domains
▪ Buy access to
curated zone files
▫ ~$300/year ( ° °)╯ □ ╯ ︵
┻━┻
▪ Request access to
zone files from
registrars
▫ ICANN’s CZDS is a
good start

27. Discovering
Domains &
Subdomains
Out of
Scope
▪ Brute
force
▪ Website
crawling
▪ Search
engines &
passive
In Scope
▪ Probabilis
tic
lookups
▪ Reverse
DNS
▪ Using
DNSSEC:
NSEC and

28. Brute Force
Lookups
Recommended software:
shutdown -Ph now

29. Website
Crawling
▪ Find and follow links
▪ Complex and resource
intensive if the entire
document is rendered
for each page
▪ Requires a webserver
to be running

30. Search Engines
& Passive DNS
▪ Great for real-life
engagements, exposes
nothing about your
recon to a target
▪ Depends on external
services
Recommended software:

31. Probabilistic
Lookups
▪ Use a list of known
FQDNs and parse out
the most common
subdomains
▪ Combine with anything
you know about the
target (eg.
wordlists) to
increase

33. Reverse DNS
▪ Useful for IPv4
(dense), less useful
for IPv6 (sparse)
▪ Often results in ISP-
assigned FQDNs
▪ ...hrm.

34. DNSSEC
▪ A set of security
extensions for DNS
▪ Provides:
▫ Origin authentication
▫ Data integrity
▫ Denial of existence

36. NSEC Walks
▪ How does denial of
existence work with
DNSSEC?
▫ NS returns NSEC
response: “next secure
record”
Generally:
examp
le.com
api
ww
w
User
requests
“test”
NS
returns

38. 1624 IN NSEC
www.example.com.
A NS SOA TXT AAAA
RRSIG NSEC DNSKEY

40. NSEC3 Walks
▪ Privacy improvements in
2008 to DNSSEC,
creating NSEC3 records
by hashing adjacent
valid records
Generally:
examp
le.com
api
ww
w
User requests “test”
NS returns NSEC3
record stating:
“There is nothing between
‘71f64b...’ and ‘724611...’”

44. DNSSEC, NSEC,
NSEC3 Recap
▪ If a target has
DNSSEC enabled it’s
absolutely worth
investigating an
NSEC(3) walk
▪ NSEC scales well,
NSEC3 does not (on
CPU)
▪ NSEC5 on the way

45. Zone Transfers
(AXFR Query)
▪ Ask the nameserver
politely for all its
zone data
▪ Between 1/7 and 1/10
nameservers allow
AXFR
▪ Requires little effort
for possibly large
payout

46. North Korea
DNS Leak
Found by
mandatoryprogrammer/
TLDR
Sept. 2016, 28 domains:
airkoryo.com.kp, cooks.org.kp,
friend.com.kp, gnu.rep.kp,
kass.org.kp, kcna.kp,
kiyctc.com.kp, knic.com.kp,
koredufund.org.kp,
korelcfund.org.kp,

49. Resolving the
Domain Space
▪ The DIY solution
1.Try an AXFR (if
applicable)
2.Try an ANY query
3.Iterate through
desired query types
▪ Thread and
geographically
distribute

50. Make Use of
Open Domain
Data
Rapid7 Sonar
▪ SSL, Forward DNS, and
Reverse DNS = great
▪ Approx. 2.3 billion
data points per week
in FDNS
▪ Permits non-malicious
noncommercial use

51. Storing
Everything
▪ Decompose everything
▪ Use scalable database
engines
▫ Current setup:
Percona 5.6 with
TokuDB
▪ Compression works
wonders
▪ Indexes are your

53. Anomalie
s,
Analysis,
and
General
Findings
Section 3

54. Domain Errors
▪ a104-100-169-
118.depl1521945933
▪ sxevz.www.ae01521990
153
▪ dc-wpprod-f5
▪ nic.llc
▪ mac.sport

55. LLC Isn’t a
TLD? Sport?
▪ IANA says yes:
▪ Mozilla’s Public
Suffix List says no:

56. Here We Go!

57. Invalid Types
▪ a104-100-169-
118.depl1521945933
Type: ec2-52-39-
231 ..., reply: a
▪ dc-wpprod-f5
Type: canam.ws,
reply: a

58. IPv4 / DNS A

59. IPv6 vs IPv4

60. CNAME Mistakes
▪ http://exmail.qq.com/
login
▪ ms28789472.msv1.inval
id
▪ 6ca0fe83df737a7b1a6
003830fc47008
▪ www.tuolongledcom
▪ fdfddfdf.343sdfd.fddd

61. MX and NS
Errors

62. Achieving
Proactiv
e
Intellig
ence
Section 4

63. Adding Threat
Intelligence
▪ Ingest as many lists
as possible
▫ Phishing feeds of
URLs
▫ Domain reputation
feeds
▫ IP reputation feeds
▫ BOGONs
▪ Considering heuristics

64. Tuning Threat
Intelligence
▪ Threat intel source
reputation
▪ Threat type and
severity
▪ User bias based on
threat category

72. Limitatio
ns and
Future
Improve
ments
Section 5

73. Limitations
▪ Data is far from
complete at the
moment
▪ Threat intelligence
sources are good, not
great
▫ Response time to
emerging threats is
slow

74. Limitations

75. Future
Improvements
▪ Talk to a lawyer
▪ Scale out, cover more
geographic areas,
increase query
throughput
▫ You can help!
▪ Implement
distributed NSEC
walking, AXFRs

76. The Endgame
▪ Make dnstrace a
proactive tool for
geeks
▫ Generate firewall
configurations
▫ Generate DNS
blocklists
▪ Make dnstrace a
proactive tool for

77. Open
Discussio
n
Section 6

78. Questio
ns?
Commen
ts?

79. This is the Last
Slide-
Thank you so much for
coming to my talk!
Keep in touch via ...
Email
chris@partridge.tech
LinkedIn /in/tweedge/
GitHub? @tweedge