Jim and Kim,

On Tue, Dec 6, 2016 at 6:00 PM, Jim Birch <[email protected]> wrote:
> The actual DNS query and response content would not be visible at the
> metadata level, it's inside the message. The metadata says you
> contacted a DNS server but not what you looked up. The term "metadata"
> itself is a bit ambiguous, at any layer the stuff outside the layer wrapper
> is metadata and the stuff inside is content.
>
> As I see it, given that everything not just nefarious stuff gets encrypted,
> the best method for our protector overlords to find the bad guys would be
> analysing patterns in connection data. You could develop some known
> bad-guy signatures and use the activity of identified targets to train the
> system. Plus throw in any other profiling data you could scrounge. I
> imagine this would work pretty well, given a humongous amount of storage
> and processing power.

I develop the integration with Maltego to https://www.mnemonic.no/news/2015/mnemonic-offers-passive-dns-data-to-the-public/ and https://www.dnsdb.info/

TL;DR: Privacy was the main driver when Paul Vixie developed Passive DNS, hence it is impossible to determine who made the DNS request. https://www.farsightsecurity.com/assets/media/download/passive-dns-privacy.pdf is his supporting document.

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact

_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link
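As an added illustration (not code from the thread, mnemonic, or DNSDB) of why a passive DNS feed collected above the recursive resolver cannot say who made a request: the toy aggregator below consumes constructed observations of resolver-to-authoritative traffic, keys its records on the DNS data itself, and never carries a client field. The record field names are an assumption modelled on common passive DNS output, not a description of DNSDB's actual schema.

```python
"""Toy passive DNS aggregator (constructed example).

A sensor placed between a recursive resolver and the authoritative servers
sees only the resolver's own upstream traffic. The stub client that
triggered the lookup is never on that wire, and the aggregation below also
drops the resolver address, so the resulting records describe what names
resolve to, not who asked. Field names (rrname, rrtype, rdata, time_first,
time_last, count) are an assumption about a typical passive DNS record.
"""
from dataclasses import dataclass


@dataclass
class UpstreamAnswer:
    """One response observed between resolver and authoritative (constructed)."""
    ts: int            # epoch seconds of the observation
    rrname: str
    rrtype: str
    rdata: str
    resolver_ip: str   # the only address visible at this vantage point


# Constructed sample: two resolvers, several lookups, repeated answers.
SAMPLE = [
    UpstreamAnswer(1480000000, "example.com.", "A", "192.0.2.10", "10.0.0.53"),
    UpstreamAnswer(1480000300, "example.com.", "A", "192.0.2.10", "10.0.1.53"),
    UpstreamAnswer(1480000600, "example.com.", "MX", "10 mx.example.com.", "10.0.0.53"),
    UpstreamAnswer(1480003600, "example.com.", "A", "192.0.2.10", "10.0.0.53"),
]


def aggregate(answers):
    """Collapse observations into records keyed by (rrname, rrtype, rdata).

    resolver_ip is read but intentionally never copied into the output.
    """
    records = {}
    for a in answers:
        key = (a.rrname, a.rrtype, a.rdata)
        rec = records.get(key)
        if rec is None:
            records[key] = {"rrname": a.rrname, "rrtype": a.rrtype, "rdata": a.rdata,
                            "time_first": a.ts, "time_last": a.ts, "count": 1}
        else:
            rec["time_first"] = min(rec["time_first"], a.ts)
            rec["time_last"] = max(rec["time_last"], a.ts)
            rec["count"] += 1
    return list(records.values())


def has_requester_identity(records):
    """Privacy check on a feed: True if any record carries a requester/resolver field."""
    forbidden = {"client_ip", "src_ip", "resolver_ip", "requester"}
    return any(forbidden & set(r) for r in records)
```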
