On 12/02/2018 08:40, Jason Timmins wrote:
> Hi There,
> 
> Is it possible, with Shorewall or otherwise, to capture all DNS packets and
> extract the URL they are looking up?

IMHO, you're approaching an issue that is "wider" than what it seems, at first.

Shorewall can surely "filter" standard DNS query packets (UDP/53), and it
can also "act" based on their payload (to "match" for some specific
hostname to be resolved, as an example).
Actually I've been able to "stop" a not-so-complex DNS-bombing attack
toward one of my DNS, by applying something similar to this:

https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/1063501265.9331018.1380569265379.JavaMail.root%40playsrl.it/#msg31464706

And I'm also sure that you can "tune" such a technique to better suite your
needs.

_BUT_:

1) this is not 100% inline with "...extract the URL...": the "extraction"
you're referring maybe require some additional treatments. And this depends
from exact problem you're trying to solve;

2) not 100% of DNS queries are UDP/53 based and, actually, there are plenty
of DNS query types: matching _ALL_ of them by filtering the payload of
UDP/53 _AND_ TCP/53 can be really challenging.

Also, as your needs seems to be specific to your own environment:

> We’d like to use this to monitor user
> activity via our firewall.

I would suggest a different approach: a Layer-7 LOG (instead of L3). In
other words: forcing your user to refer _ONLY_ to your official internal
DNS-server (by filtering, with shorewall, outgoing UDP/53 and TCP/53) and,
then, asking such official DNS to simply _LOG_ _ALL_ the query it receives
and process.
With such a simple approach, you'll easily get _LOTS_ of details (including
"query details" and "client IP"). Details that are challenging to be
retrieved with other techniques.

If, for some reason, you cannot block access to external DNS then another
chance could be to rely on a IDS-like tool, like "bro" [1], that
succesfully support DNS activity reconstruction [2].

All the above does _NOT_ means that shorewall is "bad". Shorewall is really
great, powerfull and definitely useful. But it's a firewall. And it
provides its best when used accordingly.

HTH

Bye,
DV

P.S.: obviously, depending on the volume of the queries, you could
immediately find another _BIG_ issue: once you have 90M query _PER_DAY_,
having them written somewhere.... is quite useless. You have to properly
store, process, and visualize them....to find "issues" and/or "security
concerns". And that's a completely different story.


[1] https://www.bro.org/
[2] https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html


-- 
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists
and Generalists. The Specialist learns more and more about a
narrower and narrower field, until he eventually, in the limit,
knows everything about nothing. The Generalist learns less and
less about a wider and wider field, until eventually he knows
nothing about everything." - William Stucke - AfrISPA
  http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to