What’s in a Domain Name? That which we call a CNAME by any other AAAA record would still be used by malware to steal your data. This article introduces the Gravwell CoreDNS Kit, which provides dashboards, queries, and other resources to help you quickly analyze data from a CoreDNS instance using the Gravwell CoreDNS plugin.
In this article we’ll walk through deploying the kit, explore the DNS overview dashboard, and drill down into several features of the CoreDNS Kit.
The Domain Name System (DNS) is a global naming system for internet connected resources. It provides a mapping from human readable hostnames to a variety of other forms (such as other hostnames, IP addresses, and other data points).
DNS is widely abused by malware and network attackers to facilitate (and sometimes directly perform) data exfiltration, command and control for botnets, and other malicious activities. For this reason, introspecting on DNS data is a first-line activity for network operators.
Gravwell can ingest any kind of DNS logs, raw data, and more, and directly supports CoreDNS, a widely used DNS server by providing a CoreDNS Plugin. CoreDNS is a flexible, extensible DNS server. CoreDNS provides a plugin framework to allow tools, such as Gravwell, to write plugins that can perform transformations and introspection on CoreDNS queries and responses.
For more information on deploying CoreDNS with the Gravwell Plugin, see our CoreDNS blog post.
For the rest of this article, we’ll focus on the CoreDNS Kit dashboards, actions you can take directly from the kit, and other drill-down features such as the Client Investigation and Domain Name investigation dashboards.
If you’re following along with your own copy of Gravwell (Get started with a Free Trial of the software!), this article assumes you already have CoreDNS built with the Gravwell Plugin. If not, check out the CoreDNS blog post.
Gravwell and CoreDNS communicate via a CoreDNS plugin. As you resolve names with CoreDNS, the plugin logs requests and responses in JSON format to Gravwell. A typical response entry in Gravwell looks like this:
{
"TS": "2020-09-10T15:25:50.341006414-06:00",
"Proto": "udp",
"Local": "[::]:53",
"Remote": "192.168.1.100:53385",
"Question": {
"Hdr": {
"Name": "docs.gravwell.io.",
"Rrtype": 1,
"Class": 1,
"Ttl": 240,
"Rdlength": 4
},
"A": "35.197.69.233"
}
}
In the entry JSON above, we have a detailed timestamp, requester IP, domain name (docs.gravwell.io), and an “A” record, among other data points.
Installing the CoreDNS Kit is simple thanks to Gravwell’s Kit explorer, which allows you to browse publicly available kits and download/install them in just a few clicks. The Kit explorer even tells you when updates to kits are available.
To install the CoreDNS Kit, simply open the Gravwell menu -> Kits -> Manage Kits, and then click on the CoreDNS Kit. The installer will ask you a few questions, such as what tag your DNS data is in (the default is “dns”, and this needs to match the tag you specified in your CoreDNS configuration). The CoreDNS Kit requires another kit, the Network Enrichment Kit, and Gravwell will automatically download and install it as a dependency.
You might be surprised at how much DNS data can be generated by just a few hosts - my home network, with my various smart devices and other computers, generates about 21,000 DNS questions and responses per day. Fortunately, Gravwell’s data ingest and indexing performance (Gravwell even has JSON-specific index acceleration which works great with CoreDNS logs!), means we can leverage this volume of data to extract trends, find related information, and even detect “beaconing” name resolutions (a common malware behavior).
We’ll start with the CoreDNS Overview dashboard, which (after installing the kit) appears in your list of dashboards. The overview dashboard shows high-level information about your DNS data, including query statistics, requests by hosts, common and uncommon requests, and the mix of request types. The default time window is the last 24 hours, and that can be changed by selecting the calendar icon in the top right corner. Below we have a week-long view of my home DNS data.
Looking at the overview, we can clearly see in the “DNS Over Time” chart the peaks of usage during the day, and we also see domains such as apple.com, netflix.com, etc., as the most common Second-Level-Domains (SLDs), as we’d expect. Interestingly, we see “2.android.pool.ntp.org” as the top hit for “DNS Beaconing”, which indicates that that particular Android device is checking in with a time server almost exactly every 24 hours. DNS Beaconing is a measure of repeated queries with the smallest temporal variation, so we would expect queries like NTP and software update checks to appear near the top of that list. Malware also tends to periodically check in with command and control servers, so DNS Beaconing is an excellent first order indicator of malicious activity on your network.
Adjusting the timescale reveals interesting patterns that you may not normally see in the 24-hour view, so be sure to check larger timescales as your dataset grows.
You may have noticed that domains in the CoreDNS Overview dashboard (as well as any other place where domain names are present) are hyperlinked. The CoreDNS Kit provides actionables to provide drill-down links to other dashboards, as well as external links to enrich information about a given domain.
When you click on a domain, you’ll be presented with a number of actions that can be taken on that domain. In the example above, we clicked on “gateay.icloud.com”, which gives us two menus - Actionables for “icloud.com” (the SLD), and Actionables for “gateway.icloud.com” (the full domain we clicked on. The options are different in each menu. In the “icloud.com” menu, we have the option to drill down into the DNS Domain Investigation Dashboard (more on that later), search for related domains, or perform a WHOIS on this domain. The WHOIS link simply launches a new window to whois.com, as shown below.
The CoreDNS Kit also provides actionables to drill down on clients (hosts that are making requests on your network), and domains (the requests being made). Let’s go back to our overview dashboard - by clicking on any domain (apple.com in this example), we can select the “DNS Domain Investigation Dashboard”, which will launch a new dashboard pointed at “apple.com”.
The Domain Investigation Dashboard shows us information about this domain, such as related subdomains (related CNAMES that resolve to this domain, and A/AAAA records), and a list of clients querying this domain. From here we can further drill-down by selecting related domains and loading their Domain Investigation Dashboards, or selecting a particular client to see what other data that client has been querying. Let’s drill-down on the client “192.168.3.100” and open the DNS Client Investigation Dashboard.
The Client Investigation dashboard shows similar information to the Overview, but is focused to a single client. Again, from here we can drill-down into domains this client has requested, adjust timeframes, and look for related queries.
In this article we’ve highlighted the Gravwell CoreDNS Kit, which enables you to quickly get to a complete DNS analysis capability with nothing more than a few clicks. If you're ready to learn more about how Gravwell can power rock-solid decisions through unlimited analytics, get started with a Free Trial or request a demo of our data fusion platform.
Thanks!