dns

Ngrep: quick peek at http traffic

Table of Contents: Quick peek; Sorts out unique User-Agent (devices); Monitor the occurrence of the keywords; Monitor HTTP GET | POST traffic by IP addresses; DNS

Quick peek

Monitor activities on device eth0 port 80:
-W byline: linefeeds (LF) are printed as linefeeds, more readable.
-qt: quiet mode and print human-readable timestamp.

    # ngrep -d eth0 -W byline -qt port 80

Sorts out unique User-Agent (devices)

In a corporate environment, the desktop/laptop OS build is often standardized.

Encrypting DNS Traffic

Table of Contents: DNSCrypt; Install; Select a resolver; Modify resolv.conf; Start systemd service; Verify the DNS traffic is encrypted

DNSCrypt can be used to increase web browsing privacy and thwart DNS traffic sniffing. It enables encryption and authentication of DNS traffic between the local computer and the remote DNS resolver. It hides the domain name resolution, which is otherwise sent in clear text to the DNS server before the HTTPS connection to the target website is initiated.

DNS resolution benchmark

Table of Contents: dig & grep; namebench

dig & grep

A straightforward way is to use the dig utility from the dnsutils package and grep the results. This works well for quick debugging on the go:

    # apt-get install dnsutils
    $ dig @202.188.0.132 archive.org | grep "Query time:"
    ;; Query time: 356 msec
    $ dig @8.8.8.8 archive.org | grep "Query time:"
    ;; Query time: 48 msec

Note: 202.

Tracing Malicious Network Traffic

Table of Contents: Nettop; Google Transparency Report: Safe Browsing Tool; Netstat; Flowtop

Nettop

Suppose an unknown or suspicious entry (e.g., no chat client is in use, yet a random chat domain, vmp.boldchat.com, appears) is spotted during DNS monitoring, as in the previous post titled "Sniff DNS Queries". Under macOS, the nettop utility lists sockets and routes in detail, which helps trace the process that established the connection to the unknown domain:

Sniff DNS Queries

Table of Contents: Dnstop; Tcpdump; Wireshark / Tshark

Dnstop

Dnstop is a console libpcap application that displays various tables of DNS traffic on a network including:
- Source IP addresses
- Destination IP addresses
- Query types
- Top level domains
- Second level domains

    # dnstop enp0s3 -l 3

Use ctrl-r to reset the counter/refresh the history to get the latest queries.

Tcpdump

Capture packets from port 53 (DNS):