Passive DNS is a monitoring technique that records the relationships between domain names and IP addresses as they appear in real DNS responses. With this information we can identify fast-flux botnets, which constantly update DNS with very low TTL values, find out where a domain name pointed in the past, list the domain names hosted on a given IP, and so on.
I usually use pdnstool to query a specific domain or IP, as it lets me choose among several passive DNS databases (DNSParse, ISC, BFK, CERTEE). In the next example I query the BFK database for information about spotssmalldor.com.
root@mordor:~# pdnstool -b spotssmalldor.com
source  response_time  query              answer                        rrtype  ttl  firstseen  lastseen  count
BFK     0.707719847    spotssmalldor.com  37.153.192.72                 A
BFK     0.707719847    spotssmalldor.com  42.121.84.12                  A
BFK     0.707719847    spotssmalldor.com  95.87.1.19                    A
BFK     0.707719847    spotssmalldor.com  111.93.115.216                A
BFK     0.707719847    spotssmalldor.com  140.116.72.75                 A
BFK     0.707719847    spotssmalldor.com  223.30.27.251                 A
BFK     0.707719847    spotssmalldor.com  ns1.treesmustdownload.su      NS
BFK     0.707719847    spotssmalldor.com  ns1.checklistsseesmics.su     NS
BFK     0.707719847    spotssmalldor.com  ns1.boardsxmeta.com           NS
BFK     0.707719847    spotssmalldor.com  ns1.higherpricedan.com        NS
No doubt the information provided by this technique is really valuable for identifying different types of threats. But what if we want to implement our own passive DNS? Although there are many ways to accomplish this (for example with YAF and Mediator), I would like to explain a faster method that uses nothing but the capture and display filters of Tshark, with no need to install additional packages. Obviously, this is a very simplified version of a real passive DNS service.
So, if you have access to a DNS server, or you can do port mirroring in a modest network, something like this can be useful:
peregrino@mordor:~$ tshark -i wlan0 -f "src port 53" -R "dns.flags.authoritative == 1" -n -T fields -e dns.qry.name -e dns.resp.addr -E occurrence=f
Capturing on wlan0
google.com	173.194.41.1
elpais.es	91.216.63.241
upsa.es	193.146.156.50
With this filter Tshark records only authoritative DNS responses, so that each line gives the domain/IP association for one answered query: the capture filter "src port 53" keeps only traffic coming from DNS servers, the display filter "dns.flags.authoritative == 1" keeps responses with the AA bit set (answers that come from an authoritative server rather than from a cache), -n stops Tshark from generating DNS lookups of its own, and "-E occurrence=f" prints only the first address when a response carries several A records. Two caveats: the AA bit is set by the authoritative server, so the capture point must see the traffic between your recursive resolver and the Internet (answers a resolver serves to clients from its cache normally have AA clear, so on a mirror of client traffic you would filter on "dns.flags.response == 1" instead); and in current Wireshark releases the display filter is given with -Y (-R is now a two-pass read filter that needs -2) and the A-record address field is dns.a. You can check the authoritative answer with:
peregrino@mordor:~$ dig google.com NS +short | head -1
ns1.google.com.
peregrino@mordor:~$ dig google.com @ns1.google.com +short | head -1
173.194.41.1
To get more fields (for example the delta time, -e frame.time_delta) add another -e switch with the name of the field. If the traffic is high, remember that you can use -b with the duration and files options (for example "-b duration:3600 -b files:24") to set up a ring buffer; -b only applies when you are also writing capture files with -w, and it is a good way to prevent many pcap files from filling the entire hard disk.
If the DNS traffic is not very high, you can simply redirect the output to a file and then use the sort command to get a list sorted by domain. Note that "-t $'\t'" makes the tab the field separator and "-k 1" defines a key running from the first field to the end of the line, so -u drops only exact duplicate domain/address pairs; that is why spotssmalldor.com still appears once per address below (use "-k 1,1" if you want a single line per domain).
peregrino@mordor:~$ tshark -i wlan0 -f "src port 53" -R "dns.flags.authoritative == 1" -n -T fields -e dns.qry.name -e dns.resp.addr -E occurrence=f > /tmp/domains
Capturing on wlan0
....
peregrino@mordor:~$ sort -t $'\t' -uk 1 /tmp/domains
alsa.es	212.163.31.132
elpais.es	91.216.63.240
google.com	173.194.41.1
spotssmalldor.com	140.116.72.75 <---
spotssmalldor.com	223.30.27.251 <---
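The sort command above gives you the domain/address pairs but not the first-seen, last-seen and count columns that pdnstool prints, nor a reverse lookup from address to names. The following script is an added example, not code from the original post; it assumes Tshark was run with the same filters as above but with three fields, "-e frame.time_epoch -e dns.qry.name -e dns.resp.addr", and with "-E occurrence=a", which joins several A records of one response with commas. The input lines embedded in it are constructed, not real traffic, and the fast-flux threshold is an assumption chosen for illustration.

```python
"""Minimal passive-DNS aggregator over tshark '-T fields' output.

Added example, not part of the original post.  Assumes tshark was run as:

    tshark -i wlan0 -f "src port 53" -R "dns.flags.authoritative == 1" -n \
           -T fields -e frame.time_epoch -e dns.qry.name -e dns.resp.addr \
           -E occurrence=a

With occurrence=a, several A records in one response are joined by commas.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not real traffic), in the format described above.
SAMPLE = """\
1382000000.10\tgoogle.com\t173.194.41.1
1382000001.20\telpais.es\t91.216.63.240
1382000002.30\tspotssmalldor.com\t140.116.72.75,223.30.27.251
1382000003.40\tspotssmalldor.com\t37.153.192.72
1382000004.50\tnxdomain.example\t
1382000005.60\tgoogle.com\t173.194.41.1
1382000006.70\tspotssmalldor.com\t95.87.1.19,111.93.115.216
"""


def parse_lines(text):
    """Yield (epoch, qname, ip) for every A record in every response line.

    Lines with an empty answer field (a response without A records) and
    malformed lines are skipped instead of aborting the run.
    """
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) != 3:
            continue
        ts, qname, answers = parts
        qname = qname.rstrip(".").lower()
        if not answers:
            continue
        try:
            epoch = float(ts)
        except ValueError:
            continue
        for ip in answers.split(","):
            ip = ip.strip()
            if ip:
                yield epoch, qname, ip


def build_pdns(text):
    """Return {(qname, ip): {"first_seen", "last_seen", "count"}}."""
    db = {}
    for epoch, qname, ip in parse_lines(text):
        rec = db.setdefault((qname, ip),
                            {"first_seen": epoch, "last_seen": epoch, "count": 0})
        rec["first_seen"] = min(rec["first_seen"], epoch)
        rec["last_seen"] = max(rec["last_seen"], epoch)
        rec["count"] += 1
    return db


def ips_for_domain(db, qname):
    """Every address a name has resolved to (the 'where did it point' query)."""
    wanted = qname.rstrip(".").lower()
    return sorted(ip for (q, ip) in db if q == wanted)


def domains_on_ip(db, ip):
    """Every name seen resolving to an address (reverse lookup)."""
    return sorted(q for (q, a) in db if a == ip)


def flux_candidates(db, min_ips=4):
    """Names that resolved to at least min_ips distinct addresses.

    The threshold is an assumption for illustration; real fast-flux detection
    also looks at TTLs and at how quickly the address set changes.
    """
    per_name = defaultdict(set)
    for (q, ip) in db:
        per_name[q].add(ip)
    return sorted(q for q, ips in per_name.items() if len(ips) >= min_ips)


def report(db):
    """Sorted listing like the post's sort output, plus first/last seen and count."""
    lines = []
    for (q, ip), rec in sorted(db.items()):
        first = datetime.fromtimestamp(rec["first_seen"], tz=timezone.utc)
        last = datetime.fromtimestamp(rec["last_seen"], tz=timezone.utc)
        lines.append(f"{q}\t{ip}\t{first:%Y-%m-%d %H:%M:%S}\t"
                     f"{last:%Y-%m-%d %H:%M:%S}\t{rec['count']}")
    return "\n".join(lines)


if __name__ == "__main__":
    pdns = build_pdns(SAMPLE)
    print(report(pdns))
    print("flux candidates:", flux_candidates(pdns))
```

To run it on a real capture, redirect the Tshark output to a file as in the post and pass the file contents to build_pdns() instead of SAMPLE; the timestamp field is what turns the flat domain/address list into the first-seen/last-seen history that makes passive DNS useful for incident response.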
If you want to see more useful examples with Tshark for dealing with network security incidents take a look at Instant Traffic Analysis with Tshark How-to.