When DNS Says: Talk To The Hand!

A DNS Chat between Grayloggers

When DNS Says: Talk to the Hand! What? This started with a post on social media, which created a discussion among us industry professionals. The following conversation happened when I got to talk to my coworkers about some interesting things regarding DNS responses. Putting us gearheads in a room always results in an interesting comment or two!

A Topic of Blocked DNS on Social

This is an interesting post by Antonio Gabor, a Network Security Engineer. It highlights many posts on France’s decision to block OpenDNS as a direct result of a court order targeting football piracy. The response came from a French Broadcaster, Calal+. They sought to prevent access to unlicensed sports streaming sites. So, it was a bit of a “Talk to the hand!” moment.

Of course, this spawned a conversation with Drew Maranda (Solution Engineer at Graylog), Michael Wenthold (Security Architect at Graylog), and myself. It’s a candid discussion and it highlights the importance of DNS Logging and the outcomes of DNS.

The Conversation: DNS Query Responses

Jeff Darrington

Interesting Wireshark capture from a person on LinkedIn. OpenDNS was refusing queries in France because of a court order. The SDWAN service and Meraki Dashboard did not show any errors with this. They chose to sniff the traffic to see the response in DNS. Check out the payload in clear text.

DNS Query Network Capture

Drew Miranda
Heh, that is…um…interesting. I can confirm

DNS Query Output

drewmiranda@DMIRANDA-MP ~ % dig @208.67.222.222 ipregistry.co
; <<>> DiG 9.10.6 <<>> @208.67.222.222 ipregistry.co
; (1 server found)
;; global options: +cmd
;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55298
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
; OPT=15: 00 10 ("..")
;; QUESTION SECTION:
;ipregistry.co. IN A
;; ADDITIONAL SECTION:
ipregistry.co. 0 IN TXT "The OpenDNS service is currently unavailable in France and some French territories due to a court order under Article L.333-10 of the French Sport Code. See https://support.opendns.com/hc/en-us"
;; Query time: 73 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Mon Sep 09 15:12:09 CEST 2024
;; MSG SIZE rcvd: 254

 

I used the command from
https://ipregistry.co/blog/opendns-no-longer-accessible-in-france
I’m not big-brained enough to understand what DNS has to do with geo-blocking. I thought that would be more of a VPN.
This is very dumb.

https://www.reddit.com/r/france/comments/1dr5855/comment/laswmca/?utm_source=share&u[…]m=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
Arguing that its DNS redirection service allowed 27 pirate retransmission sites to be consulted.

Ipregistry Blog

Discover why OpenDNS has ceased responding to IP addresses in France since June 28, 2024. Learn about the legal implications, alternative DNS resolvers, and the broader impact on internet access and censorship. Stay informed on how to navigate these changes effectively.
Written by
Ipregistry Team
Filed under
OpenDNS, DNS Resolver, France Internet Censorship, Post
Jun 27th
Reddit

Weidz_’s comment on “La fin d’OpenDNS en France : les dessous d’un blocage qui fait parler”
Explore this conversation and more from the France community (40 kB) Blog here

Drew Miranda
I wonder if this is because it is easy to host “piracy” sites using Opendns as the DNS provider. Wouldn’t a VPN make this trivial to defeat?

Jeff Darrington
Probably, stopping non-tv subscribers from doing some fancy internet streaming?

Michael Wenthold
I was focused more on the Meraki not showing errors part. I guess refusing to provide an answer is a valid (non-error) response. Interesting from a tech policy standpoint.

OpenDNS Suspends Service in France Due to Canal+ Piracy Blocking Order * TorrentFreak
Cisco has responded to a site-blocking order obtained by Canal+ by suspending its entire OpenDNS service for the whole of France. (294 kB)
Written by Andy Maxwell
https://torrentfreak.com/opendns-suspends-service-in-france-due-to-canal-piracy-blocking-order-240629/

Drew Miranda
I guess DNS is fairly rudimentary? It asks a question and if it gets an answer, it considers that ok? One thing that stands out is the record type of the answer (TXT) doesn’t match the type of the question (A).


Jeff Darrington
Ooooo, this discussion is going exactly how I wanted it too mwaahahha haaaa

Drew Miranda
IMO this is a good case for DNS logging

Michael Wenthold
If the sites are hosted outside of France, it limits what reach they have by targeting ISPs and service providers … that’s something they can enforce.

And yes, just getting a VPN is a workaround. I’d assume the IP rights parties would like to shut those down, too, but that might be a bridge too far for the courts.

Back to the technical part. Those 0x8185 response would be interesting, but from a security perspective. I’d really be interested in a TXT response to any DNS query, or a DNS TXT request. You see them used for different benign things but it’s not common.
If I were building a security monitoring solution DNS monitoring would absolutely be one of my top priorities.

Jeff Darrington
Great chat guys!

Michael Wenthold
Anyway, I appreciate the opportunity to peep some DNS packets, been a while I had to take a refresher on the DNS response packet structure since the packet breakdown wasn’t included. The 0x8185 breaks down as this, if anyone is interested:

DNS HEX Value in DNS Answer Packet

The hex value 0x8185 in a DNS answer packet represents specific flags in the DNS response.

Here’s the breakdown:

0x8185 in binary: 1000 0001 1000 0101
Breaking this down:
0x81 (1000 0001):Z
Bit 0 (QR): 1 – This is a response (not a query).
Bits 1-4 (Opcode): 0000 – This is a standard query (QUERY).
Bit 5 (AA): 1 – The response is authoritative.
Bit 6 (TC): 0 – The message is not truncated.
Bit 7 (RD): 1 – Recursion was desired.

0x85 (1000 0101):
Bit 0 (RA): 1 – Recursion is available.
Bits 1-3 (Z): 000 – Reserved bits (must be zero).
Bits 4-7 (RCODE): 0101 – The RCODE is 5, which indicates a “Refused” error.
Meaning of RCODE 5 (Refused): This means that the DNS server refused to perform the query due to policy reasons, such as a query being disallowed or because of access control restrictions.

 


Jeff Darrington
OOO RCODE 5 is like a DEFCON 5

Michael Wenthold
RCODE 5: talk to the hand

 

 

Drew Miranda

 

 


Jeff Darrington
“Graylog Events Title:”
DNS Says: Talk to The Hand , send detection notification to email.

 

Conclusion

DNS logging has evolved from a mere network management practice into a critical component of cybersecurity and operational efficiency. Capturing both DNS queries and detailed response information is essential for securing networks, diagnosing issues, and ensuring compliance. DNS logs offer valuable insights into potential threats, allowing organizations to detect malware, phishing attempts, and DNS tunneling. They also serve as a vital tool for troubleshooting DNS failures, optimizing network performance, and maintaining historical records for forensic analysis.

When regulations surrounding data retention and privacy are becoming more strict, logging DNS response flags ensures adherence to compliance standards, providing traceability and transparency for auditing purposes.

Whether you’re safeguarding sensitive data or simply optimizing your network’s performance, detailed DNS logging is indispensable for maintaining a secure, efficient, and compliant infrastructure. Organizations that prioritize this logging practice are better equipped to protect their assets, respond to incidents, and maintain the trust of their users.

Contact Graylog for more information on your threat detection journey!

Categories

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.