Project Report On Dns Forensics: Submitted in Fulfillment For The Award of

This document is a project report on DNS forensics submitted by five students - Aakash Hajare, Jayveer Waghamre, Mayank Bissa, Neel Ghosh and Suman Kumar - to fulfill the requirements for a Post Graduate Diploma in IT Infrastructure InSystem & Security from CDAC ACTS, E-City Bangalore under the guidance of Dr. Sanjay Adiwal. The report explores using DNS logs and traffic analysis to detect cybercriminal activities and malware infections through tools like PassiveDNS, DNSParse, CaptureDNS and DNStop. It discusses DNS attacks like man-in-the-middle, denial of service, cache poisoning and DNS hijacking. The methodology involves traffic


Project Report

On
DNS FORENSICS

Submitted in fulfillment for the award of


Post Graduate Diploma in IT Infrastructure InSystem &
Security (PG-DITISS)
From CDAC ACTS, E-CITY Bangalore.
Guided By:
Dr. Sanjay Adiwal

Presented By:

Aakash Hajare PRN : 220351923001


Jayveer Waghamre PRN: 220351923007
Mayank Bissa PRN: 220351923010
Neel Ghosh PRN: 220351923011
Suman Kumar PRN: 220351923017

Centre of Development of Advanced Computing


(C-DAC),
E-City Bangalore
CERTIFICATE

TO WHOMSOEVER IT MAY CONCERN


This is to certify that
Aakash Hajare PRN : 220351923001
Jayveer Waghamre PRN: 220351923007
Mayank Bissa PRN: 220351923010
Neel Ghosh PRN: 220351923011
Suman Kumar PRN: 220351923017

Have successfully completed their project on


“DNS FORENSICS"
Under the Guidance
Of
Dr. Sanjay Adiwal
Candidate’s Declaration

We hereby certify that the work being presented in the


report entitled DNS FORENSICS, in partial fulfillment of
the requirements for the award of PG Diploma
Certificate and submitted in the department of PG-
DITISS of the C-DAC E-CITY Bangalore, is an authentic
record of our work carried out during the period, 22nd
July 2022 to 22nd September 2022 under the
supervision of
Dr. Sanjay Adiwal, C-DAC E-CITY Bangalore. The
matter presented in the report has not been submitted
by us for the award of any degree of this or any other
Institute/University.

Aakash Hajare (PRN : 220351923001)

Jayveer Wagamare (PRN : 220351923007)

Mayank Bissa (PRN : 220351923010)

Neel Ghosh (PRN: 220351923011)

Suman Kumar (PRN: 220351923017)


ACKNOWLEDGEMENT
The project “Analysing DNS traffic and logs to find anomalies and
attacks using various open source tools” was a great learning
experience for us, and we are submitting this work to the Advanced
Computing Training School (CDAC ACTS).
We all are very glad to mention the name of Dr. Sanjay Adiwal for
his valuable guidance to work on this project. His guidance and
support helped us to overcome various obstacles and intricacies
during the course of project work.
Our most heartfelt thanks go to Mrs. Uma Prasad (Course
Coordinator, PG- DITISS) who gave all the required support and kind
coordination to provide all the necessities like required hardware,
internet facility and extra Lab hours to complete the project and
throughout the course up to the last day here in C- DAC ACTS, E-
CITY Bangalore.
Aakash Hajare
Jayveer Waghmare
Mayank Bissa
Neel Ghosh
Suman Kumar
INDEX Page No

1. INTRODUCTION
1.1. What is DNS Forensics 8
1.2. DNS Query can Reveal 8
1.3. About The Project 9
2. Motivation 10
3. Methodology 11
4. Types of DNS Attacks
4.1. Man In The Middle Attacks 12
4.2. Denial of Service Attack (DoS) 13
4.3. Distributed Denial of Service Attack (DDoS Attack) 14
4.3.1. Types of DDoS Attacks 15
4.4. Cache Poisoning 16
4.5. NX Domain Attack 17
4.6. DNS Tunneling 18
4.7. DNS Amplification 19
4.8. DNS Reflection Attack 20
4.9. DNS Hijacking 21
5. IMPLEMENTATION
5.1. DNS Traffic analysis Using Network Forensics Tool 22
5.2. DNS Message Format 23
5.3. DNS Packet Analysis 24
5.4. Bind Logging Configuration 25
5.4.1. Configuration Of DNS Logs 25
5.5. Advantages Of DNS Logs 26
6. Analysis Using DNS Tools
6.1. PassiveDNS 27
6.2. DNSParse 31
6.3. CaptureDNS 34
6.4. DNStop 36
6.5. Elk Stack 40
7. Conclusion 42
8. Reference 42
List of Figures Page No
Figure 1: Man In The Middle Attack 12
Figure 2: Denial of service Attack (DoS) 13
Figure 3: Distributed Denial of Service Attack (DDoS Attack) 14
Figure 4: Cache Poisoning 16
Figure 5: NX Domain Attack 17
Figure 6: DNS Tunneling 18
Figure 7: DNS Amplification 19
Figure 8: DNS Reflection Attack 20
Figure 9: DNS Hijacking 21
Figure 10: Traffic Analysis 22
Figure 11: DNS Message Format 23
Figure 12: DNS Packet Analysis 24
Figure 13: PassiveDNS Log status 29
Figure 14: DNS Logs (Passive) 30
Figure 15: DNS Logs (Parse) 33
Figure 16: DNS Logs (Capture) 35
Figure 17: To View the Queries 37
Figure 18: To View TLD query name 37
Figure 19: The TLD and SLD name 38
Figure 20: Showing most queries asking to records 38
Figure 21: Shows the destination IP Address 39
Figure 22: Show the source IP Address 39
Figure 23: ELK (result output-1) 40
Figure 24: ELK (result output-2) 41
Figure 25: ELK (result output-3) 41
ABSTRACT:-
In network-level forensics, the Domain Name System (DNS) is a
rich source of information. This project describes a new approach to
DNS data for forensic purposes. We propose a technique that
leverages semantic and natural language processing tools in order to
analyze large volumes of DNS data.
The Domain Name System (DNS) turns domain names into IP
addresses, which browsers use to load internet pages. Every device
connected to the internet has its own IP address, which other
devices use to locate it. DNS maintains a table in which
domain names are mapped to IP addresses. While many
individuals use DNS and domain names for legitimate purposes,
others are more interested in the shadowy side of the Internet:
building DDoS botnets, disseminating viruses and malware, setting
up phishing domains, sending spam, or running any number of
unlawful online services.
As DNS is a core and prevalent component of the internet, it is both
a prime target for attack and a key source of information. Both the
risks and the benefits stem from the distributed, delegated nature
of the system and its disparate implementations and standards.
This readily allows local collection of data and delegated
control, but also local influencing of results and sites.
Many cyber security professionals (from both governmental
and commercial agencies) are employed to hunt down
cybercriminals, examining numerous internet services to obtain data
and trace their movements. But even within cyber security,
not all researchers concentrate on digital forensic analysis of DNS
and domain services and their data.
In this project we explore cyber-criminal activities carried out by
attackers, as well as infection and activity tracking in malware traffic
analysis, through DNS logs, records and traffic.
1.INTRODUCTION:-
1.1 What is DNS Forensics: -
DNS has an important role in how end users in an enterprise
connect to the internet. Each connection made to a domain by the
client devices is recorded in the DNS logs. Inspecting DNS traffic
between client devices and a local recursive resolver can reveal a
wealth of information for forensic analysis.
Network forensics is a science that centres on the discovery and
retrieval of information surrounding a cybercrime within a networked
environment. Common forensic activities include the capture,
recording and analysis of events that occurred on a network in order
to establish the source of cyber-attacks.
Network forensics can be particularly useful in cases of network
leakage, data theft or suspicious network traffic. It focuses
predominantly on the investigation and analysis of traffic in a
network that is suspected to be compromised by cybercriminals.

1.2 DNS queries can reveal: -

• Botnets/malware connecting to C&C servers.
• Which websites were visited by an employee.
• Which malicious and DGA domains were accessed.
• Which dynamic domains (DynDNS) were accessed.
• DDoS attack activity such as NXDomain, phantom domain and random
  subdomain attacks.
1.3 About The Project: -

As DNS is a core and prevalent component of the internet, it is both
a prime target for attack and a key source of information. Both the
risks and the benefits stem from the distributed, delegated nature
of the system and its disparate implementations and standards.
This readily allows local collection of data and delegated
control, but also local influencing of results and sites.
Many cyber security professionals (from both governmental
and commercial agencies) are employed to hunt down
cybercriminals, examining numerous internet services to obtain data
and trace their movements. But even within cyber security,
not all researchers concentrate on digital forensic analysis of DNS
and domain services and their data.
In this project we explore cyber-criminal activities carried out by
attackers, as well as infection and activity tracking in malware traffic
analysis, through DNS logs, records and traffic.
2.Motivation for doing DNS forensics:-

Many cyber security professionals (from both governmental
and commercial agencies) are employed to hunt down
cybercriminals, examining numerous internet services to obtain data
and trace their movements. But even within cyber security,
not all researchers concentrate on digital forensic analysis of DNS
and domain services and their data. That is why we concentrate
on digital forensic analysis of DNS and domain services and all
their data.
3. Methodology for DNS Forensics: -

When problems arise, logs are an invaluable tool for troubleshooting,
since they give a history of events for the operating system,
applications and the system as a whole. An administrator has to
examine log files as soon as problems appear.

The /var/log directory and its subdirectories contain the plain-text log
files used by Linux. Linux logs are available for everything,
including the system, kernel, package managers, boot processes,
Xorg, Apache, MySQL, and others. We will concentrate exclusively
on Linux system logs in this report.

The DNS logs are important for identifying, and even preventing, some
of the attacks covered in this project, which are as follows:-

• Man In The Middle Attack
• Denial of Service Attack (DoS)
• Distributed Denial of Service Attack (DDoS Attack)
• Cache Poisoning
• NX Domain Attack
• DNS Tunneling
• DNS Amplification
4.Types of DNS attack:-
4.1 MAN IN THE MIDDLE ATTACK

A MITM attack is a popular attack in which the attacker becomes the
intermediary between the DNS server and the client: it spoofs the source
IP address of the DNS server, and the client receives the wrong IP address.
Working:-
Cybercriminals place themselves in the middle of data transfers or
online conversations during MITM attacks. Through the impact of malware,
the attacker easily acquires access to the user's web browser and the data
it sends and receives during transactions.

Tools used:- ArpSpoof, DNSspoof


4.2 Denial of Service Attack (DoS Attack)

Fig-02 (Denial Of service attack)

A Denial of Service (DoS) attack is a type of attack in which an
unwanted, huge amount of traffic is sent to bring down the DNS
server.

Working:-

The main goal of a DoS attack is to overload the capacity of a target
system in order to deny service to new requests. The various DoS attack
vectors may be categorized by their commonalities.

Two Types of DoS Attacks:

1. Buffer Overflow Attacks:-
In this kind of attack, overflowing a memory buffer can force a
computer to eat up all of its memory, hard drive space, or CPU time.
This kind of exploit frequently causes slowness, system crashes, or
other harmful server behaviour, which leads to denial of service.
2. Flood Attacks:-
In a flood attack, attackers transmit a large volume of traffic to a
system, preventing it from inspecting and allowing network traffic.
Tools used: Hping, LOIC
4.3 Distributed Denial of Service Attack (DDoS Attack)

Fig-03 (Distributed Denial of Service Attack)

A Distributed Denial of Service (DDoS) attack uses malware to
control multiple systems (bots) and target a single system.

Working:-

The attacker sets up a botnet of devices. Simply said, a large network
of computers is compromised through the use of malware,
ransomware, or basic social engineering. When the attacker decides
the best time to launch an attack, all zombies in the botnet
send queries to the target, using all of the server's available
bandwidth. These can range from basic ping queries to more
complicated assaults such as SYN flooding and UDP flooding.
Types of DDoS Attacks:-

1. Volume/Network Based Attacks: These attacks aim to consume
all of the server's available bandwidth, reducing the supply. Several
requests are made to the server, all of which require a reply,
blocking the target from responding to general users. Example -
ICMP echo requests and UDP floods.
2. Protocol Based Attacks: These attacks aim to exhaust the
target server's critical resources. They exhaust the load balancers
and firewalls used to protect the system against DDoS attacks.
Example - SYN floods and the ping of death.
3. Application Based Attacks: These are more complex attacks that
target application and operating system vulnerabilities. They restrict
specific applications from sending the required data to customers and
consume network bandwidth to the point of system failure. Example -
HTTP flooding.
4. Fragmentation Attacks: In this type of attack an attacker sends
small pieces of web requests at a slower speed than usual.
Since a server must receive all pieces before going on to the next
request, being stuck with a single request's fragments consumes all
resources endlessly. Example: ICMP Flooding.

Tools used: Hping, LOIC


4.4 Cache Poisoning:-

Fig-04 (Cache Poisoning)

Cache poisoning is a type of cyber-attack in which an attacker inserts
false information into a Domain Name System (DNS) cache with the
intention of causing harm to users.
Working:-

In order to trick applications into connecting to a malicious IP
address, attackers use DNS cache poisoning attacks, which flood a
DNS resolver's cache with fake addresses that correspond to
requested domain names. If the attacker succeeds in overwriting the
DNS cache with false information, the resolver provides the fake
address rather than looking up the genuine one. The user may
then connect to a malicious website at the address that the cache
returned.

Tools used: - ARP Cache Poison


4.5 NX Domain Attack: -

Fig-05 (NX Domain Attack)

An NXDOMAIN attack is a kind of DNS flood attack in which an
excessive number of DNS lookup requests are sent for incorrect
(non-existent) domain names, usually subdomains of the primary target
domain. These requests are then sent to the authoritative DNS server
which manages the domain name, with the goal of draining its resources
so that it cannot respond to valid queries and, as a result, making the
website or service inaccessible to users.

Working:-

NXDOMAIN attacks are carried out by sending a large number of
DNS queries for non-existent domain names. The domain names
are commonly generated at random and are unlikely to exist, such
as www.aaaa.com. These attacks are typically carried out by
botnets consisting of thousands of compromised machines located all
over the world, making this type of DNS attack difficult to spot and
block.
4.6 DNS Tunneling:-

Fig-06 (DNS Tunneling)

DNS tunneling exploits the DNS protocol to tunnel malware and
other data through a client-server model. The attacker registers a
domain, such as example.com. The domain's name server points to
the attacker's server, where a tunneling malware program is
installed.

Working:-
DNS tunneling involves abuse of the underlying DNS protocol.
Instead of using DNS requests and replies to perform legitimate IP
address lookups, malware uses them to implement a command and
control channel with its handler. DNS's flexibility makes it a good
choice for data exfiltration; however, it has its limits.

Tools Used:- DNScat2, Iodine, Heyoka


4.7 DNS Amplification:-

Fig-07 (DNS Amplification)

DNS amplification is a Distributed Denial of Service (DDoS) attack in
which the attacker exploits vulnerabilities in Domain Name System
(DNS) servers to turn initially small queries into much larger
payloads, which are used to bring down the victim's servers.

Working-

In a DNS amplification attack, cybercriminals exploit the everyday
functioning of the Domain Name System (DNS), turning it into a
weapon that can damage the victim's website. The aim is to bombard
the site with fake DNS search requests, which take up network
bandwidth until the website fails.
Tools Used- DDoS j0lt.c DNS amplification
4.8 DNS Reflection Attack: -

Fig-08 (DNS Reflection Attack)

A DNS reflection attack, also known as a DNS amplification attack,
is a form of Distributed Denial of Service (DDoS) attack. In this
attack, attackers use open DNS servers to amplify their attack traffic
by up to 100 times the original source traffic performing the attack.
Working-
In a reflection attack, multiple DNS requests are sent to
open DNS servers on the Internet using a spoofed source IP of the
targeted machine. The receiving DNS servers dutifully send the
requested response data to the spoofed source IP return address.
Attackers flood the DNS servers with these altered requests,
eventually overloading the targeted machine with so many UDP packets
that it can no longer respond to legitimate queries. This does not
always succeed: UDP handling is efficient, so it takes a large number
of spoofed requests.

Tools Used: - Ettercap


4.9 DNS Hijacking:-

Fig-09 (DNS Hijacking)

DNS hijacking, also named DNS redirection, is a type of DNS attack in
which DNS queries are incorrectly resolved in order to unexpectedly
redirect users to malicious sites. To perform the attack, perpetrators
install malware on user computers, take over routers, or intercept or
hack DNS communication.
Working:-
Usually, during a DNS hijacking, attackers incorrectly resolve DNS
queries sent by users and redirect them to bogus sites without the
users noticing. Afterwards, the website user inadvertently proceeds to
the linked harmful website or continues using the internet on a
server that the attackers have compromised.
Tools Used- Dnsenum
5. IMPLEMENTATION
5.1 DNS Traffic Analysis Using a Network Forensics Tool: -
Using the Wireshark tool we capture the DNS packets and analyse the DNS
records. In these records we analyse the DNS message format for queries
and responses.

Fig-10 (Traffic Analysis)


5.2 DNS Message Format:-

The message starts with a 12-byte header of six 16-bit fields, followed
by four variable-length sections:

  Identification                  | Flags
  Number of question records      | Number of answer records
  Number of authoritative records | Number of additional records
  Question Section (name and type fields for the query)
  Answer Section (RRs answering the query)
  Authority Section (records for authoritative servers)
  Additional Information Section

Fig-11 (DNS Message Format)


5.3 DNS Packet Analysis:-

Fig-12 (DNS Packet Analysis)
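As an added example (written for this edit, not code from the report), the message format of section 5.2 in code: a small Python parser for the 12-byte header, the question section and the answer section, run on a hand-assembled A response and an NXDOMAIN response so that each field can be checked against the Wireshark view of section 5.3. The sample bytes are constructed here, not captured.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

# Constructed sample (hand-assembled for this example, not a real capture):
# a response to "www.example.com IN A" carrying one A record.
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b"                                  # Identification
    "8180"                                  # Flags: QR=1 RD=1 RA=1 RCODE=0
    "0001" "0001" "0000" "0000"             # QD, AN, NS, AR counts
    "03777777076578616d706c6503636f6d00"    # question name: www.example.com
    "0001" "0001"                           # QTYPE=A, QCLASS=IN
    "c00c"                                  # answer name: pointer to offset 12
    "0001" "0001" "00000e10"                # TYPE=A, CLASS=IN, TTL=3600
    "0004" "5db8d822"                       # RDLENGTH=4, RDATA=93.184.216.34
)

# Constructed sample: an NXDOMAIN response (RCODE=3) with no answer records.
SAMPLE_NXDOMAIN = bytes.fromhex(
    "1a2c" "8183" "0001" "0000" "0000" "0000"
    "05626f677573076578616d706c6503636f6d00"  # bogus.example.com
    "0001" "0001"
)


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it).
    Pointer hops are capped so a malformed packet with a loop raises."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name ends right after the pointer
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:  # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns(msg):
    """Parse the header, question and answer sections of a DNS message."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {
        "id": ident,
        "is_response": bool(flags & 0x8000),          # QR bit
        "authoritative": bool(flags & 0x0400),        # AA bit
        "recursion_desired": bool(flags & 0x0100),    # RD bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "counts": {"question": qd, "answer": an, "authority": ns, "additional": ar},
        "questions": [],
        "answers": [],
    }
    offset = 12
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        result["questions"].append({"name": name, "type": RRTYPES.get(qtype, str(qtype))})
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        if rtype == 1 and rdlen == 4:       # A record: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):           # NS/CNAME/PTR: a (compressed) name
            value, _ = read_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        result["answers"].append(
            {"name": name, "type": RRTYPES.get(rtype, str(rtype)), "ttl": ttl, "data": value})
    return result
```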


5.4 Bind Logging Configuration:-
By default, Bind9 logs are written to the system log (/var/log/named);
Bind can also be configured to store all the logs in a specific
location.
The configuration is as follows.
Using the nano editor, open the main Bind9 configuration
file (Ctrl+X to leave, y/n to save or discard changes):
5.4.1 Configuration of DNS logs: -

// Each channel defines a log file, its rotation (versions/size) and the
// fields printed on every line. A channel only receives messages once a
// category is pointed at it, so the category statements at the end of the
// block (not in the original listing; they map the standard BIND
// categories to the channels) are required for anything to be logged.
logging {
    channel default_log {
        file "/var/named/log/default" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    channel auth_servers_log {
        file "/var/named/log/auth_servers" versions 100 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    channel dnssec_log {
        file "/var/named/log/dnssec" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    channel zone_transfers_log {
        file "/var/named/log/zone_transfers" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    channel queries_log {
        file "/var/named/log/queries" versions 3 size 600m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    // Route message categories to the channels above.
    category default { default_log; };
    category resolver { auth_servers_log; };
    category lame-servers { auth_servers_log; };
    category dnssec { dnssec_log; };
    category notify { zone_transfers_log; };
    category xfer-in { zone_transfers_log; };
    category xfer-out { zone_transfers_log; };
    category queries { queries_log; };
};

The queries category only produces output when query logging is turned
on (querylog yes; in the options block, or rndc querylog at run time),
and the user named runs as must be able to write to /var/named/log.

5.5 Advantages of DNS logs

DNS has an important role in how end users in your enterprise connect to
the Internet. Each connection made to a domain by the client devices is
recorded in the DNS logs.
By inspecting DNS traffic between client devices and the local recursive
resolver we can obtain information for forensic analysis.
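An added example (not part of the report) of reading such logs: it parses query-log lines in the format the queries_log channel of section 5.4.1 writes and summarises them per domain to surface two of the patterns listed in section 3, DNS tunneling (long labels carried in TXT/NULL queries) and random-subdomain floods (many distinct names under one domain from many clients). The log lines are constructed, and the thresholds are assumptions to tune against a baseline of normal traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in the BIND 9 query-log format written by the
# queries_log channel (print-time, print-category and print-severity on).
# They are made up for this example, not taken from a real server.
SAMPLE_LOG = """\
12-Sep-2022 10:15:01.101 queries: info: client @0x7f2a1c0ee2c0 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)
12-Sep-2022 10:15:01.205 queries: info: client @0x7f2a1c0ee2c0 192.0.2.11#41002 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.0.2.1)
12-Sep-2022 10:15:02.010 queries: info: client @0x7f2a1c0ee2c0 192.0.2.50#5353 (3fa9c0e17b2d4e6f8a1b5c7d9e0f2a4b.tun.example.net): query: 3fa9c0e17b2d4e6f8a1b5c7d9e0f2a4b.tun.example.net IN TXT +E(0)K (192.0.2.1)
12-Sep-2022 10:15:02.020 queries: info: client @0x7f2a1c0ee2c0 192.0.2.50#5353 (9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tun.example.net): query: 9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.tun.example.net IN TXT +E(0)K (192.0.2.1)
12-Sep-2022 10:15:03.000 queries: info: client @0x7f2a1c0ee2c0 198.51.100.7#33001 (qx7ka3.victim.example.org): query: qx7ka3.victim.example.org IN A + (192.0.2.1)
12-Sep-2022 10:15:03.004 queries: info: client @0x7f2a1c0ee2c0 198.51.100.8#33002 (zp9wvt.victim.example.org): query: zp9wvt.victim.example.org IN A + (192.0.2.1)
12-Sep-2022 10:15:03.009 queries: info: client @0x7f2a1c0ee2c0 198.51.100.9#33003 (m2c8hd.victim.example.org): query: m2c8hd.victim.example.org IN A + (192.0.2.1)
12-Sep-2022 10:15:03.013 queries: info: client @0x7f2a1c0ee2c0 198.51.100.7#33004 (b4ls0q.victim.example.org): query: b4ls0q.victim.example.org IN A + (192.0.2.1)
12-Sep-2022 10:15:03.018 queries: info: client @0x7f2a1c0ee2c0 198.51.100.10#33005 (yy1kr7.victim.example.org): query: yy1kr7.victim.example.org IN A + (192.0.2.1)
"""

# Matches both the older "client 192.0.2.10#51234 (...)" form and the
# newer form that carries an "@0x..." client pointer.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ IN (?P<qtype>\S+)"
)


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def base_domain(qname):
    """Naive registered-domain guess: the last two labels. A public suffix
    list is needed to handle names such as example.co.uk correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_query_log(text):
    """Yield (client_ip, query_name, query_type) for every parsable line."""
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            yield match.group("client"), match.group("qname").lower(), match.group("qtype")


def summarize(text):
    """Aggregate, per base domain, the facts the heuristics below rely on."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "max_label": 0, "txt_null": 0, "entropy": []})
    for client, qname, qtype in parse_query_log(text):
        s = stats[base_domain(qname)]
        first_label = qname.split(".")[0]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        s["max_label"] = max(s["max_label"], len(first_label))
        s["entropy"].append(shannon_entropy(first_label))
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def find_suspects(stats, long_label=30, min_names=5, min_clients=3):
    """Return {base_domain: [reasons]} for domains matching a heuristic.
    The thresholds are assumptions, not values from the report."""
    findings = {}
    for domain, s in stats.items():
        reasons = []
        if s["max_label"] >= long_label and s["txt_null"] > 0:
            reasons.append("long labels in TXT/NULL queries (tunneling indicator)")
        if len(s["names"]) >= min_names and len(s["clients"]) >= min_clients:
            reasons.append("many distinct names from many clients (random-subdomain flood indicator)")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in find_suspects(summarize(SAMPLE_LOG)).items():
        print(domain, "->", "; ".join(reasons))
```

Query logs carry no response code, so an NXDOMAIN flood shows up here only as the burst of distinct names; the rcode itself must come from the query-errors category or from passive DNS data.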

6. Analysis Using DNS Tools: -
We have identified the following tools that can be used to perform DNS
forensics and identify threats on DNS servers:
6.1 PassiveDNS
About: -
A tool to collect DNS records passively to aid incident handling,
Network Security Monitoring (NSM) and general digital forensics.
PassiveDNS sniffs traffic from an interface or reads a pcap file and
outputs the DNS server answers to a log file. PassiveDNS can
cache/aggregate duplicate DNS answers in memory, limiting the amount of
data in the log file without losing the essence of the DNS answer.
With passive DNS data, you can look up past DNS record values to
uncover potential security incidents or discover malicious networks. For
example, when a DNS record changes, the previous value is not otherwise
saved; without passive DNS, it is difficult to identify the prior DNS
records for a malicious site.
Installation Process in CentOS 8: -
# dnf -y groupinstall "Development tools"
# dnf -y install epel-release
# dnf config-manager --set-enabled powertools
# dnf -y install libpcap*
# dnf -y install openssl openssl-devel
# dnf -y install ldns ldns-devel
# dnf -y install perl-DateTime
# git clone https://github.com/gamelinux/passivedns.git
# cd passivedns/
# autoreconf --install
# ./configure
# make
# make install
# passivedns -h

Run:-

# passivedns -i ens33 -l fname
(ens33 is the capture interface name; fname is the log file to write.)
How to use the tool:
Typical usage:
Search for domain or IP history when working on an incident.
Example: the company has malware talking to facebook.com.
At the current time the domain resolves to, say, 185.89.218.12. You search
your flow data, find the clients talking to that IP and remediate. Looking
at the flow data, you discover the date and time the clients first talked
to that IP, and conclude that this is the time of infection...
But using passive DNS data and querying the domain, we get the following
history:

Fig-13 (PassiveDNS Log status)

Fig-14 (DNS Logs)

Use Case in Forensics: -

Say you have an indication of malicious C&C traffic going to an IP on port
80. The domain used by the alleged malware is supposed to be
cc.facebook.com. Searching your flow data reveals lots of clients talking to
that IP, and you might think that the whole company is compromised. A quick
search in your PassiveDNS DB shows you that the IP in question is also
hosting 300+ websites, and you might even spot a website hosted on that
IP that you are familiar with and that you know lots of people in the
company would legitimately visit daily.
Searching your passive DNS DB gives you no hits for the domain in
question, hopefully meaning that you don't have that malware talking to that
domain in your network.
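A minimal passive DNS store, as an added example that is not from the report or the passivedns project, answering the two questions of the use case above (what a name resolved to over time, and what else an IP hosts) from constructed passivedns log lines. The ||-separated field order (timestamp, client, server, class, query, type, answer, TTL, count) is assumed to be passivedns's default output layout.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed passivedns log lines (made up for this example). Assumed default
# passivedns line layout, fields separated by "||":
# timestamp||client||server||class||query||type||answer||ttl||count
SAMPLE_PASSIVEDNS = """\
1661000000.000000||10.1.1.21||10.1.1.1||IN||www.example.com.||A||198.51.100.5||3600||40
1662978901.120000||10.1.1.21||10.1.1.1||IN||www.example.com.||A||203.0.113.10||3600||14
1662979000.000000||10.1.1.22||10.1.1.1||IN||shop.example.net.||A||203.0.113.10||300||7
1662979100.000000||10.1.1.23||10.1.1.1||IN||cdn.example.org.||CNAME||edge.example.org.||600||2
1662979101.000000||10.1.1.23||10.1.1.1||IN||edge.example.org.||A||203.0.113.10||60||2
"""

FIELDS = ["timestamp", "client", "server", "qclass", "query", "rrtype", "answer", "ttl", "count"]


def parse_passivedns(text):
    """Turn log lines into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("||")
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["seen"] = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
        rec["query"] = rec["query"].rstrip(".").lower()    # normalise trailing dot
        rec["answer"] = rec["answer"].rstrip(".").lower()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


class PassiveDnsDb:
    """In-memory index of name -> answers and answer -> names, the two lookups
    the use case above needs (domain history, and what else an IP hosts)."""

    def __init__(self, records):
        self.by_name = defaultdict(list)
        self.by_answer = defaultdict(set)
        for rec in sorted(records, key=lambda r: r["seen"]):
            self.by_name[rec["query"]].append(rec)
            self.by_answer[rec["answer"]].add(rec["query"])

    def history(self, name):
        """Chronological (first_seen, rrtype, answer) tuples for a name;
        empty if the name was never observed in the monitored traffic."""
        key = name.rstrip(".").lower()
        return [(r["seen"], r["rrtype"], r["answer"]) for r in self.by_name.get(key, [])]

    def names_on(self, ip_or_target):
        """Every name seen resolving to this answer (an IP or a CNAME target)."""
        return set(self.by_answer.get(ip_or_target.rstrip(".").lower(), set()))

    def first_seen(self, name, answer):
        """When a name was first observed pointing at a given answer, or None."""
        for seen, _rrtype, ans in self.history(name):
            if ans == answer:
                return seen
        return None
```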

6.2 Tool: - DNSParse
About: -

dns_parse is another tool for analysing DNS traffic. It works on DNS data
from a live network as well as DNS data saved in pcap file format. A pcap
file of DNS data is provided as input to dns_parse, which outputs a
comprehensive, easily parsable, human-readable version of the same data.
It is useful for network monitoring (send the output to Kibana, Graylog or
similar). The most common carrier protocols are supported, as well as
packet de-duplication.

Installation Process in CentOS 8: -

# dnf -y groupinstall "Development tools"
# dnf -y install epel-release
# dnf config-manager --set-enabled powertools
# dnf -y install libpcap*
# dnf -y install openssl openssl-devel
# dnf -y install ldns ldns-devel
# dnf -y install perl-DateTime
// Download the zip file of dns_parse from the open source site and install
# wget https://github.com/pflarr/dns_parse/archive/refs/heads/master.zip
// or clone the repository instead of downloading the zip:
# git clone https://github.com/pflarr/dns_parse.git
# unzip master.zip
# cd dns_parse-master
# make
# make install
# dns_parse | more
// To capture the traffic for a particular DNS server:-
# tcpdump -i enp0s3 -s 65535 -w fname host <dns server ip addr.>
(enp0s3 is the interface name; -s 65535 is the snapshot length in bytes,
so packets are not truncated; fname is the output file name.)

// To read a pcap file in readable format
# dns_parse -m " " -t -r -c fname

-m = Multiline mode. Resource records are newline separated; the whole
record ends with the separator given.
-t = Print the time/date in Y-m-d H:M:S (ISO 8601) format. The time will
be in the local time zone.
-r = Changes the resource record format to:
-c = Append a list of counts for each record type (Questions, Answers,
etc.) to the record fields.
Output:-

Fig-15 (DNS Logs)

Each record is followed by its record type symbol:
? - Questions (no rdata is included or printed)
! - Answers
$ - Name Servers
+ - Additional
6.3 CaptureDNS:-
About:-

A simple tool to capture and show DNS queries. It saves the DNS data from
a pcap file in a human-readable format. It is also used for real-time
analysis of DNS traffic on a network: it shows each domain name and its IP
address, which is also useful in DNS monitoring.

Installation Process on CentOS 8: -

# dnf -y groupinstall "Development tools"
# dnf -y install epel-release
# dnf config-manager --set-enabled powertools
# dnf -y install libpcap*
# dnf -y install openssl openssl-devel
# dnf -y install ldns ldns-devel
# dnf -y install perl-DateTime
// Clone the source from the open source site and build it with cargo
# git clone https://github.com/lilydjwg/capture-dns.git
# cd capture-dns
# yum install cargo -y
# cargo build --release
# target/release/capture-dns ens33 > fname
(ens33 is the interface name; fname is any output file name.)

Output:-

Fig-16 (DNS Logs)
6.4 DNStop:-
About:-

dnstop is a libpcap program (like tcpdump) that shows several tables of
DNS traffic on your network. dnstop currently shows tables of:

• Source IP addresses
• Destination IP addresses
• Query types
• Response codes
• Top level domains
• Second level domains
• Third level domains
Both IPv4 and IPv6 addresses are supported by dnstop.
dnstop offers a variety of filters to aid in the discovery of particularly
unwanted DNS requests. Only the queries listed below will be shown by
dnstop, according to the filters:
Installing using: - apt-get install dnstop

How to use the tool: -

To view queries on your system: - dnstop eth0

Fig-17 (To View the Queries)
While running dnstop, hit the 1 key to view first level query names (TLDs):

Fig-18 (To view TLD query names)

Hit the 2 key while running dnstop to view the actual domain name:

Fig-19 (Show the TLD and SLD domain name)

You can easily find out which record types (A, AAAA, PTR) most queries
ask for by hitting the t key: -

Fig-20 (showing most queries asking to records)

Hit d to view the DNS client IP address:

Fig-21 (shows the destination IP Address)

Hit s to view the DNS source IP address:

Fig-22 (shows the dns source IP Address)

dnstop cannot save files itself. You have to save a capture with something
like tcpdump, and then dnstop will read it.

Use it like this:

tcpdump -w dump.pcap -c 1000 port 53

then you can read that file like this:

dnstop -l 3 dump.pcap
6.5 ELK STACK
ELK is a combination of Elasticsearch, Logstash and Kibana.

Elasticsearch- It is a database that stores documents in JSON format; this
is where we point the Logstash output.
Logstash- It is the server component designed to process incoming logs and
feed them into Elasticsearch.
Kibana- Kibana is a visualization UI layer which helps developers to
monitor application logs.
Packetbeat- Packetbeat is a real-time network packet analyzer that you can
use with Elasticsearch to provide an application monitoring and
performance analytics system.
Filebeat- Filebeat is a lightweight shipper for forwarding and centralizing
log data. Installed as an agent on your servers, Filebeat monitors the log
files or locations that you specify, collects log events, and forwards them
either to Elasticsearch or Logstash for indexing.

Fig-23 (ELK RESULT OUTPUT-1)

Fig-24 (ELK RESULT OUTPUT-2)

Fig-25 (ELK RESULT OUTPUT-3)
7. Conclusion:-

Each of these DNS forensics techniques advances the goal of quickly
finding and eliminating threats, with the best and fastest determinations
possible, using distinct methods of analyzing DNS data.

8. Reference:-

DNS History - https://securitytrails.com/blog/forensic-analysis-domain-dns-history
DNS Tunneling - https://github.com/iagox86/dnscat2
DNSparse - https://github.com/robertdavidgraham/dnsparse
CaptureDNS - https://github.com/lilydjwg/capture-dns
PassiveDNS - https://github.com/gamelinux/passivedns
DNSTop - https://github.com/verisign/dnstop/blob/master/dnstop.c
ELK stack - https://www.elastic.co/what-is/elk-stack
DNS Amplification - https://github.com/rodarima/lsi/blob/master/p2/dnsdrdos.c