0

I noticed a (relatively) huge amount of DNS packets in my Wireshark recording while only visiting plain websites. Sites like amazon, facebook, comodoca and many others are requested by DNS packets. So does it make sense to use DNS packets as an indicator for ALL resources (servers) that are involved when loading a website, for example?

When I look at my DNS packets carefully, there shouldn't be anything that is hidden from me, right? Every domain or server that is potentially requested when visiting a website will be seen?

Wouldn't that be a good way to check whether malicious code is loaded from strange (unexpected) resources?

BeldCode
  • You have mentioned "plain websites", but as an example you are providing URLs which are quite far from a "plain webpage". There are lots of statistics, Content Delivery Network sources and/or advertisements... Directly, the page behind these URLs is often just a "control" page to tell the browser what all has to be loaded - images (including ads), styles, info banners (RSS, marketing stuff - like "Looking for a job?" on this page :-) ). – Kamil J Feb 28 '19 at 18:35
  • @Kamil J you are absolutely right. Amazon etc. have very complex websites. What I meant is that when I access a website like the local cinema or anything, there are also DNS requests for Amazon, Facebook and many more. I guess these are services or links that are made from the website (here my local cinema) to Amazon etc. – BeldCode Mar 02 '19 at 10:27

1 Answer

0

I think this is not a good way to detect malicious loads, for multiple reasons:

  • Malicious code can load a resource from a server using its IP address directly (having a static address is neither hard nor expensive) and will not create any DNS request.
  • DNS requests only show the domain requested; you have no idea which resource was loaded, and DNS will be contacted only once per domain. So a malicious script can load a resource from a common resource provider (Google Drive) or a CDN (Amazon CloudFront) and appear as a legitimate load.
  • If the website itself is infected, or another popular website is (I have already seen a malicious file hidden on the official French tax website behind an unused URL) and the malicious load is on it, you will never catch it in the DNS log.
redheness
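To make the three points in the answer concrete, here is an added example (not part of the original question or answer) that correlates a small, constructed set of DNS answers with a constructed set of outbound connections, the way you would after exporting both from a capture. All hostnames (`.test` names), IP addresses (RFC 5737 documentation ranges) and paths are made up for illustration. It shows what a DNS-only view yields and what it misses: a connection to a hard-coded IP never appears in DNS at all, and several very different resources (a legitimate library and an attacker upload on the same CDN, or an unused path on the first-party site itself) collapse onto a single, legitimate-looking name.

```python
"""Added example, not from the original post: compare a DNS-only view of a
browsing session with the connections that actually happened.
All names, IPs and paths below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class DnsAnswer:
    qname: str       # name the client queried
    ips: Set[str]    # addresses returned for it


@dataclass
class Connection:
    dst_ip: str      # destination of the TCP connection
    host: str        # HTTP Host header / TLS SNI; "" when a bare IP was used
    path: str        # resource fetched over that connection


# Constructed DNS traffic as a sniffer would see it: one lookup per name.
# A second fetch from the same name is served from cache and produces no packet.
DNS_ANSWERS = [
    DnsAnswer("www.example-cinema.test", {"192.0.2.10"}),
    DnsAnswer("cdn.example-cdn.test", {"198.51.100.5"}),   # stands in for a shared CDN
]

# Constructed connections made while loading the page.
CONNECTIONS = [
    Connection("192.0.2.10", "www.example-cinema.test", "/index.html"),
    Connection("198.51.100.5", "cdn.example-cdn.test", "/jquery.min.js"),
    # same CDN, same cached name, no new DNS packet: attacker-controlled file
    Connection("198.51.100.5", "cdn.example-cdn.test", "/u/attacker/payload.js"),
    # hard-coded IP in a script: no DNS lookup at all
    Connection("203.0.113.7", "", "/stage2.bin"),
    # compromised first-party site: forgotten path on a trusted name
    Connection("192.0.2.10", "www.example-cinema.test", "/old/unused/dropper.js"),
]


def ip_to_names(answers: List[DnsAnswer]) -> Dict[str, Set[str]]:
    """Reverse index: which queried names resolved to each IP address."""
    index: Dict[str, Set[str]] = {}
    for a in answers:
        for ip in a.ips:
            index.setdefault(ip, set()).add(a.qname)
    return index


def dns_only_view(answers: List[DnsAnswer]) -> Set[str]:
    """Everything a DNS-only capture tells you: the set of queried names."""
    return {a.qname for a in answers}


def unexplained_connections(answers: List[DnsAnswer],
                            connections: List[Connection]) -> List[Connection]:
    """Connections whose destination IP never appeared in any DNS answer.
    A DNS-only monitor cannot see these (hard-coded IPs, or names cached
    before the capture started)."""
    index = ip_to_names(answers)
    return [c for c in connections if c.dst_ip not in index]


def paths_per_name(answers: List[DnsAnswer],
                   connections: List[Connection]) -> Dict[str, List[str]]:
    """Group the fetched paths under the DNS name that 'explains' each
    connection. Many different resources map onto one name, so the name
    alone cannot separate a legitimate file from a malicious one on the
    same host or CDN."""
    index = ip_to_names(answers)
    grouped: Dict[str, List[str]] = {}
    for c in connections:
        for name in sorted(index.get(c.dst_ip, ())):
            grouped.setdefault(name, []).append(c.path)
    return grouped


if __name__ == "__main__":
    print("DNS-only view:", sorted(dns_only_view(DNS_ANSWERS)))
    for name, paths in paths_per_name(DNS_ANSWERS, CONNECTIONS).items():
        print(f"{name}: {paths}")
    for c in unexplained_connections(DNS_ANSWERS, CONNECTIONS):
        print("no DNS record for", c.dst_ip, c.path)
```

Run stand-alone, the DNS-only view contains just two innocuous names, while the connection list shows five fetches, one of them to an address that never appeared in DNS. The same comparison is what you would do with a real capture: export DNS answers and TCP/TLS connections (with SNI or Host where visible) and look for destinations with no resolving name, then judge the remaining ones by URL or content, not by domain.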