SIE Passive DNS and the ISC DNS Database

Presented at DEF CON 18 (2010), July 30, 2010, 10 a.m. (50 minutes)

Passive DNS replication is a technique invented by Florian Weimer for tracking changes to the domain name system. This session will introduce the problems faced by passive DNS replication in the areas of collection, analysis, and storage of DNS data at scale, and will introduce state-of-the-art solutions to these problems developed at ISC SIE. Components of SIE's passive DNS architecture will be showcased, including a specialized DNS capture tool, a tool for processing and deduplicating raw DNS message data, and the storage engine used to archive and index processed data. A bulk HTTP query API and web interface to the storage engine will also be demonstrated and made available.


Presenters:

  • Paul Vixie - President, Internet Software Consortium & Chairman, ARIN.
    Paul Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. Early in his career, he developed and introduced sends, proxynet, rtty, cron and other lesser-known tools. Paul is considered the primary modern author and technical architect of BINDv8 (the Berkeley Internet Name Daemon Version 8), the open source reference implementation of the Domain Name System (DNS). Paul Vixie founded ISC in 1994. In his role as President, Paul ensures that ISC stays true to his original mission of developing and maintaining production-quality open source reference implementations of core Internet protocols, such as BIND and DHCP, and evolving those standards. In 1995, Paul co-founded PAIX (Palo Alto Internet Exchange), which was sold to AboveNet in 1999, who in turn named Paul its Chief Technology Officer in 2000, and then President of the PAIX subsidiary in 2001. Paul also co-founded MAPS (Mail Abuse Prevention System), a California nonprofit company established in 1998 with the goal of stopping the Internet's email system from being abused by spammers. Along with Frederick Avolio, Paul co-wrote "Sendmail: Theory and Practice" (Digital Press, 1995). He has authored or co-authored more than a dozen RFCs, mostly on DNS and related topics. He is a member of ICANN RSSAC, ICANN DNSSAC and ARIN, and a frequent participant in IETF and NANOG.
  • Robert Edmonds - Internet Software Consortium
    Robert Edmonds is a research engineer at Internet Systems Consortium where he works on the Security Information Exchange project. He is responsible for maintaining the SIE infrastructure and developing the interchange formats and library code used within SIE. Before coming to ISC, Robert earned his BS in Computer Science at the Georgia Institute of Technology where he spent four years as an undergraduate research assistant at the Georgia Tech Information Security Center.