Little Snitch - Capturing traffic of a specific process

While investigating a bit of oddity with the Skype app on Mac OS X, I wanted to capture all traffic from only the Skype processes. But first, a little background on the issue. All DNS traffic from my systems is routed through a WireGuard tunnel. The peer endpoint at the other end runs a recursive resolver with DNS Response Policy Zones (DNS RPZ). https://twitter.com/pswapneel/status/1490219842674503680 The issue is that as soon as the WireGuard tunnel is disabled, Skype will try connecting to Google DNS (8.

Shodan geoping and geodns -Quickly check ping and DNS resolution across multiple locations

Measuring ping and DNS from different vantage points using RIPE Atlas has been something that I have been using for some time now. A few weeks ago, I came across Shodan’s geoping and geodns API, which provides ping and DNS lookup from a few locations and other details such as RTT. This is great because you can quickly check ping and DNS resolution on systems where you only have curl running.

The curious case of esic.in DNS

A couple of weeks ago, at my $dayjob, we implemented a recursive resolver with RPZ in an enterprise network. After a few days, the customer got back to us with an issue - the DNS resolution of the domain esic.in failed with an NXDOMAIN response. After a cursory look at the problem, it became evident that esic.in resolved correctly but www.esic.in did not. The customer also reported that if they switched the resolver to 8.

APNIC 52 - Threat Hunting using DNS

I presented on how we at my $dayjob do Threat Hunting using DNS at APNIC 52. This is the same presentation I gave at SANOG 37, but luckily, I had the full quota of 20 minutes to complete the presentation without rushing into it. Here is the video of the presentation, https://youtu.be/C1JZfAcl0Os?t=2656 Happy hunting!

sdns://2021 - Hyperlocal root and LocalRoot

Image source: sdns2021.dnscrypt.info. I had the opportunity to present on Hyperlocal root and the LocalRoot project at sdns://2021 last week. I've written and presented about Hyperlocal root, aka RFC 8806, in the past. In the context of privacy, Hyperlocal root does provide a possible solution to the problem: "Prevent snooping by third parties of requests sent to DNS root servers" (RFC 8806). Aside from that, faster negative responses to non-existent domains eliminate junk to the root

SANOG 37 - Threat Hunting using DNS

PC: Mohan Thomas At SANOG 37, I had the opportunity to share some of the ways in which we have been doing Threat Hunting using DNS at my $dayjob. Here is the video of the presentation. https://youtu.be/S3IuZgt61pA?t=9667 I also had a little demo but I decided to improvise and add slides instead, since the program was running a little behind schedule and I was the only one standing between everyone and their lunch.

Jio VoWiFi issue - It's always DNS!

tl;dr If Jio VoWiFi isn't working for you, set a different DNS resolver on the phone. While I am a big proponent of running your own resolver in the network (runyourownresolver.in), you could test by using open resolvers. The issue doesn't seem to impact everyone, only a subset of users. To begin with, there are multiple things broken in the authoritative name servers ns1.vowifi.jio.com. and ns2.

DNS RPZ (Response Policy Zones) - Using DNS as a layer of defence - Part I

Update (06/08/2020) - APNIC has published this post on their blog. Robbie Mitchell from APNIC was of great help in correcting a few things and polishing the article. You can read Part 1 on the APNIC blog here. DNS (Domain Name System) is the crucial and ubiquitous fabric of the Internet. While on the surface users rely on accessing websites, apps, email etc., underneath it is the DNS database that provides the map for the Internet.

Chromium based browsers & DNS

While this is not something new, it perhaps has more significance because of the ever-increasing market share (more than 60%) of Chromium-based browsers. Chromium-based browsers have a very uncanny method of checking whether the web browser is sitting behind a captive portal. If you're running a recursive resolver in your network with a large user base running Chromium-based browsers (Google Chrome, Brave etc.), it might even startle you when you look at the recursive resolver logs.

33,384 open DNS resolvers in India

The Shadowserver Foundation releases and updates a scan report containing results for open resolvers on the Internet. Open resolvers basically respond to any DNS query from anyone on the Internet. Open resolvers are bad for the Internet primarily because they are a catalyst in a DNS amplification attack. A Domain Name System (DNS) amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic.