Ask Your Question
0

What protocols do hosts use to perform host-name to IP address resolution

asked 2021-01-08 12:29:46 +0000

Stuart Kendrick gravatar image

I am puzzled by how a client is finding the IP address to use when its browser loads a Web page

Typically, I see the client perform an A Record look-up, receive back a A Record response, then send a TCP SYN to the IP address specified in the A Record response, whereupon it loads the home page of this site using TCP/HTTP
http://www.skendric.com/dns/www-corne...

However, while analyzing an issue, I notice that the client receives back an A Record response (23.193.130.71) which it doesn't use (happens to be an Akamai host) ... instead, it sends a TCP SYN to some other host (another Akamai IP address: 23.74.131.109), which is uses to load the home page of this site. No where prior to this TCP SYN do I see 23.74.131.109 (Find Packet... Packet Details... String 23.74.131.109). So I wonder: from where did the client learn this IP address?
http://www.skendric.com/dns/www-ibm-c...

In another example, I see similar behavior ... although I notice as well prescience: the client sends the A Record look-up and before receiving the response emits a TCP SYN to an Akamai host (23.62.159.145). Again, no where prior to this TCP SYN do I see 23.61.159.145)
http://www.skendric.com/dns/www-apple...

Now, the fact that in the first example, the client speaks directly to a box owned by the site (www.cornell.edu in this case) doesn't surprise me -- this enterprise hosts their own Web server. The fact that the client speaks to Akamai for www.ibm.com and www.apple.com doesn't surprise me: big sites, apparently they outsource content caching to Akamai.

But what surprises me is that the DNS exchange seems not to inform the address used in the TCP/HTTP session. And particularly what surprises me: where does the client get the Akamai IP address it uses for the TCP/HTTP session?

What am I missing? This seems basic ... but apparently, there is something basic which I'm not considering.

Mechanics
- Host runs Windows 10
- Pcaps taken via an in-line analyzer (ProfiShark)installed on the patch cord running between the host and the Ethernet switch 
- pcaps posted above filtered using "not (eth.addr==ff:ff:ff:ff:ff:ff or stp or ssdp)" prior to posting
- Host capture procedure:
* Start capture
* ipconfig /flushdns
* Refresh page in browser
* Stop capture

Rule-out
I have been reading about DNS over QUIC ... but I see no sign of QUIC in the pcap
And I rule out the local hosts file

C:\>dir hosts /s
 Volume in drive C is SSD
 Volume Serial Number is [...]

 Directory of C:\Windows\System32\drivers\etc

12/07/2019  01:12 AM               824 hosts
               1 File(s)            824 bytes

 Directory of C:\Windows\WinSxS\amd64_microsoft-windows-w..ucture-other-minwin_31bf3856ad364e35_10.0.19041.1_none_eb30aafa046f78ad

12/07/2019  01:08 AM               824 hosts
               1 File(s)            824 bytes

     Total Files Listed ...
(more)
edit retag flag offensive close merge delete

Comments

What do you see after running ipconfig /displaydns a few seconds after running ipconfig /flushdns? For example, do you see 23.74.131.109 anywhere? Do you have more than 1 active interface and if so, is it possible that the missing DNS packets were exchanged on an interface you weren't capturing on?

cmaynard gravatar imagecmaynard ( 2021-01-08 14:51:53 +0000 )edit

You could also try disabling DNS caching beforehand? (Task Manager -> Services -> Dnscache -> Stop)

cmaynard gravatar imagecmaynard ( 2021-01-08 15:12:27 +0000 )edit

Hi Chris,

ipconfig /displaydns shows no sign of these addresses, and disabling the other Ethernet NICs in the box did not change behavior -- more pcaps (and displaydns output) posted to the Web site

However, you got me looking more closely at the pcaps, and I'm noticing these short UDP frames being sent after the DNS query but before the DNS responses arrive. UDP frames with what looks like an encrypted payload, sent to IP addresses owned by an entity which WHOIS calls 'Total Server Solutions'

More investigation needed

--sk

Stuart Kendrick gravatar imageStuart Kendrick ( 2021-01-08 17:47:03 +0000 )edit

OK, I've tried several browsers (FF, IE, Chrome); they each display the same pattern:http://www.skendric.com/dns/W... The Client emits the A Record query, then it emits a UDP frame to an IP address registered to Total Server Solutions, Total Server Solutions returns a response, and then the DNS server returns an A Record response. The Client sends a TCP SYN to an IP address which does not appear in the pcap nor in the output of ipconfig /displaydns

Speculatively, sounds like some kind of competing DNS resolver installed on the Client

--sk

Stuart Kendrick gravatar imageStuart Kendrick ( 2021-01-08 18:13:57 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-01-08 18:59:18 +0000

Stuart Kendrick gravatar image

OK, so stopping the AVG anti-malware service eliminates these UDP encrypted frames and the Client then issues its first TCP SYN to the A Record which it receives in the DNS Response, following the classical approach.

So, to answer my question, looks like some anti-malware packages watch the DNS Resolver, perform their own DNS look-ups using an encrypted, UDP-based protocol against their own DNS servers (well, loaded on top of a world-wide infrastructure managed by Total Server Solutions), and ... here I'm unclear how they manage this -- hand the result to the querying application, superseding what the OS-native Resolver has placed there.

That's neat. Smells like an attractive target for a nation-state actor, too

Anyway, thank you Chris for getting me to dig more deeply. Best,

--sk

edit flag offensive delete link more

Comments

Another thing you could try is to simultaneously capture on the loopback interface for DNS queries to a locally installed resolver that then resolves addresses securely via DNS/TLS (or DOH or DNSSEC, I forget which - in your case it looks like DNS/TLS?).

I recall some time ago I attended a webinar about precisely this, although I can no longer find or remember the details. I do know that one of the presenters was concerned about DNS visibility and I suggested using either Wireshark w/Npcap capturing on the loopback interface or using Rawcap to accomplish the same thing in order to be able to see the unencrypted queries.

cmaynard gravatar imagecmaynard ( 2021-01-08 19:52:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-01-08 12:29:46 +0000

Seen: 456 times

Last updated: Jan 08 '21