
CND News and Blog

Review: NextDNS | Privacy, Security | Splunk App

I was listening to an InfoSec podcast on the drive back from a client recently (the Privacy, Security & OSINT Show). It's a really good listen and I really appreciate Michael Bazzell's work. One of the items in the podcast was NextDNS, a product I had not come across before.

NextDNS operates by you registering an account for a very modest fee and then sending all your devices' DNS queries (securely, via TLS) to it. It then allows you to analyse your logs, modify blocklists and understand what potential metadata, data, privacy and security leaks you may have.

I've been using the product for about a month now and have it on all my personal nodes; my professional-grade firewall, network nodes and WiFi APs are all set to use it. The insights are amazing just using the web-based UI, and I'm blocking approximately 9.5% of all DNS queries.

There's also a great use case for families and blocking or restricting access to inappropriate material or simply limiting time to gaming platforms.

Why not just use my ISP or Google?

Sure, the world's largest surveillance capitalists would like you to use their DNS services (8.8.8.8) and then sell that data; that's how they got to be a trillion-dollar company. But as a personal user, why give away data on what you use the internet for, and when, and allow that to be tracked? How might that information be used in future? What if you're a journalist working abroad, or you work in the public sector, government or law enforcement? What risks does leaking data to a foreign nation's ISP present when travelling?

Cloudflare is a good alternative and I was previously using their product, but you can't investigate your logs in the way you can with NextDNS. It isn't their business model to sell your data, so it isn't as invasive.

From an InfoSec point of view and in professional work, making sure you recognise your egress DNS queries and the volume of them is really useful. It automatically blocks tracking, newly registered domains, malware URLs etc. They also have a business-level service whose capabilities I'm eager to investigate: could this realistically be integrated with SIEM data at a business level?

Next DNS, Splunk Community app

Splunk that data!

CND has a team of cyber security professionals all fully certified in Splunk to the highest possible level, I'm fortunate to count myself as a member of this team. As a personal, community exercise I decided to build a Splunk App and TA using the NextDNS data.

It took a bit of work: I had to work out how to correctly curl the logs via the API and strip the preamble from the .csv file. I got it working though, and an excerpt is below:


# curl:
- Log into your NextDNS account
- Obtain your ID
- Navigate to your account page: https://my.nextdns.io/account
- Obtain your API key
- Replace the <value> placeholders with the Key and ID values

```
curl -X GET -H "X-Api-Key: <API key>" -s -L https://api.nextdns.io/profiles/<ID>/logs/download > nextdns.log
```

# Splunk props.conf:
```
# Note this needs to be placed on the UF and the IDX tier

[nextdns:dns]
INDEXED_EXTRACTIONS = CSV
HEADER_FIELD_LINE_NUMBER = 1
HEADER_FIELD_DELIMITER =,
TIMESTAMP_FIELDS = timestamp
PREAMBLE_REGEX = ^timestamp,domain,query_type.*

# Index time use only
# Prevents un-necessary ingest of the header on subsequent ingests.
SEDCMD-Header = s/timestamp,domain,query_type,dnssec,protocol,client_ip,status,reasons,destination_country,root_domain,device_id,device_name,device_model,device_local_ip,matched_name,client_name//g
```
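The same fetch-and-strip step in Python, as an added example that is not the app's own code: fetch_logs mirrors the curl call above, parse_logs does what the PREAMBLE_REGEX and SEDCMD do (drops anything before the header and any repeated header from appended downloads), and summarise produces the blocked-percentage figure discussed earlier. The sample rows, preamble line, status and reasons values are constructed for illustration.

```python
import csv
import io
import urllib.request
from collections import Counter

# Column order of the NextDNS CSV export, taken from the page's props.conf SEDCMD.
HEADER = ("timestamp,domain,query_type,dnssec,protocol,client_ip,status,reasons,"
          "destination_country,root_domain,device_id,device_name,device_model,"
          "device_local_ip,matched_name,client_name")

def fetch_logs(profile_id: str, api_key: str) -> str:
    """Download the export as the page's curl command does (needs network access)."""
    url = f"https://api.nextdns.io/profiles/{profile_id}/logs/download"
    req = urllib.request.Request(url, headers={"X-Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:  # follows redirects like -L
        return resp.read().decode("utf-8")

def parse_logs(text: str) -> list[dict]:
    """Drop any preamble before the first header line and every later copy of the
    header (several downloads appended to one file), as the SEDCMD does at index time."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if HEADER not in lines:
        raise ValueError("NextDNS header line not found")
    start = lines.index(HEADER)
    body = [HEADER] + [ln for ln in lines[start + 1:] if ln != HEADER]
    return list(csv.DictReader(io.StringIO("\n".join(body))))

def summarise(rows: list[dict]) -> dict:
    """Blocked share of all queries, blocked root domains, destination countries."""
    blocked = [r for r in rows if r["status"] == "blocked"]
    return {
        "total": len(rows),
        "blocked_pct": round(100.0 * len(blocked) / len(rows), 1) if rows else 0.0,
        "blocked_root_domains": Counter(r["root_domain"] for r in blocked),
        "countries": Counter(r["destination_country"] for r in rows if r["destination_country"]),
    }

# Constructed sample: two exports appended to one file, so the header appears twice.
# The preamble line, status and reasons values are illustrative, not from a real export.
SAMPLE = "\n".join([
    "constructed preamble line",
    HEADER,
    "2024-04-01T10:00:00Z,www.example.com,A,true,DNS-over-TLS,198.51.100.7,default,,US,example.com,dev1,laptop,,10.0.0.5,,",
    "2024-04-01T10:00:01Z,tracker.example.net,A,false,DNS-over-TLS,198.51.100.7,blocked,blocklist:nextdns-recommended,US,example.net,dev1,laptop,,10.0.0.5,tracker.example.net,",
    HEADER,
    "2024-04-01T11:00:00Z,ads.example.org,AAAA,false,DNS-over-TLS,198.51.100.7,blocked,blocklist:nextdns-recommended,DE,example.org,dev2,phone,,10.0.0.9,ads.example.org,",
    "2024-04-01T11:00:02Z,mail.example.com,A,true,DNS-over-TLS,198.51.100.7,default,,US,example.com,dev2,phone,,10.0.0.9,,",
])
```

Running `summarise(parse_logs(SAMPLE))` on the constructed sample reports 4 queries with 50.0% blocked; swap in `fetch_logs(<ID>, <API key>)` to run it against a real export.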

It was very satisfying to work through and I've produced a series of dashboards in beta. One focuses on overall DNS stats, another on potential threats involving queries to undemocratic nations (I used votes cast at the UN under ES-11/4 as the dataset), and there are other dashboards besides.

There's further to go but it has been an enjoyable exercise and good continuous personal development. Cyber security doesn't stand still and as a professional I feel the need to constantly evaluate new tools and offerings and how that can protect me and my clients from Threat Actors.

The App / TA may be found here:

- GitHub
- Splunkbase

Do follow the project on GitHub / Splunkbase; any feedback or enhancements are gratefully received.

Saturday, 27 April 2024