How to find the DynamicDNS an IP address from LAN connects to ?



  • Hello,

    I have got a question. I am using pfsense 2.0.1 and squid in transparent mode.

    I know that someone on my network is establishing an OpenVPN connection to an IP address with ports 1194 and 1195.
    I know the IP addresses but they are dynamic addresses of a home connection. DNS Reverse Lookup cannot resolve the IP. Squid isn't filtering this kind of traffic and I don't know how to find out the domain name.

    Probably it would be possible to do a packet capture on this IP and port, but is there any other way to solve this problem?

    Thank you for your help!



  • I think you need to better define the problem…

    Block them?  Block 1194 and 1195 outbound to the class b of the IPs.

    Find them?  Match the internal IP with the system name in the arp table.  (and optionally block or flag that MAC)



  • Hi,

    thank you for your feedback. I need to find the destination IP the client connects to.

    What I have is:
    LAN IP: 192.168.0.100
    Destination IP: 60.61.62.63 (just an example)
    Destination Port: 1195

    I need the DNS of the destination IP. The DNS Lookup does not give me any results but I know that it must be something like blah.dyndns.com and this is what I need to find out.

    The client is using the pfsense LAN interface as DNS - if this is important.

    I hope this makes it clear :-)



  • It sounds like what you are looking for is a packet capture with a filter to select (TCP connects to port 1194 or port 1195) or (UDP to port 53)
    then when you see TCP connects you backtrack through the capture looking for "recent" DNS response with the IP address that is the destination of the TCP connects then backtrack to the matching DNS request which should have the name you are looking for.

    If the client has a "fixed" or known IP address then the filter can select only packets from that address which should significantly reduce the capture data to be examined.

    If you don't do this sort of thing frequently you will probably have to put in some time to dredge through the tcpdump and associated man pages and experiment to get the filter details correct.
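    The correlation wallabybob describes, as an added example that is not part of the original thread: parse `tcpdump -n` style text lines (the four sample lines below are constructed, not a real capture; 192.168.0.100, 60.61.62.63, blah.dyndns.com and ports 1194/1195 come from the thread, 198.51.100.9 and the 300-second lookback window are assumptions) and, for every outbound TCP SYN to an OpenVPN port, walk back to the most recent DNS answer to that client containing the destination IP and on to the query that named it.

```python
import re
from datetime import datetime

# Constructed sample of `tcpdump -n` text output (not a real capture): a DNS
# lookup by the LAN client, then a TCP SYN to the OpenVPN port it resolved.
SAMPLE_LINES = """\
10:58:05.100000 IP 192.168.0.100.51234 > 192.168.0.1.53: 17027+ A? blah.dyndns.com. (33)
10:58:05.120000 IP 192.168.0.1.53 > 192.168.0.100.51234: 17027 1/0/0 A 60.61.62.63 (49)
10:58:05.900000 IP 192.168.0.100.45678 > 60.61.62.63.1195: Flags [S], seq 1, win 65535, length 0
10:58:40.000000 IP 192.168.0.100.45679 > 198.51.100.9.1194: Flags [S], seq 2, win 65535, length 0
""".splitlines()

VPN_PORTS = {1194, 1195}
DNS_WINDOW_S = 300  # how far back to look for a DNS answer (assumed value)

LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
QUERY_RE = re.compile(r"^(\d+)\+ A\? (\S+)\. ")
ANSWER_RE = re.compile(r"^(\d+) \d+/\d+/\d+ (.*) \(\d+\)$")

def _ts(s):
    t = datetime.strptime(s, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def correlate(lines, client_ip=None):
    """Return (client, dst_ip, dst_port, hostname) for each outbound TCP SYN to
    a VPN port; hostname is None when no recent DNS answer carried dst_ip."""
    queries = {}   # (client, txid) -> queried name
    answers = []   # (time, client, ip, name), oldest first
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, rest = m.groups()
        if client_ip and client_ip not in (src, dst):
            continue  # optional filter on a known/fixed client address
        if dport == "53" and (q := QUERY_RE.match(rest)):
            queries[(src, q.group(1))] = q.group(2)
        elif sport == "53" and (a := ANSWER_RE.match(rest)):
            name = queries.get((dst, a.group(1)))  # match by DNS transaction id
            for rr in a.group(2).split(", "):
                if rr.startswith("A "):
                    answers.append((_ts(ts), dst, rr[2:], name))
        elif int(dport) in VPN_PORTS and "Flags [S]" in rest:
            t = _ts(ts)
            hit = next((h for (at, c, ip, h) in reversed(answers)
                        if c == src and ip == dst and t - at <= DNS_WINDOW_S), None)
            results.append((src, dst, int(dport), hit))
    return results
```

    Lines of this shape come from a capture such as `tcpdump -n -i <lan_if> 'host 192.168.0.100 and (udp port 53 or (tcp[tcpflags] & tcp-syn != 0 and (tcp port 1194 or tcp port 1195)))'` (interface name is a placeholder); a connection with no hostname hit is one the client reached by bare IP, or whose lookup fell outside the window.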



  • @wallabybob:

    It sounds like what you are looking for is a packet capture with a filter to select (TCP connects to port 1194 or port 1195) or (UDP to port 53)
    then when you see TCP connects you backtrack through the capture looking for "recent" DNS response with the IP address that is the destination of the TCP connects then backtrack to the matching DNS request which should have the name you are looking for.

    If the client has a "fixed" or known IP address then the filter can select only packets from that address which should significantly reduce the capture data to be examined.

    If you don't do this sort of thing frequently you will probably have to put in some time to dredge through the tcpdump and associated man pages and experiment to get the filter details correct.

    Thank you. I know about packet capture as I said in the first post. Hoped that there would be some other - easy to use feature - within pfsense  ;)
    The pfsense packet capture is not able to capture on multiple ports, is it? Just all ports or one defined one, right?


  • LAYER 8 Global Moderator

    "I know that it must be something like blah.dyndns.com"

    And how do you know that??  He might just be connecting to the IP; why does he have to be using a fqdn to access it?

    And if you're interested in blocking the traffic - why does it matter, just block the port or the IP he is connecting to, or the network that IP is on, etc.



  • @johnpoz:

    "I know that it must be something like blah.dyndns.com"

    And how do you know that??  He might just be connecting to the IP; why does he have to be using a fqdn to access it?

    Because I know the OpenVPN config file - now. So this is just interesting for future purposes.

    @johnpoz:

    And if you're interested in blocking the traffic - why does it matter, just block the port or the IP he is connecting to, or the network that IP is on, etc.

    Changing OpenVPN port is easy, the IP changes periodically every 24h.

    Further it will help me if I need to write something for my boss or someone else.
    I know how to block this traffic and so on and I know that I can use a packet capture but my question was pointing to if there is another "easy-to-use" option in pfSense to get information about something like that.
    If there isn't any - no problem. Just want to be sure :)

    But nevertheless thank you for your time and answers :)


  • LAYER 8 Global Moderator

    "Because I know the OpenVPN config file"

    You mean you have the config file?  I use an IP in my config file all the time.  So not sure what that statement is supposed to mean?

    Yeah changing the port is easy, changing the netblock he is on - not so much ;)  If you're going to block the fqdn, he could just use the IP.  Or for that matter any of the 1000s of other dyn dns domain names out there.

    There is no way to lookup a dyn dns name from the IP, ie PTR – depending on his ISP there might be a PTR for his IP but it's not going to point to the dyn dns name he is using.

    If he is using your dns, then you could look in its cache if you know the IP.  Then again dyn dns normally only has a TTL of a couple of minutes.  So even if he looks it up to connect, it would be out of your cache very quickly.



  • Ok, don't think this will help me any further.

    Thank you for your time.


  • LAYER 8 Global Moderator

    I guess you could break your dns to not expire on the TTL, but that is just asking for issues.  So that the record would stay there and you could look for the ip in your cache to see what is up.  Or you would have to catch it in there before it expires.  Maybe the one he is using is using a longer TTL?  But normally dyn ones are very short.  example mine is 60 seconds.

    
    ; <<>> DiG 9.8.1-P1 <<>> @ns1.dyndns.org snipped.homeip.net
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17027
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 9
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;snipped.homeip.net.            IN      A
    
    ;; ANSWER SECTION:
    snipped.homeip.net.     60      IN      A       24.13.xxx.xxx
    
    ;; AUTHORITY SECTION:
    homeip.net.             86400   IN      NS      ns5.dyndns.org.
    homeip.net.             86400   IN      NS      ns4.dyndns.org.
    homeip.net.             86400   IN      NS      ns3.dyndns.org.
    homeip.net.             86400   IN      NS      ns1.dyndns.org.
    homeip.net.             86400   IN      NS      ns2.dyndns.org.
    
    snipped to help keep output shorter.
    
    ;; Query time: 39 msec
    ;; SERVER: 204.13.248.75#53(204.13.248.75)
    ;; WHEN: Mon Jul 23 10:58:06 2012
    ;; MSG SIZE  rcvd: 344
    
    

    Now if I look up the ip, I do get a PTR record - but it is the ISP's record - and has nothing to do with the dyn dns forward I have setup.

    ;; QUESTION SECTION:
    ;xxx.xxx.13.24.in-addr.arpa.    IN      PTR

    ;; ANSWER SECTION:
    xxx.xxx.13.24.in-addr.arpa. 7200 IN      PTR    c-24-13-xxx-xxx.hsd1.il.comcast.net.

    Your other option as already stated is sniffing your traffic for dns queries that return that IP in them.

    Wish I could help you - but what you're asking is just not something that can be done.  The dyn dns companies do not own the netblocks the users are on, so can in no way set up PTRs for them.  PTRs have to be set up by the org that owns the address space.

    If what you're looking for is an easy way to block the outbound openvpn connections - we might be able to find alternative ways of detecting this sort of traffic and then killing it.  It is possible to detect openvpn via DPI, because openvpn does not do your typical ssl handshake - so it is possible to detect it and prevent it.  Problem is, it's also possible to tunnel the ssl through a normal ssl tunnel to prevent this type of detection ;)



  • @johnpoz
    You helped me. You gave me some good tips. There will be other - non technical - solutions which will stop this kind of traffic. It is just a kind of forensic :)

