DEF CON Wall of Sheep Gets a DNStap

Not all network taps are a bad thing. DNS luminary Paul Vixie talks DNStap and its security applications.

By Sean Michael Kerner | Posted Aug 11, 2015
Page of   |  Back to Page 1
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

A hallmark of the annual DEF CON security conference in Las Vegas is the Wall of Sheep area, where attendees get to try and find the "sheep" - that is, conference attendees who have sent their credentials in the clear across the network. The sheep are shamed by having their credentials shown on a projected screen. There is another side to the Wall of Sheep, though. That's the speaker series, which this year included none other than DNS luminary Paul Vixie.

While the purpose of the Wall of Sheep is to use network taps to find and shame users, Vixie's talk was about getting data to help inform network security.

Vixie is well known in the DNS community for creating the BIND DNS server, and he is also well known in the security community. He is currently the CEO of Farsight Security, which leverages DNS as well as other network information to help provide security insight. At the Wall of Sheep, Vixie gave a standing room only talk about a technology called DNStap.

At a high-level, DNStap is a flexible, structured binary log format for DNS software.

"What we're trying to do is to up level the collection of DNS data," Vixie said. "As far as I know, we [Farsight Security] have the largest DNS sensor network, but it's not growing as fast as I'd like it to grow."

One of the reasons DNS data can be difficult to obtain is that a network admin might just do a TCPdump command, which isn't efficient. With DNStap, the idea is to have a first-class software object that is open-source middleware and can add features to existing name servers, like BIND or Unbound.

"We can go to each technology vendor and tell them we have a patch that will allow name servers to generate telemetry in an open-source and unencumbered way," Vixie said.

Adding the additional DNS insight has the potential to help any organization, since the technology is all open-source. That said, Vixie said that Farsight Security isn't a non-profit, and he selfishly also wants to make it easier for organizations to collect DNS data so that his organization will be among those that benefit.

"We want people to trade their information with us for services," Vixie said. "We're trying to build a new foundation for the idea of DNS telemetry."

Farsight Security offers a number of services that provide security and visibility into network events, including DNS on a global scale.

"I expect that there will be all kinds of non-Farsight Security frameworks that will speak this [DNStap] API," Vixie said. "Even with our current sensor, it's open-source and people are running it, apart from us, they just run the sensors and run their own local collectors."

With better tools, which is what DNStap is about, Vixie expects that collection of DNS data for security and network visibility will become increasingly common.

Sean Michael Kerner is a senior editor at Enterprise Networking Planet and Follow him on Twitter @TechJournalist.

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter