
Dangling CNAME Report

[ Edited ]
Adviser
Posts: 33

Dangling CNAMEs are essentially CNAMEs in your authoritative zone that point to 3rd party resources that no longer exist and could be reused by adversaries as a subdomain takeover.

 

This concern has come up a few times, so this basic solution is what I came up with, working within the confines of the Infoblox NIOS Reporting platform:

 

High level: 

 

  • CSV export all CNAMEs from a zone via GUI or API (be sure to export in Infoblox CSV import format)
  • Upload this CSV file to Reporting as a lookup and add a lookup definition
  • Load the Dangling CNAMEs dashboard

 

This will provide a report of all CNAMEs in a zone that fail to resolve to an IP address.

 

This could be run as a scheduled report to keep the results automatically updated and also trigger alerts and/or send an email with the results.

 

There are some issues, which include keeping the list of CNAMEs current, as this requires periodic updating and there is no API/automatic method to push this into Reporting. The other issue is that the available dnslookup Splunk script only looks up A records. If a CNAME happens to point to a name that only has a TXT record, for example, it won't resolve and would therefore show up on the list of unresolved CNAMEs in the report.

 

Here is a sample of what the report would look like and how to build it:

 

Example API call to create the CSV export (or just grab it from the GUI):

 

curl --location --request POST 'https://gridmaster/wapi/v2.9/fileop?_function=csv_export' \
--user '<username>:<password>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "_object": "record:cname",
    "zone":"domain-name.tld"
    }'

To upload a lookup table: Reporting -> Settings -> Lookups ->  add-new:

 

image001.png

 

Choose upload CSV file and save as cnames.csv:

 

image002.png

 

Add-new for lookup definition and add as cnames from lookup file cnames.csv:

 

image003.png

 

Go to Reporting -> Dashboards -> Create new dashboard:

 

image004.png

 

Create Dashboard and then select “Source” to edit the source. Completely replace the XML with the below snippet and save:

 

<dashboard>
  <label>Dangling CNAMEs</label>
  <row>
    <panel>
      <title>Total Dangling CNAMEs</title>
      <single>
        <search>
          <query>| inputlookup cnames |  lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved | where isnull(Resolved) | stats count by fqdn* | eventstats sum(count) as Total | dedup Total | table Total</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
      </single>
    </panel>
  </row>
  <row>
    <panel>
      <title>CNAMEs not resolved</title>
      <table>
        <search>
          <query>| inputlookup cnames |  lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved  | where isnull(Resolved) | stats count by fqdn*  | eventstats sum(count) as totalCount | table fqdn*</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</dashboard>

Now you should have a dashboard similar to this which contains the total and full list of all the dangling CNAMEs:

 

image005.png

 

Reminder... this requires the manual upload (and updating) of the list of CNAMEs to monitor and the report will list "false positives" if a CNAME fails to resolve to an IP address for any other reason.

 

Hope this helps someone!

Steve S.
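As an added example (not code from this thread or from Infoblox), the Python script below reads a CNAME export in the CSV import format and checks each canonical target directly, separating a target that answers NXDOMAIN (genuinely dangling) from one that exists but has no A record (the TXT-only false positive the post describes). The column names, sample rows and resolver answers are constructed assumptions; replace fake_resolve with a real resolver to run it against live DNS.

```python
import csv
import io

# Constructed sample, shaped like "Export data in Infoblox CSV Import Format"
# (column names fqdn* / canonical_name* are assumed from that format).
SAMPLE_EXPORT = """\
header-cnamerecord,fqdn*,_new_fqdn,canonical_name*,comment,ttl,view
cnamerecord,www.example.test,,web.hosting.example,,3600,default
cnamerecord,shop.example.test,,abandoned.saas.example,,3600,default
cnamerecord,_dmarc.example.test,,dmarc.vendor.example,,3600,default
"""

# Constructed resolver answers: (rcode, A records) per CNAME target.
FAKE_DNS = {
    "web.hosting.example": ("NOERROR", ["198.51.100.10"]),
    "abandoned.saas.example": ("NXDOMAIN", []),   # target gone: takeover risk
    "dmarc.vendor.example": ("NOERROR", []),      # exists, TXT only: no A record
}

def fake_resolve(name):
    """Stand-in resolver; names not in the table answer NXDOMAIN."""
    return FAKE_DNS.get(name, ("NXDOMAIN", []))

def parse_cname_export(csv_text):
    """Yield (owner, target) pairs from the cnamerecord rows of the export."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    fqdn_i, target_i = header.index("fqdn*"), header.index("canonical_name*")
    for row in reader:
        if row and row[0] == "cnamerecord":
            yield row[fqdn_i], row[target_i].rstrip(".").lower()

def classify_cnames(csv_text, resolve=fake_resolve):
    """Return {owner: 'dangling'|'no-a-record'|'ok'}; only NXDOMAIN on the target
    is truly dangling, a target with no A record is the TXT-only false positive."""
    verdicts = {}
    for owner, target in parse_cname_export(csv_text):
        rcode, addrs = resolve(target)
        if rcode == "NXDOMAIN":
            verdicts[owner] = "dangling"
        elif not addrs:
            verdicts[owner] = "no-a-record"
        else:
            verdicts[owner] = "ok"
    return verdicts

if __name__ == "__main__":
    for owner, verdict in classify_cnames(SAMPLE_EXPORT).items():
        print(f"{owner}: {verdict}")
```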

Re: Dangling CNAME Report

Authority
Posts: 14

Hi Steve,

 

We were looking for something like this and we are trying to get this to work but get stuck.

We followed the instructions below, but we see a yellow exclamation mark in the dashboard saying that the file name cnames-csv is invalid.

We copied your XML exactly as is.

Is there a typo in the XML somewhere?

 

Re: Dangling CNAME Report

Adviser
Posts: 33

Thank you for catching an issue! Appears I did have a couple of typos in the XML. I have updated the XML in the original post. Go ahead and copy/replace with the full updated XML and this should now work as expected.

Steve S.

Re: Dangling CNAME Report

New Member
Posts: 3

Hi Steve,

 

Thanks for resolving the issue with the XML.

We have implemented according to your instructions.

The Dashboard works fine as far as I can see, but still it says No Results Found.

Even though we have created the CSV file, and have set up the LookUp Table File and the LookUp Definitions.

 

LookUp Table File:

/opt/splunksearchhead/etc/apps/infoblox/lookups/cnames.csv

 

LookUp Definition:

cnames
file
Id,CName,CanonicalName,Owner,IpAddresses,ExportDateTime
cnames.csv

 

Any idea on what might cause this, since we do not get the required output?

 

Thanks in advance.

Grtzz

 

Mervin Alvares

 

Re: Dangling CNAME Report

Adviser
Posts: 33

Hello Mervin,

 

Apologies as this appears to be my fault once again. The CSV export of the CNAMEs must be in "CSV Import" format and not the "visible data" format.

 

When you export via the GUI be sure to choose the CSV export option of "Export data in Infoblox CSV Import Format".

 

 

I believe this may be the issue and please let me know if this is the case. You will need to generate a new export and remove/replace the cnames.csv you have uploaded and the corresponding LookUp Table file as the field mappings are different.

 

Thank you!

 

 

Steve S.

Re: Dangling CNAME Report

New Member
Posts: 3

Hi Steve,

 

Can you explain how I can get a CSV with CNAMEs from the Infoblox GUI?

Since I can't find the option in our Grid Manager.

 

And maybe you could clarify what you mean with: "CSV Import" format?

And how to?

 

Re: Dangling CNAME Report

Adviser
Posts: 33

Hi Mervin,

 

Yes, I had intended to include a screenshot in my last reply but unfortunately this did not appear.

 

To generate the CSV in Infoblox Import format you can follow these steps:

 

1. Navigate to the zone you wish to generate the CNAME export from

2. Apply a filter for Type Equals CNAME record

3. Choose the "Export" function and then the option for "Export data in Infoblox CSV Import Format"

 

This will provide a CSV output in a different format that is compatible with the CSV import function and also the expected format and columns for the Dangling CNAME Report to properly extract the data.

 

See the screenshot below for a visual example:

 

csv.jpg

 

Thank you!

Steve S.

Re: Dangling CNAME Report

New Member
Posts: 3

Hi Steve,

 

I have managed to get the dashboard working, thanks for your help.

 

Still I have a question:

The dashboard says there are a total of 528 Dangling cnames, but shows only 5 in the "CNAMEs not resolved" view (Capture.JPG).

Re: Dangling CNAME Report

Adviser
Posts: 33

I am glad to see this is at least partially working now!

 

I don't believe there was a limit set on the "CNAMEs not resolved" but perhaps there is a display issue. Can you open this panel in a search to confirm if this displays the full listing? Hover over the lower right corner of the "CNAMEs not resolved" panel and select the magnifying glass. This should open with the actual search string being leveraged and display the results.

 

Let me know what you find and we can proceed from there.

 

Thank you!

Steve S.

Re: Dangling CNAME Report

Techie
Posts: 12

I am also trying to do this and get the same results. Here is the search:

 

| inputlookup internal-cnames | lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved | where isnull(Resolved) | stats count by fqdn* | eventstats sum(count) as totalCount | transpose | replace "fqdn*" with FQDN | transpose header_field=column | table FQDN

 

I replaced cnames with internal-cnames

Re: Dangling CNAME Report

[ Edited ]
Adviser
Posts: 33

Taking a look at this again I see an update needs to be made to the search. If you change the query to the below the full results will be displayed in the table:

 

| inputlookup cnames |  lookup dnslookup clientip as fqdn* OUTPUT clienthost as Resolved  | where isnull(Resolved) | stats count by fqdn*  | eventstats sum(count) as totalCount  | table fqdn*

 

I also updated the original XML post to reflect the search query change. 

Steve S.

Re: Dangling CNAME Report

New Member
Posts: 4

Hi Steve,
When attempting to follow your instructions, I'm getting stuck at the first step where I should add a new lookup table. Upon attempting to upload and create the cnames.csv I get the following error (Error-Screenshot1.JPG):
"Encountered the following error while trying to save: Client is not authorized to perform requested action"
Have you ever encountered this error?
Thank you for your time.

Re: Dangling CNAME Report

Adviser
Posts: 33

Hello! This error may be related to the user role internal Splunk permissions that may have changed since the previous version running in NIOS. If you haven't already, I would recommend opening a support case and Infoblox Support should be able to advise on an update or fix that could resolve this permission issue.

Steve S.

Re: Dangling CNAME Report

New Member
Posts: 1

If you got it working, it would be great to know what resolved the error.

Re: Dangling CNAME Report

New Member
Posts: 4

Hi Chris,

 

I got the report working but it seems to be returning inconsistent results. The report is showing CNAMEs that do resolve and get an IP in the dashboard results. I thought the report was to only show the CNAMEs, aside from the CNAMEs pointing to TXT records, that didn't resolve and get an IP ultimately. Do you have any thoughts on this?

Adam

Re: Dangling CNAME Report

New Member
Posts: 4

My apologies Steve,
I have a typo in my response. I said "Chris" but meant Steve.

Adam

Re: Dangling CNAME Report

New Member
Posts: 4

Hi,
I had to open a case with Infoblox. The Engineers researched it and discovered it's a missing permissions setting in the config file on the Reporting server. An Infoblox representative had to log onto our reporting server to add the missing line in the config file, which corrected the issue with adding and saving a lookup table.

Re: Dangling CNAME Report

Adviser
Posts: 33

Hi Adam, sorry it took some time on this...

 

Technically the results will list a CNAME that does not resolve for any reason. This relies on the Splunk DNS resolver function to be able to perform the lookup, which is dependent on the DNS resolver configuration of the Grid or Reporting member. If the lookup fails here because recursion is not available, any timeouts or access issues exist, or a different DNS view with an alternative zone copy responding with NXDOMAINs is matched, then the report will result with an unresolved CNAME.

 

My suggestion would be to review the DNS resolution path the Reporting member is leveraging to validate if all of the CNAMEs in question can be resolved here. If so, there could be some other reason why the Reporting appliance is not able to resolve these which would need to be further investigated.

Steve S.