
Welcome and hello. My name is Lukáš Forst, and welcome to our hitchhiker's guide through the domain name system. These are DNS tales: the bizarre records, or the story of 5 billion domains. This is my co-founder Martin Japa. We are from a company called Recon Wave. What we do is basically this: it is our job to know when our customers deploy a new application, a new server, a new domain, and everything around DNS. So who can tell me all top-level domains? Well, ICANN can, basically, you know, the organization, but Recon Wave can tell you all the domains. Our job is to scrape all the DNS that there is and to know everything that is going on in this system. In this talk we will deep dive into our data set. We will show you some of the most bizarre things that we saw, from cooking recipes to malware, and then we will go a bit more into security-related things.

Okay. So, thank you guys for coming to our talk. Sometimes people start their talks with a joke, so I'm going to also start with a joke: two antennas met on the roof, fell in love and got married. The ceremony wasn't much, but the reception was excellent. So yeah, now you might be wondering how this is relevant to the talk, right? Well, this is actually a DNS record. This is a TXT record of the Finnish domain 24-7.fi. Those of you who have your laptops open can verify this with this command right now. All the records that we are going to be showing in this talk should still exist, so you can be verifying this while we talk. But a small disclaimer: we don't actually know what applications are hosted on all of these domains. So if you are visiting them, please be responsible for your actions.

Before we show you more of these interesting records that we found, let me just very briefly go through the DNS background. I guess most of you are familiar with it, but just for the sake of clarity. DNS is sometimes called the phone book of the internet, right? I like to call it the biggest eventually consistent distributed database in the world. The primary use case is pretty simple: I want to translate domains into IP addresses. But actually DNS hides a lot of other features and use cases. So now you can ask yourself if you could actually guess how many types of DNS queries there are. The answer might surprise you, because interestingly there is not even an official answer to this question; we are talking about definitely more than 80, but maybe more than 100. So there are a lot of DNS types, but in this talk we are going to be talking almost exclusively about the TXT record type.

So what is a DNS TXT record? Basically it allows you to store any text value, right? And if you allow people on the internet to store any text value, they will store literally any value. Why? Because they can, right? So this is where the fun will begin. But before we go to that, of course there are legitimate use cases for TXT records. For example, you can verify ownership of domains to third parties, or the security features of email infrastructure are built on top of DNS TXT records.

So back to what we did. As Lukáš already suggested, what we do at Recon Wave is that we are scraping a lot of open-source intelligence sources to discover the attack surface of our customers. Right now we have more than 5 billion unique host names, and we are also resolving them and indexing them and keeping history of all of them. So once I was sitting and I was thinking: what if I try to search for some known keywords in the TXT database? There must be some Easter eggs hidden by people. And oh boy, there are. So we are going to show you some of them. First we will show you just generally bizarre records, and then we will move towards more security-related, but also bizarre, records.

So what else are TXT records used for? Come on, it's the internet. So, porn. Yeah, obviously. There's a lot of porn in TXT records. But we are not going to be talking about that and showing it; we are not going to that level. All right. So what else? For example, there are a lot of YouTube links. For example, this specific one. There are literally hundreds of occurrences of this specific YouTube link. So maybe you can try to guess where this takes you, but I guess a lot of you already know. Yeah, I saw the dance. Okay, so it's Rick. We are never going to give you up.

So what else did we find? For example, recipes. Yeah, of course DNS is also a cookbook, right? The best chocolate cake recipe in the world. And actually, if you follow the link, you really get a nice txt file with a chocolate cake recipe, including the ingredients and icing and everything. I didn't try it though. Okay, so what else? Maybe love diaries. Yeah, sure. "I miss you and I miss you a lot and I [expletive] love you, Eva." "I love you, Mandy." I guess this is not what the authors of the original DNS RFC in 1983 anticipated, but this is the reality.

The next one, this is my personal favorite and the first one I found. So this is Gabe. Gabe was having a bad day, as you can read yourself, and he opened his heart to DNS. And so the camera is there, right? So this is for you, Gabe, if you are watching this: I want you to know that we've all been there. I hope you got your work done. I feel you, and I want you to know that somebody did actually find your message, and now literally hundreds more people are watching this. So, another proof that if you actually put something on the internet, it eventually becomes public.

Okay. So then what about source code? Yeah, sure. Here you can see a Python snippet. It's processing some spreadsheets, because why not, right? Or HTML. Yeah, sure. In this record, you can find an iframe to Canva. Because who needs GitHub and GitLab, right, when you can make a new subdomain for a new commit? But I guess someone had their reasons. Then completely random records. I didn't know what to call them, but an internet classic: "Epstein didn't kill himself." This one is also a good one: "Lori was here. Contact me and I will buy you a beer." So Lori, this might get expensive for you, because we didn't claim a beer, but all of you can. So this is the domain; I guess you could find a contact for Lori.

The last one, another link. It's a link to Pastebin, which I guess most of you know. There are a lot of links to Pastebin; we didn't actually manage to go through all of them, but I decided to include this one particularly for the fact that if you actually go there, you can see that 73 unique visitors visited the link. So assuming this is the only occurrence of the link on the internet, it's actually pretty impressive that I'm not the only one who found it, right? Quite a lot of people found it. So as I said before, if you post something online, even to a TXT record, people will find it.

Okay. So now we are moving more to the security-related bizarre records. All right. So people seem to love PowerShell, right? Like, a lot of us do, or have to use it. It turns out that people are actually using TXT records as somewhat of a copy-paste. You know, you don't have a direct connection between your servers, so you just push it directly to TXT, resolve it on the other side of the world, and just run it. So for example, here's some administrator trying to install Windows Autopilot info and join some group. We have also another one. This one is encoded, but this is actually very simple base64: some PowerShell downloading strings from the local network. And there are so many of these like that. But this one is also super interesting. This is PowerShell, but this one is sort of a recursive one, where somebody wrote a program that recursively goes and explores whatever there is on this domain and these domains, and there's a whole script that gets executed only through resolving TXT data. Honestly, I was quite impressed how people are actually very resourceful in terms of what they are putting into public DNS.

But also malware loves DNS, right? It's pretty established that malware is using DNS for exfiltrating data and also for command and control. We caught this one, a very benign-sounding name, "illegal website.com", that actually has PowerShell that downloads a cryptojacker, then elevates its privileges and then installs something which is called MinerGate. Super interesting stuff. So many of these are in public records; you can just go and search for them. Very nice.

But it also turns out that there are people that are trying to break whatever we are doing, because they are putting command injections into TXT data. So we got the obligatory Bobby Tables on this domain, with a very nice strip. Everybody knows it, we love it. We also have... the clicker is not working. Yeah, we also have Log4Shell. Awesome. Also very, very nice. Our servers are not written in Java, so we are good, but you know, Log4Shell, interesting stuff. Also cross-site scripting, like, definitely all of that. Hopefully we were not vulnerable to cross-site scripting, but that would be very, very interesting to see.

The more important thing that I wanted to talk about today is why people are putting very private data and secrets into public records, into public DNS. So we find a lot of secrets, for example API keys. We got a Stripe API key. Hey, nice. We do not publish the domain because the Stripe API key is actually still active. I mean, it's a test one, but still. Sorry, you have to go and find it yourself. You can see also Python code. Why do people put Python? I don't know. We also found a Porkbun API key; that's a hosting and domain provider.

But we also found something very, very interesting. So when we ran our database for RSA private keys, how many records do you think we could find? Because at the beginning I thought, okay, you know, people are people, we make mistakes, we just copy a key, put it somewhere, and it might have been the wrong key. However, what was kind of interesting for us was that there are over a thousand unique records of RSA private keys in the public DNS data. Now this does not look right: people are just, you know, mistakenly typing it into the wrong window in their DNS provider. So we actually went and tried to search how and why it might make sense. And it's very controversial, very controversial. But I'm going to claim today that for some people, for some companies, it might actually make sense to put a private RSA key into a public DNS record. So, for example, here is a private key. Here's a website. We are not censoring it because it's fine. We think it's fine anyway.

Okay, so what is RSA? RSA, as everybody probably knows, is public key cryptography. So very basically, you have a public and you have a private part of the key. When you want to encrypt something, you encrypt it with the public and decrypt with the private. If you want to sign something, you sign it with the private and verify the signature with the public one. In DNS we use RSA in something which is called DKIM, or DomainKeys Identified Mail. It's very basically again a technology used to sign email, so you can actually verify that this email was sent by this domain. You can try again; this is our public key. Okay, we did not make the mistake. It's a public key. But only public keys can ever be published, right? We can agree on that.

Now, why are private keys actually private? Because only you know it, only you could have used it, so there's a guarantee that any signed material was actually signed by you, or actually by anyone who is holding that key. Right? So what happens when you publish your private key? The guarantee no longer applies and anyone can actually use it. So anything that was signed after the key was published cannot be trusted. Given the nature of DNS, you cannot prove when this key was actually published, which means that even all the previous signatures of all emails are actually invalidated. So you can never prove that somebody signed it before.

How is this property useful? So you invalidated all signatures, you don't know what actually happened. Well, it turns out that if you do shady business, not necessarily shady business, but if there is a court hearing and you go there and somebody, you know, points an email into your face and says, "Hey, you wrote it, there's a digital signature," but you published your private key, you can just say: "Oh no, sorry, I did not write that. My private key is a part of a public domain; somebody could have used it." So plausible deniability, people. Okay, security: plausible deniability. This is something very resourceful and very useful for all of us. Of course, publishing a private key can also be used when you are rotating your DKIM private keys and your own cryptography. But usually, from our experience, from what we found, most of these domains that have their private key published are somewhat related to financial companies, to investment funds. How is that possible? I don't know, maybe coincidence. We don't know.

Okay. And so lastly, we would like to show you one more bizarre record. The domain is actually the one that you see below the title: disk.phd.gz.b64.grahamc.com. So I guess a lot of familiar words, right? You can see that this resolves to some string. So I did what all of you would do, right? You fire up bash and you start your pipeline. So first you remove the apostrophes, you decode the base64 encoding, so you get some binary blob. You also decompress it, and then finally you put it into the file tool to see what you got. Right? So what we found is a Microsoft disk image. So this is actually a virtual disk that is literally stored in one TXT DNS record. Actually, let's give credit to the owner of the domain, which is Graham Christensen. He's a famous contributor to NixOS. Unfortunately, this is quite my nemesis, because I didn't manage to get inside. My conclusion is that the disk is empty. There is no partition inside, but I could be wrong. So, you can see the domain. You could take this as another scavenger hunt of this conference. You can try to get inside. Maybe there is an Easter egg. Like, if I was putting this into the DNS, I would put inside an Easter egg. As I said, I was not able to get inside. If you get inside and read some files, please tell us. I'm very curious what's there. But I think there is no partition.

All right. So this is the end of our short talk. Thank you all for listening to us. There is a little bit of a bonus for you: you can try to take a picture or resolve these domains right now. Also, if you would like to hear more DNS-related stuff, we are trying to post interesting blog posts at reconwave.com/blog. It's below in the right bottom; I know it's not really visible for you guys in the back. And if you have some questions, we would like to answer anything. Also, thank you. Also, if you have some idea what keywords to search for in the TXT data set, you can come up to us after the talk and we can do it right now on our laptops. It's pretty fast; we have the results in seconds, so we can have fun. Thank you so much, people. It was great. Thank you for having us. Thank you.
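A triage pass over TXT records in the spirit of the keyword searches described in the talk, added here as an example and not the speakers' or Recon Wave's code: it joins the quoted chunks a resolver prints, flags PEM private keys and PowerShell (plain, or base64-encoded UTF-16LE as `-EncodedCommand` payloads are), and replays the base64 / gunzip / `file` pipeline used on the grahamc.com record. The sample records, the `.example` names and the `conectix` VHD cookie check are my own assumptions, not data from the talk.

```python
import base64, binascii, gzip, re

# Magic bytes checked after decoding, standing in for the `file` tool used in the talk;
# "conectix" is the cookie of a Microsoft VHD header/footer (my assumption about what `file` matched).
MAGICS = {b"MZ": "pe-executable", b"\x7fELF": "elf", b"conectix": "ms-vhd-disk-image"}
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
PS_CMDLET = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b")  # Verb-Noun shape, e.g. Get-WindowsAutopilotInfo

def join_txt(rdata):
    """Join the quoted 255-byte chunks of TXT rdata (as dig prints them) into one string."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def decode_layers(value):
    """Replay the talk's pipeline, base64 then optional gunzip; returns (layers peeled, raw bytes)."""
    layers, blob = [], b""
    try:
        if len(value) >= 24:  # shorter strings decode as base64 by accident
            blob, layers = base64.b64decode(value, validate=True), ["base64"]
        if blob.startswith(b"\x1f\x8b"):
            blob, layers = gzip.decompress(blob), layers + ["gzip"]
    except (binascii.Error, ValueError, OSError, EOFError):
        pass  # not base64, or a truncated gzip stream: report what was peeled so far
    return layers, blob

def classify_txt(rdata):
    """Tags saying why a TXT record deserves a human look; an empty list means it looks ordinary."""
    value = join_txt(rdata)
    tags = ["private-key"] if PEM_KEY.search(value) else []
    if len(PS_CMDLET.findall(value)) >= 2:
        tags.append("powershell")
    layers, blob = decode_layers(value)
    tags += layers + [name for magic, name in MAGICS.items() if blob.startswith(magic)]
    # -EncodedCommand style payloads are UTF-16LE text: decode and look for cmdlets again.
    text = blob.decode("utf-16-le", errors="replace")
    if text.isprintable() and len(PS_CMDLET.findall(text)) >= 2:
        tags.append("powershell-encoded")
    return tags

def chunk_rdata(value):  # render a value the way a resolver prints TXT rdata: quoted 255-byte chunks
    return " ".join('"%s"' % value[i:i + 255] for i in range(0, len(value), 255))

# Constructed sample records; none of these are the real records shown in the talk.
ADMIN_PS = "Install-Script Get-WindowsAutopilotInfo; Get-WindowsAutopilotInfo -Online"
SAMPLES = {
    "key.example": chunk_rdata("-----BEGIN RSA PRIVATE KEY-----MIIEfakefakefake-----END RSA PRIVATE KEY-----"),
    "ps.example": chunk_rdata(base64.b64encode(ADMIN_PS.encode("utf-16-le")).decode()),
    "disk.example": chunk_rdata(base64.b64encode(gzip.compress(b"conectix" + bytes(504))).decode()),
    "spf.example": chunk_rdata("v=spf1 include:_spf.example.com -all"),
}
```

Running `classify_txt` over `SAMPLES` tags the key, the encoded PowerShell and the gzip-wrapped disk image, while the SPF record comes back with no tags.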