Hello and welcome to the Thursday, September 21st, 2023 edition of the Sansonet Stormontas Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

DNSTTLs.

That's a quick diary I wrote today to look at, well, normal data.

As security analysts, we often focus on, well, malicious data and malicious traffic.

But in order to really find these anomalies that lead us to this malicious traffic,

we first have to understand what's normal.

So I'm trying to do a little serious here over the next few weeks or months,

depending on long it will take me, to talk about some of the parameters to look at.

And one parameter that's sort of interesting is this TTL, the time to live, that's being returned

with DNS responses. Best to collect that data between

authoritative name servers and your recursive name server, then you get the actual

TTL as the authoritative name server intended it. If you do use like a forwarding setup, then

the TTLs can be a little bit more iffy

because, well, they may already be reduced somewhat by the recursive name server that

you are forwarding your queries to.

What did I see for the TTLs?

Well, nothing out of the ordinary, and that's kind of a good thing. The fastest TTLs were for your

A and quad A records. Interesting that quad A was a little bit longer than the A records. Also,

the name server record was by far the longest-lived records. And that's certainly something to look for for name server records with a short detail.

That's often an indicator for malicious name servers going back to malware from years and years ago,

like for example, Fast Flux.

...