From 0c54748749ec6e19fd6e916e4298793cc7ea8e28 Mon Sep 17 00:00:00 2001
From: Thomas Stromberg
Date: Wed, 21 Sep 2022 13:30:44 -0400
Subject: [PATCH] Add detector for mysterious DNS traffic

---
 net/unexpected-dns-traffic.sql | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 net/unexpected-dns-traffic.sql

diff --git a/net/unexpected-dns-traffic.sql b/net/unexpected-dns-traffic.sql
new file mode 100644
index 0000000..27d2a87
--- /dev/null
+++ b/net/unexpected-dns-traffic.sql
@@ -0,0 +1,20 @@
+-- Catch DNS traffic going to machines other than the host-configured DNS server
+-- NOTE: This only supports IPv4 traffic due to an osquery bug with 'dns_resolvers'
+SELECT
+ s.family, protocol, s.local_port, s.remote_port, s.local_address,
+ s.remote_address, p.name, p.path, p.cmdline AS child_cmd, p.cwd, s.pid, s.net_namespace,
+ p.parent AS parent_pid, pp.cmdline AS parent_cmd, hash.sha256,
+ CONCAT(p.name, ',', remote_address, ',', remote_port, ',', protocol) AS exception_key
+FROM process_open_sockets s
+LEFT JOIN processes p ON s.pid = p.pid
+LEFT JOIN processes pp ON p.parent = pp.pid
+LEFT JOIN hash ON p.path = hash.path
+WHERE remote_port IN (53,5353)
+AND remote_address NOT LIKE "%:%"
+AND remote_address NOT IN (
+ SELECT address FROM dns_resolvers WHERE type='nameserver' and address != ''
+)
+AND NOT child_cmd = '/usr/lib/systemd/systemd-resolved' -- misconfiguration?
+AND exception_key NOT IN (
+ 'systemd-resolve,192.168.50.1,53,17'
+)
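Review bot: The `LEFT JOIN processes p` is undone by the `AND NOT child_cmd = '/usr/lib/systemd/systemd-resolved'` predicate near the end of the hunk: when the socket's pid is no longer in `processes`, `child_cmd` is NULL, `NOT NULL` is NULL, and the row is silently dropped — which is exactly the short-lived process a DNS-exfil detector most wants to keep; depending on how osquery's `CONCAT` handles a NULL argument, `exception_key NOT IN (...)` may drop the same rows a second time. Null-proof both with `AND COALESCE(child_cmd, '') != '/usr/lib/systemd/systemd-resolved'` and `AND COALESCE(exception_key, '') NOT IN (`, and add `AND address IS NOT NULL` next to the existing `address != ''` in the `dns_resolvers` subquery, since one NULL address makes that `NOT IN` return no rows at all and the detector goes blind without an error. Separately, both exceptions are keyed on `p.name`/`p.cmdline`, which the running process itself controls, so an unrelated binary that adopts the `systemd-resolve` name would match the allowlist; keying it on `p.path` or `hash.sha256` (both already selected) is more robust. The `192.168.50.1` entry is site-specific and deserves a `-- site-local resolver, adjust per deployment` comment so it is not copied elsewhere unchanged.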