Skill Name: HTTP/HTTPS Client Fundamental
Category Tag: HTTP
Skill Content: In a normal Web browsing session, a DNS query-reply exchange is generated before the HTTP/HTTPS request-response session begins.
Skill Description: In the general case, every normal HTTP/HTTPS communication sends a DNS query before the client host connects to the Web server. A DNS query-reply session consists of at least two DNS packets: a DNS query packet and a DNS reply packet. The DNS query-reply session is the opening session of many Internet protocol services. An HTTP/HTTPS session of normal web behaviour should obtain the IP address of the Web server through an observable DNS query-reply exchange.
However, there are some situations in which no DNS traffic appears:
- (1) DNS cache: the target host was visited a few seconds earlier and its DNS record is still held in the resolver cache, so no new query is sent.
- (2) QUIC protocol: the Chrome browser uses a special protocol called QUIC, a service on UDP port 443, to carry an encrypted DNS session, so only Google knows the user's target HTTP/HTTPS host.
- (3) Direct IP address: the traffic did not need to convert a host name into an IP address. This is unusual for normal end users, but it depends on how the Web designer built the pages and how visitors are directed to connect to the Web host.
- (4) Relay session: the HTTP/HTTPS client connects to a proxy host or to a relay network such as Tor or I2P. In these sessions there are no normal DNS query-reply packets.
- (5) The hosts file: the folder called 'etc' contains a file named 'hosts' that holds static mappings from host name to IP address. When the 'hosts' file has been modified to contain an entry for the target host name, the system uses the IP address from the 'hosts' file instead of sending a DNS query.
- (6) Malware behaviour: some abnormal network behaviour from malware, especially network worms, Trojans, RATs and backdoors, performs infection or C&C connections without generating any DNS query-reply traffic.
NSPA suggested display filter for Wireshark (replace LAN_NET/16 with the local network range):
dns or ((http or tcp.flags.syn==1) and not (ip.src==LAN_NET/16 and ip.dst==LAN_NET/16))
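The rule above and its exception list can be replayed over a packet capture offline. The following is an added example (not code from the NSPA page or course): it implements the same logic as the suggested display filter in Python and, for every outbound SYN to port 80 or 443, records whether the destination address was obtained from a DNS reply seen in the capture, from a static 'hosts' entry (exception 5), or from no visible resolution at all (which covers the direct-IP, proxy/relay, pre-capture cache and malware cases). The LAN range, the hosts-file entries and the packet records are all constructed for the example.

```python
"""Added example: DNS-before-HTTP check over constructed packet records (not part of the NSPA page)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the local network the page's filter calls LAN_NET/16; the value is a constructed placeholder.
LAN_NET = ip_network("192.168.0.0/16")

# Assumption: static entries as they would appear in /etc/hosts (exception 5 in the text); constructed.
HOSTS_FILE = {"203.0.113.10": "intranet.example"}


@dataclass(frozen=True)
class Packet:
    """Minimal view of a captured packet; only the fields the rule needs."""
    ts: float            # capture timestamp in seconds
    src: str             # source IPv4 address
    dst: str             # destination IPv4 address
    kind: str            # "dns_query", "dns_reply", "tcp_syn" or "http"
    qname: str = ""      # DNS: queried name
    answers: tuple = ()  # DNS reply: resolved addresses
    dport: int = 0       # TCP: destination port


def matches_nspa_filter(p: Packet) -> bool:
    """Python equivalent of the page's display filter:
    dns or ((http or tcp.flags.syn==1) and not (ip.src in LAN_NET and ip.dst in LAN_NET))."""
    if p.kind in ("dns_query", "dns_reply"):
        return True
    if p.kind not in ("http", "tcp_syn"):
        return False
    lan_to_lan = ip_address(p.src) in LAN_NET and ip_address(p.dst) in LAN_NET
    return not lan_to_lan


def classify_connections(packets, hosts=HOSTS_FILE):
    """For every outbound web SYN (port 80/443) kept by the filter, record how the
    destination address was obtained: 'dns' (a reply earlier in the capture),
    'hosts' (static file entry) or 'none' (no resolution seen).
    Returns a list of (ts, src, dst, how, name) tuples in capture order."""
    resolved = {}  # destination ip -> (queried name, reply timestamp)
    findings = []
    for p in sorted(packets, key=lambda x: x.ts):
        if not matches_nspa_filter(p):
            continue
        if p.kind == "dns_reply":
            for ip in p.answers:
                resolved[ip] = (p.qname, p.ts)
        elif p.kind == "tcp_syn" and p.dport in (80, 443):
            if p.dst in resolved:
                findings.append((p.ts, p.src, p.dst, "dns", resolved[p.dst][0]))
            elif p.dst in hosts:
                findings.append((p.ts, p.src, p.dst, "hosts", hosts[p.dst]))
            else:
                findings.append((p.ts, p.src, p.dst, "none", ""))
    return findings


def unresolved(findings):
    """Only the connections worth a second look: no DNS reply and no hosts-file evidence."""
    return [f for f in findings if f[3] == "none"]


# Constructed capture: one normal visit with a DNS exchange, one hosts-file host,
# one LAN-internal connection (dropped by the filter) and one outbound SYN
# with no resolution at all. Addresses are from documentation ranges.
SAMPLE_CAPTURE = [
    Packet(1.00, "192.168.1.20", "192.168.1.1", "dns_query", qname="www.example.com"),
    Packet(1.02, "192.168.1.1", "192.168.1.20", "dns_reply", qname="www.example.com", answers=("203.0.113.5",)),
    Packet(1.05, "192.168.1.20", "203.0.113.5", "tcp_syn", dport=443),
    Packet(2.00, "192.168.1.20", "203.0.113.10", "tcp_syn", dport=80),
    Packet(3.00, "192.168.1.20", "192.168.1.50", "tcp_syn", dport=80),
    Packet(4.00, "192.168.1.20", "198.51.100.77", "tcp_syn", dport=443),
]

if __name__ == "__main__":
    for ts, src, dst, how, name in classify_connections(SAMPLE_CAPTURE):
        print(f"{ts:6.2f} {src} -> {dst:<16} resolved via {how:<5} {name}")
```

A 'none' result is a starting point for review, not a verdict: a capture that begins after the resolver cache was populated (exception 1) looks identical to a direct-IP or relay connection, so the analyst still has to check the timing of the capture against the host's cache and proxy settings before treating the connection as suspicious.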
Online Course: https://youtu.be/Vy3p3V0Q2A4
Analytical Example: https://www.hugediamond.net/shop
------------------------------------------------------------------------
Extended Information:
Español: En una sesión de navegación web normal, antes de la sesión de solicitud-respuesta HTTP / HTTPS, se generará un comportamiento de comunicación de consulta-respuesta de DNS.
French: Dans une session de navigation Web normale, avant la session de requête-réponse HTTP/HTTPS, un comportement de communication requête-réponse DNS sera généré.
German: In einer normalen Webbrowser-Sitzung wird vor der HTTP/HTTPS-Anfrage-Antwort-Sitzung ein DNS-Abfrage-Antwort-Kommunikationsverhalten generiert.
Chinese: 在正常的 Web 瀏覽會話中,HTTP/HTTPS 請求-響應會話之前,會先產生 DNS 查詢-回覆的通訊行為。
Japanese: 通常のWebブラウジングセッションでは、HTTP / HTTPS要求/応答セッションの前に、DNSクエリ-応答通信動作が生成されます。
Vietnamese: Trong một phiên duyệt Web bình thường, trước phiên phản hồi yêu cầu HTTP / HTTPS, một hành vi giao tiếp trả lời truy vấn DNS sẽ được tạo.
Thai(Siamese): ในเซสชันการท่องเว็บปกติ ก่อนเซสชันการตอบกลับคำขอ HTTP/HTTPS พฤติกรรมการสื่อสารการตอบกลับแบบสอบถาม DNS จะถูกสร้างขึ้น
Indonesian: Dalam sesi penjelajahan Web normal, sebelum sesi permintaan-tanggapan HTTP/HTTPS, perilaku komunikasi balasan-permintaan DNS akan dibuat.
Malay: Dalam sesi penjelajahan Web biasa, sebelum sesi permintaan-respons HTTP / HTTPS, tingkah laku komunikasi balas-pertanyaan DNS akan dihasilkan.
Myanmar: ပုံမှန် Web browsing session တစ်ခုတွင် HTTP/HTTPS request-response session မတိုင်မီ DNS query-reply ဆက်သွယ်ရေးအပြုအမူတစ်ခုထုတ်ပေးလိမ့်မည်။