Packetbeat DNS: Decode punycode in internationalized domain names

[andrewkroh]

Packetbeat's DNS module should detect internationalized domain names and automatically decode the punycode to unicode and send the data as a new field.

As a user I'd like to be able to read back what the original domain name was when it was accessed by the someone on my network. Punycode encoded domain names don't resemble their unicode form at all.

For example if you see an internationalized domain name query for xn--pple-9na.com it's not obvious that this is likely a phishing attack until you see that xn--pple-9na.com is âpple.com.

Resources:

• https://en.wikipedia.org/wiki/Punycode
• https://en.wikipedia.org/wiki/Internationalized_domain_name
• https://godoc.org/golang.org/x/net/idna#ToUnicode

[elasticmachine]

Pinging @elastic/secops

[andrewkroh]

The presense of the decoded punycode field could be used as a substitue for having a separate field like domain.is_internationalized.

And we shouldn’t limit this to only Packetbeat DNS, because it would also be useful with HTTP hosts or TLS SNI values.

[webmat]

Likely interesting for ECS as well, when we get around to this.

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.