Listening to Mobile Device DNS Calls


Motivation

I wanted to see who my phone contacts when it is sitting idle. Since there is no easier way to log that on my phone itself, I did the following.

TL;DR: Used my laptop as a Wi-Fi access point to capture traffic from my phone and logged all domains it is trying to reach while sitting idle.

Creating a mobile hotspot

I’m using a Windows 10 laptop, and it is pretty straightforward to create a mobile hotspot on your PC.

Official Documentation

In short, just search for a mobile hotspot, open the settings link and enable it.

Once that is done, connect your phone to that mobile hotspot. The mobile hotspot page will show the device IP as soon as it connects; note it down for later use.

Traffic Capture

Although Wireshark is the default network capture tool, I always use Windows Network Monitor while working with Windows. The capture format that Windows uses natively and the header inserted by that capture format come with some extra information and packet categorisation, such as the process.

Official Download Link

Once installed, run the utility as administrator, otherwise you won’t see the network interfaces. Select the wifi network and start the capture. This is the time to sit back and relax for a few minutes or maybe hours. Once you are satisfied that enough traffic has been captured from your device IP, stop the capture and save the file.

Visualise in Wireshark

I’m using Wireshark to visualise and export the packets for further inspection. Simply open the .cap file in Wireshark and apply the following filter to see all outgoing DNS query requests:

ip.src == 192.168.XXX.XXX && dns

Select any frame and, in the details section, select the Name field in the DNS query protocol section. Right-click and apply this field as a column. You should see another column, Name, with the domain name.

Using Wireshark you can export the displayed information as CSV. Go to File, select Export Packet Dissections and select CSV.

Collecting domains

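CSV is easier to work with, and now we can use any tool to extract the unique domains our phone was trying to reach.

import csv

domains = set()

# packets.csv is the Wireshark export that includes the added "Name" column
with open('packets.csv', newline='') as csvfile:
    reader = csv.DictReader(csvfile)
    for row in reader:
        name = row['Name'].strip().rstrip('.')
        if not name:
            continue  # skip rows without a query name
        # keep only the last two labels, e.g. api.example.com -> example.com
        domains.add('.'.join(name.split('.')[-2:]))

for d in sorted(domains):
    print(d)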

This list mostly points to legitimate network traffic which is essential for the background services, but if you are brave enough you can install some shady apps and have some fun.
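Keeping only the last two labels collapses every name under a multi-label suffix such as co.uk into the suffix itself, and it discards how often each domain was queried. The following is an added example, not code from the original post, that goes one step further: it groups the exported rows by registrable domain, counts queries and keeps the full hostnames. The suffix set, the sample rows, the IP addresses and the function names are constructed assumptions; a real run would load the full Public Suffix List and read packets.csv.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed subset of multi-label public suffixes (assumption); load the
# full Public Suffix List for real captures.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "co.jp", "com.cn"}

# Constructed rows in the shape of a Wireshark CSV export with the added
# "Name" column; all hostnames and addresses are made up.
SAMPLE_CSV = '''\
"No.","Time","Source","Destination","Protocol","Length","Info","Name"
"1","0.00","192.168.137.20","192.168.137.1","DNS","79","Standard query A","api.tracker.example"
"2","0.01","192.168.137.20","192.168.137.1","DNS","79","Standard query AAAA","API.tracker.example."
"3","4.20","192.168.137.20","192.168.137.1","DNS","79","Standard query A","cdn.tracker.example"
"4","9.75","192.168.137.20","192.168.137.1","DNS","85","Standard query A","app.vendor-example.co.uk"
"5","9.90","192.168.137.20","192.168.137.1","DNS","86","Standard query A","sync.vendor-example.co.uk"
"6","12.0","192.168.137.20","224.0.0.251","MDNS","82","Standard query PTR","_googlecast._tcp.local"
"7","15.3","192.168.137.20","192.168.137.1","DNS","60","Standard query NS <Root>",""
'''

def registrable_domain(name):
    """Return public suffix plus one label, or None for empty/single-label names."""
    labels = name.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        return None
    two = ".".join(labels[-2:])
    keep = 3 if two in MULTI_LABEL_SUFFIXES and len(labels) >= 3 else 2
    return ".".join(labels[-keep:])

def summarize(csv_text):
    """Map registrable domain -> (query count, sorted hostnames), busiest first."""
    counts, hosts = Counter(), defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Protocol") != "DNS":
            continue  # ignore local discovery rows such as MDNS
        name = (row.get("Name") or "").strip().rstrip(".").lower()
        domain = registrable_domain(name)
        if domain is None:
            continue  # root queries and rows without a name
        counts[domain] += 1
        hosts[domain].add(name)
    return {d: (n, sorted(hosts[d])) for d, n in counts.most_common()}

if __name__ == "__main__":
    for domain, (n, names) in summarize(SAMPLE_CSV).items():
        print(f"{n:4d}  {domain:24s} {', '.join(names)}")
```

Domains that are queried repeatedly while the phone is idle stand out at the top of the output, and the hostname list shows which subdomains were involved.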