ESET's Stealthy MAC OUI Lookup: A DNS TXT Deep Dive
The Domain Name System (DNS), often dubbed the internet's phonebook, is a fundamental protocol. While primarily known for translating human-readable domain names into IP addresses, its versatility extends far beyond simple hostname resolution. Occasionally, a deep dive into network traffic reveals ingenious and unconventional uses of DNS, even by major cybersecurity vendors.
An Intriguing Observation in DNS Traffic
Recently, during an inspection of DNS traffic, a peculiar pattern of repeated TXT queries was observed. These queries followed a distinct format, exemplified by entries like:
TXT 04-7c-16.a.o.e5.sk
Upon closer examination, it became evident that the label within these queries, specifically the 04-7c-16 segment, corresponded precisely to the first three bytes of a MAC address. This segment is famously known as the Organizationally Unique Identifier (OUI).
Understanding the OUI and its Role
For those unfamiliar, an OUI is a 24-bit number that uniquely identifies a vendor or manufacturer. The IEEE Registration Authority assigns these OUIs to organizations, which then use them as the initial part of MAC addresses for their networking hardware (e.g., network cards, routers, switches). By looking up an OUI, one can determine the manufacturer of a device based solely on its MAC address.
ESET's Clever Approach: OUI Lookup via DNS TXT
The real intrigue began with the TXT response returned for these queries. A typical response looked like this:
"ESET-OUI:Micro-Star INTL CO., LTD."
This observation strongly suggests that ESET, a prominent cybersecurity solutions provider, is leveraging DNS TXT records to perform OUI-to-vendor lookups. Instead of maintaining an extensive local database of OUIs on each endpoint or continually querying an external API directly, ESET appears to have devised a clever, distributed lookup mechanism using its own DNS infrastructure.
Why Use DNS TXT for OUI Lookups?
This unconventional approach offers several potential advantages:
- Decentralized Updates: Updating a central DNS zone with OUI data is far simpler and more efficient than pushing database updates to countless client machines. Changes or additions to OUI assignments can be propagated quickly and globally.
- Reduced Client Overhead: Clients don't need to carry large, frequently updated OUI databases. They simply query DNS as needed.
- Leveraging Existing Infrastructure: DNS is already a critical, always-on component of network infrastructure. Utilizing it for this purpose might reduce the need for dedicated OUI lookup services or APIs.
- Stealth and Evasion Potential: While not necessarily the primary intent here, using standard DNS protocols for auxiliary data lookups can sometimes be less conspicuous than direct API calls, which might be blocked by firewalls or proxies.
However, it also presents some considerations:
- DNS Dependency: If ESET's designated OUI lookup DNS servers become unreachable, the lookup functionality would cease.
- Privacy & Traffic Analysis: While benign in this context, any metadata transmitted over DNS can be observed. This particular use case reveals the OUIs of devices on a network, which could theoretically be correlated if an attacker were monitoring DNS traffic.
Implications for Network Monitoring and Security
For cybersecurity professionals and network administrators, this discovery serves as a fascinating reminder of DNS's adaptability. It highlights how vendors can creatively integrate core networking services into their security solutions. From a monitoring perspective, such traffic patterns can be indicators of specific software or agent activities on a network.
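As an added illustration of the query and response format described above and of how a monitoring team might pick the pattern out of DNS logs (example code written for this article, not ESET's own tooling), the following builds the query name from a MAC, parses the TXT answer, and scans a few constructed log lines. The zone suffix a.o.e5.sk and the ESET-OUI: answer prefix are taken from the observed traffic; the log layout and sample records are assumptions made up for the example.

```python
import re

# Zone suffix and TXT answer prefix exactly as seen in the observed queries.
OUI_ZONE = "a.o.e5.sk"
TXT_PREFIX = "ESET-OUI:"

# Three hyphen-separated hex octets followed by the zone (optional trailing dot).
QNAME_RE = re.compile(
    r"^([0-9a-f]{2}-[0-9a-f]{2}-[0-9a-f]{2})\." + re.escape(OUI_ZONE) + r"\.?$",
    re.IGNORECASE,
)

def oui_query_name(mac: str) -> str:
    """Build the TXT query name for a MAC or bare OUI ('04:7C:16:..', '047c16', ...)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) < 6:
        raise ValueError("need at least three octets")
    oui = hexdigits[:6].lower()
    return f"{oui[0:2]}-{oui[2:4]}-{oui[4:6]}.{OUI_ZONE}"

def parse_oui_query(qname: str):
    """Return the OUI as '04:7C:16' if qname matches the lookup pattern, else None."""
    m = QNAME_RE.match(qname)
    return m.group(1).upper().replace("-", ":") if m else None

def parse_txt_answer(txt: str):
    """Extract the vendor name from a TXT answer of the observed form, else None."""
    txt = txt.strip().strip('"')
    return txt[len(TXT_PREFIX):].strip() if txt.startswith(TXT_PREFIX) else None

# Constructed sample log (not real capture data) in an assumed
# "timestamp client qtype qname [answer]" layout.
SAMPLE_LOG = """\
1700000000.001 10.0.0.5 TXT 04-7c-16.a.o.e5.sk "ESET-OUI:Micro-Star INTL CO., LTD."
1700000000.010 10.0.0.5 A update.example.net 203.0.113.7
1700000000.020 10.0.0.9 TXT 04-7c-16.a.o.e5.sk "ESET-OUI:Micro-Star INTL CO., LTD."
1700000000.030 10.0.0.9 TXT zz-00-11.a.o.e5.sk NXDOMAIN
"""

def scan_dns_log(log: str):
    """Return (client, oui, vendor) for each TXT query matching the lookup pattern."""
    hits = []
    for line in log.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 4 or parts[2] != "TXT":
            continue
        oui = parse_oui_query(parts[3])
        if oui is None:
            continue  # not an OUI lookup (e.g. non-hex label)
        vendor = parse_txt_answer(parts[4]) if len(parts) == 5 else None
        hits.append((parts[1], oui, vendor))
    return hits

def summarize(hits):
    """Distinct OUIs per client: the device inventory these lookups expose on the wire."""
    per_client = {}
    for client, oui, _ in hits:
        per_client.setdefault(client, set()).add(oui)
    return per_client
```

Feeding real resolver or passive-DNS logs through scan_dns_log gives both a fingerprint of hosts running the agent and a view of the OUI metadata the lookups reveal, which is the privacy point raised above.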
This deep dive into ESET's OUI lookup mechanism underscores the importance of scrutinizing all forms of network traffic. Even seemingly mundane protocols like DNS can harbor sophisticated operations that contribute to a comprehensive security posture, or, if misunderstood, create blind spots.
It's a testament to the ongoing innovation in how network services are leveraged to solve complex problems, often in ways that are not immediately obvious without a closer look.