DNS Collector is a tool for handling DNS traffic data on UNIX-like systems. The application extracts raw DNS packets from TCP/IP traffic. Acquired DNS packets are passed to individual modules for further processing.
The application can be used everywhere it is necessary to process DNS traffic. Particular deployment depends on modules being used.
The application handles:
- archived TCP/IP traffic stored in libpcap readable format
- live traffic being directly captured on network interfaces
The application de-fragments packets and keeps track of TCP connections. It is able to capture traffic on multiple network devices. However, it does not allow combining traffic from network interfaces with archived traffic. Archived traffic may be compressed by gzip or xz.
Limitations: When processing archived traffic, the application cannot handle multiple archives at once.
Processed data can be filtered using a pcap-filter within the application.
Reconstructed raw DNS data are equipped with additional information (obtained from network and transport layers) and are passed to modules for further processing.
Processing in Modules
Loadable modules are used to process raw (wire-format) DNS data. Several modules can coexist within a single collector application. Modules can be loaded and unloaded without interrupting the main application. Modules can be configured with additional parameters, giving finer control over their function.
Modules can have their own library dependencies (e.g., libldns) in order to process raw DNS packets.
Modules can be written in C or C++. The distributed source code includes a module capable of executing Python scripts. These scripts can be used to process captured DNS traffic. Python scripts can be useful when developing new functionality: you get all the benefits of Python at the cost of some performance.
- DNS anomaly detection - Detection of hidden anomalies based on statistical analysis of selected traffic attributes.
- DNS data processing in Python - Simple Python scripts can be used to process DNS traffic. Useful for fast prototyping.
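As an added illustration of what a processing script has to do with the raw wire-format DNS data a module receives, here is a small parser for the DNS header, question and answer sections. This is example code written for this page, not DNS Collector code, and it assumes nothing about the collector's module API: it takes one DNS message as bytes, as would be passed in by the collector, and decodes it, bounding the depth of name-compression pointers so a malformed packet cannot loop the parser.

```python
# Added example, not DNS Collector code: parse one raw wire-format DNS message
# of the kind a module receives. Compression pointers (RFC 1035 section 4.1.4)
# are followed with a depth bound so a malformed packet cannot loop the parser.
import struct

def read_name(msg, off, depth=0):
    """Decode a possibly compressed name at `off`; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:                       # root label ends the name
            off += 1
            break
        if length & 0xC0 == 0xC0:             # 11xxxxxx: compression pointer
            if depth > 16 or off + 1 >= len(msg):
                raise ValueError("bad or looping compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr, depth + 1)[0])
            off += 2
            break                             # a pointer always ends the name
        if length & 0xC0:
            raise ValueError("unsupported label type")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels) or ".", off

def parse_dns(msg):
    """Return header fields, question (name, type) pairs and answer records."""
    if len(msg) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                              # skip QTYPE and QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((name, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "questions": questions, "answers": answers}

# Constructed sample: response for example.com A 93.184.216.34, answer name compressed
SAMPLE = bytes.fromhex("123481800001000100000000" "076578616d706c6503636f6d00"
                       "00010001" "c00c" "00010001" "00000e10" "0004" "5db8d822")
```

A real module would also carry the network and transport layer information the collector attaches to each packet; the parser above covers only the DNS payload.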
DNS Collector can be run as:
- daemon: Application is fully configurable via a configuration file. Configuration is altered by changing the content of the configuration file and sending SIGHUP.
- command-line application: A configuration file may be used. To a limited extent, the application can also be configured directly from the command line. This can be useful when running in batch mode.
The application can be configured via NETCONF protocol. However, this feature is in an experimental stage of development. The code for this feature is available in one of the feature git branches.
The application can be installed from source code.
Getting the Sources
Source code is available from a git repository:
git clone https://gitlab.labs.nic.cz/dns-collector.git
Code in master branch is the most stable one. Branch develop contains general enhancements and most recent bug fixes. Feature branches contain experimental functionality.
Compilation and Installation
First, the configuration script must be generated:
cd dns-collector
scripts/build/autogen.sh
./configure
make
make install
To generate a listing of supported functionality run:
For more information on how to write your own modules, details of the supplied modules' function, and usage examples, read through the project's wiki.