Dank DNS is a DNS PCAP processing tool that will efficiently stream compressed PCAPs to be loaded into a database.
The legacy implementation is located in cpp/. It contains the single threaded
processor that does all processing in memory via the tool.
The proof of concept implementation is written in JavaScript and is in js/. It
implements all of the optimizations in JavaScript and writes the DNS query data
to MongoDB.
The improved C implementation is in multiC/. This code multiprocesses the
loading of the DNS data into MongoDB. More details can be found in the
README.md file in its specific folder.
Sample query scripts can be found in query/. This directory contains scripts
to query MongoDB for queries per second (QPS), the top hosts, and top requests.
Additional documentation can be found in the README.md file of the
subdirectory.
The database will hold a collection of DNS queries. Specifically, each query will have the following schema:
node: the replica from which the query originates (e.g. cpmd)time: the timestamp of the queryreqIP: the IP address of the entity that made the requestresIP: this IP of the entity that provides the response (this should
always be 199.7.91.13)aa: the value of the AA bit in the DNS querytc: the value of the TC bit in the DNS queryrd: the value of the RD bit in the DNS queryra: the value of the RA bit in the DNS queryrc: the value of the RC bit in the DNS queryquestion: the question of the DNS query (this comprises three parts)
name: the domain name in the querytype: the query typeclass: the query classDNSSEC: whether the query uses DNSSECquestionCount: the question count for the queryanswerCount: the answer count for the queryauthorityCount: the authority count for the queryadditionalCount: the additional count for the queryFor additional details about database interactions, see any documentation in the respective subdirectories.