gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

Add to roadmap - AXFR & IXFR #16

Open elhoim opened 12 years ago

elhoim commented 12 years ago

Add AXFR & IXFR RR types

gamelinux commented 12 years ago

To do this, I will need pcap of the above mentioned traffic.

elhoim commented 12 years ago

http://pcapr.net/browse?q=AXFR
http://pcapr.net/browse?q=IXFR

On Sat, Feb 25, 2012 at 20:01, Edward Fjellskål reply@reply.github.com wrote:

> To do this, I will need pcap of the above mentioned traffic.



gamelinux commented 12 years ago

Thanks, now I just have to remember my pcapr login :)

gamelinux commented 12 years ago

./passivedns -X46CDNPRSOn -l - -r DNS-AXFR.pcap
...
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||3600
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||NS||snake.||3600
...

I can't see that there is something to do here. The Answer says it's AXFR, but that really doesn't contain any useful data, so I skip that. But it's the other data in the DNS payload that holds the interesting information, like in that AXFR pcap, it holds the SOA and NS, which we catch with the "O" and "n" flag.

Is there something more I should look into here, you think?

elhoim commented 12 years ago

Yeah, but what about a line mentioning that there is an AXFR/IXFR? It needs to have a different format than the other lines to make sense. Or put field(s) that have no meaning to a "NULL" value, i.e.:
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||AXFR||snake.||-

On Mon, Feb 27, 2012 at 14:36, Edward Fjellskål reply@reply.github.com wrote:

> ./passivedns -X46CDNPRSOn -l - -r DNS-AXFR.pcap
> ...
> 1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||3600
> 1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||NS||snake.||3600
> ...
>
> I can't see that there is something to do here. The Answer says it's AXFR, but that really doesn't contain any useful data, so I skip that. But it's the other data in the DNS payload that holds the interesting information, like in that AXFR pcap, it holds the SOA and NS, which we catch with the "O" and "n" flag.
>
> Is there something more I should look into here, you think?



gamelinux commented 12 years ago

Different format it needs, yes.
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||AXFR||snake.||-
Will not be the best in my eyes, as the info that snake.yourmom.com is a SOA record is not there.

So, we are looking at the answers from the servers, we could do something like:
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||0||AXFR

Where the last field could be additional information, that it was an answer to an AXFR.

But that said, on the roadmap, I would like to implement a way so that the user can control all the output. The default output would be set, but if the user needs or wants something extra, it should be easy to add features without breaking existing setups etc., like:
./passivedns -f "%ts||%cip||%sip||%rrc||%qu||%qt||%an||%ttl"

Which would be our current format.

Additional fields could be to output
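
For anyone consuming these logs, the sketch below is an added example (not passivedns code, and not from any commenter) of a parser that accepts the current eight-field line as well as both variants proposed in this thread, then groups zone-transfer answers by server, client and zone. The function names, the ninth `extra` field and the `-` TTL placeholder are assumptions taken from the proposals above, not implemented passivedns behaviour.

```python
# Added example, not passivedns code. Field names come from the format
# string in the thread; the ninth "extra" field is the thread's proposal.
from collections import defaultdict

FIELDS = ("ts", "cip", "sip", "rrc", "qu", "qt", "an", "ttl")
XFR = {"AXFR", "IXFR"}

def parse_line(line):
    """Parse one '||'-delimited record; return None for non-records."""
    parts = line.strip().split("||")
    if len(parts) not in (len(FIELDS), len(FIELDS) + 1):
        return None  # elision marker, blank or truncated line
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = float(rec["ts"])
        # "-" is the NULL placeholder suggested in the thread
        rec["ttl"] = None if rec["ttl"] == "-" else int(rec["ttl"])
    except ValueError:
        return None
    rec["extra"] = parts[8] if len(parts) == 9 else None
    return rec

def zone_transfers(lines):
    """Map (server, client, zone) -> RR types seen in transfer answers."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # Accept either proposal: a trailing tag, or AXFR/IXFR as the type.
        if rec and (rec["extra"] in XFR or rec["qt"] in XFR):
            seen[(rec["sip"], rec["cip"], rec["qu"])].add(rec["qt"])
    return dict(seen)

# Constructed sample: line 1 is the current format from the thread,
# lines 2-3 use the proposed trailing tag, line 4 the "-" variant.
SAMPLE = """\
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||3600
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||0||AXFR
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||NS||snake.||3600||AXFR
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||AXFR||snake.||-
...
"""

if __name__ == "__main__":
    for key, types in zone_transfers(SAMPLE.splitlines()).items():
        print(key, sorted(types))
```

The untagged first line is not counted as a transfer, which is the gap the extra field would close: without it, SOA and NS answers from a transfer look the same as ordinary answers.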