gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

add support for print Server IP TTL #94

Open betetrpm opened 7 years ago

betetrpm commented 7 years ago

Add -i option to log the IP TTL of the Authority DNS; this feature can help to find "DNS cache poisoning". Usage:

passivedns -i any -l ~/dns.log -L ~/dnserr.log -N -Y -f HMhcspCQTAtni -X 46CDNPRSOFITMnfsxoryetaz -D
2017-04-11 15:12:18.567505||CentOS||123.56.98.121||216.239.36.10||53||udp||IN||www.google.com.||A||93.46.8.89||3004||1
2017-04-11 15:12:18.616379||CentOS||123.56.98.121||216.239.36.10||40||udp||IN||www.google.com.||A||172.217.27.132||300||1
2017-04-11 15:13:05.737046||CentOS||123.56.98.121||204.13.250.34||169||udp||IN||www.twitter.com.||A||46.82.174.68||2985||1
2017-04-11 15:13:05.752187||CentOS||123.56.98.121||204.13.250.34||53||udp||IN||www.twitter.com.||A||93.46.8.89||3022||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||www.twitter.com.||CNAME||twitter.com.||600||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.193||1800||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.65||1800||1

There are three fake responses in this log; only the IP TTLs differ from the real ones.

2017-04-11 15:12:18.567505||CentOS||123.56.98.121||216.239.36.10||53||udp||IN||www.google.com.||A||93.46.8.89||3004||1
...
2017-04-11 15:13:05.737046||CentOS||123.56.98.121||204.13.250.34||169||udp||IN||www.twitter.com.||A||46.82.174.68||2985||1
2017-04-11 15:13:05.752187||CentOS||123.56.98.121||204.13.250.34||53||udp||IN||www.twitter.com.||A||93.46.8.89||3022||1
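An added example (not passivedns project code) of how a consumer of the proposed log format could use the new IP TTL column: it parses the seven records above, flags answers to the same query from the same server that arrive close together with different IP TTLs, and, given an assumed per-server expected TTL (the baseline dict is a constructed assumption, not something the log itself establishes), names the records that deviate.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: the seven lines from the pull request, logged with the
# proposed "i" field (IP TTL of the answering DNS server) as the 5th column.
SAMPLE_LOG = """\
2017-04-11 15:12:18.567505||CentOS||123.56.98.121||216.239.36.10||53||udp||IN||www.google.com.||A||93.46.8.89||3004||1
2017-04-11 15:12:18.616379||CentOS||123.56.98.121||216.239.36.10||40||udp||IN||www.google.com.||A||172.217.27.132||300||1
2017-04-11 15:13:05.737046||CentOS||123.56.98.121||204.13.250.34||169||udp||IN||www.twitter.com.||A||46.82.174.68||2985||1
2017-04-11 15:13:05.752187||CentOS||123.56.98.121||204.13.250.34||53||udp||IN||www.twitter.com.||A||93.46.8.89||3022||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||www.twitter.com.||CNAME||twitter.com.||600||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.193||1800||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.65||1800||1
"""

FIELDS = ("ts", "sensor", "client", "server", "ip_ttl", "proto", "class",
          "query", "type", "answer", "dns_ttl", "count")

def parse_line(line):
    """Split one '||'-separated passivedns record into a dict."""
    parts = line.split("||")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    rec["ip_ttl"] = int(rec["ip_ttl"])
    return rec

def find_ttl_conflicts(log_text, window_s=2.0, baseline=None):
    """Flag answers for one (client, server, query) that arrive within
    window_s seconds yet carry different IP TTLs: genuine replies from the
    same server should have crossed the same number of hops. A conflict
    shows that some reply came from elsewhere, not which one; records are
    singled out only against an assumed per-server IP TTL `baseline`."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            groups[(rec["client"], rec["server"], rec["query"])].append(rec)
    conflicts, deviating = [], []
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        ttls = {r["ip_ttl"] for r in recs}
        if len(ttls) > 1 and span <= window_s:
            conflicts.append((key, sorted(ttls)))
        if baseline and key[1] in baseline:
            deviating += [r for r in recs if r["ip_ttl"] != baseline[key[1]]]
    return conflicts, deviating
```

On the sample, both the www.google.com. and www.twitter.com. groups are reported as conflicts, and with a baseline of 40 for 216.239.36.10 and 36 for 204.13.250.34 exactly the three records the pull request calls fake are returned as deviating.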

gamelinux commented 7 years ago

Hi, and thanks for the pull request!

I'm still giving a lot of thought to this. I'm not sure if this is something that should go into the code, so I'm asking all reading this to please give your opinion :)

Thoughts: I can see that this is useful in your case, but passivedns was never meant to be an "IDS" for DNS traffic. Wild guess, but for 99.9999999999% of the traffic pdns inspects (with valid tuples) the TTL value will probably be the same. But implementing the pull request will add overhead to the structs of (packet_info,) pdns_asset and pdns_record, and also a tad of computation. In my case, this is not significant, but maybe people are running this on smaller devices or high-traffic devices where this might be a big change.

Most of the people I've spoken to run passivedns between clients and DNS proxies. Spoofing can still happen on the local network, but then you have far worse problems I would guess.

I appreciate any feedback from the community here :)