openargus / argus-clients-5.0

Argus data processing clients
https://openargus.org
GNU General Public License v3.0

Introduce DNS processing code #6

Open openargus opened 7 months ago

openargus commented 7 months ago

Argus-5.0 supports full packet capture for the monitored control plane, which means that DNS flows will have the complete DNS request and response content in the flow records. radump.1 can parse out these buffers, but to work with the contents, such as building a passive DNS capability, you need to really get into processing the complete contents of the DNS records.

Radns.1 can process historical DNS data, from either DNS queries or multicast DNS advertisements, and track the DNS servers, their clients, the queries and responses.

Radns.1 will also process all argus records that it sees, and verify that there is a DNS cache for the address that is being used. This feature allows you to 'know' what IP address references occur with a DNS lookup.

openargus commented 7 months ago

Initial code introduction and release ...

openargus commented 3 months ago

radns.1 is now a part of argus-client-5.0.0, which uses the control plane data capture buffers to extract DNS name requests and responses and to maintain a real-time cache of active DNS names in the flow data stream. The real-time daemon can be queried for active DNS names and resolution information; it can generate alerts for new servers and clients, and it can be configured to generate events when an IP address is used without being learned through DNS. Radns.1 is used to generate a passive DNS information system using some provided scripts that can insert and query a MySQL database.

Because local DNS is susceptible to exploitation, having DNS data generation at the endpoints is an important part of Zero Trust endpoint network awareness: what DNS names were used, who resolved the query, and what address was returned. Without the data, it is difficult to realize that a local DNS attack is being used by an attacker.
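The first and last comments describe the same detection idea: learn server, client, name and address from observed DNS answers, keep a cache of names that are still within their TTL, and raise an event when a flow goes to an address that was never resolved (or whose resolution has expired). The block below is an added illustration of that logic in Python; it is not radns.1 code and does not read Argus records. It assumes DNS answers have already been parsed into (client, server, qname, rdata, ttl) tuples, that the monitored site lives in 10.0.0.0/8 (a constructed prefix, so flows inside it are not expected to be preceded by a lookup), that "active" means the answer's TTL still covers the flow timestamp, and that the event names are its own. All sample answers and flows are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Constructed: prefixes whose addresses are reachable without a DNS lookup
# (local subnets, the resolver itself). Everything else must be "learned".
LOCAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass
class DnsAnswer:
    ts: float    # time the answer was seen
    client: str  # host that asked
    server: str  # DNS server that answered
    qname: str   # name that was queried
    rdata: str   # address returned in the A/AAAA record
    ttl: int     # seconds the answer is valid


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


@dataclass
class PassiveDnsCache:
    """Address -> {name: expiry} plus the servers and clients seen so far."""
    addr_to_names: Dict[str, Dict[str, float]] = field(default_factory=dict)
    servers: Set[str] = field(default_factory=set)
    clients: Set[str] = field(default_factory=set)
    events: List[Tuple[str, dict]] = field(default_factory=list)

    def learn(self, ans: DnsAnswer) -> None:
        """Record one answer; emit events for first-seen servers and clients."""
        if ans.server not in self.servers:
            self.servers.add(ans.server)
            self.events.append(("new_dns_server", {"ts": ans.ts, "server": ans.server}))
        if ans.client not in self.clients:
            self.clients.add(ans.client)
            self.events.append(("new_dns_client", {"ts": ans.ts, "client": ans.client}))
        names = self.addr_to_names.setdefault(ans.rdata, {})
        name = ans.qname.lower()
        # A repeated answer extends the expiry rather than shortening it.
        names[name] = max(names.get(name, 0.0), ans.ts + ans.ttl)

    def active_names(self, addr: str, ts: float) -> List[str]:
        """Names that resolved to addr and whose TTL still covers time ts."""
        return sorted(n for n, exp in self.addr_to_names.get(addr, {}).items() if exp >= ts)

    def check_flow(self, flow: Flow) -> str:
        """Classify a flow destination as dns, local, learned, expired or unlearned."""
        if flow.dport == 53:
            return "dns"  # the lookup itself, not something that needs a prior lookup
        if any(ip_address(flow.dst) in net for net in LOCAL_NETS):
            return "local"
        if self.active_names(flow.dst, flow.ts):
            return "learned"
        verdict = "expired" if flow.dst in self.addr_to_names else "unlearned"
        self.events.append((f"{verdict}_address",
                            {"ts": flow.ts, "src": flow.src, "dst": flow.dst, "dport": flow.dport}))
        return verdict


def process_stream(answers: List[DnsAnswer], flows: List[Flow], cache: PassiveDnsCache):
    """Replay answers and flows in time order; return (ts, dst, verdict) per flow."""
    results = []
    for item in sorted(answers + flows, key=lambda x: x.ts):
        if isinstance(item, DnsAnswer):
            cache.learn(item)
        else:
            results.append((item.ts, item.dst, cache.check_flow(item)))
    return results


def run_sample():
    """Constructed traffic: two answers from one resolver, five flows around them."""
    answers = [
        DnsAnswer(100.0, "10.0.0.5", "10.0.0.2", "www.example.com", "198.51.100.10", 300),
        DnsAnswer(105.0, "10.0.0.7", "10.0.0.2", "cdn.example.net", "198.51.100.20", 60),
    ]
    flows = [
        Flow(99.0, "10.0.0.5", "10.0.0.2", 53),          # the query itself
        Flow(101.0, "10.0.0.5", "198.51.100.10", 443),   # resolved one second earlier
        Flow(102.0, "10.0.0.5", "203.0.113.7", 443),     # never resolved: event
        Flow(103.0, "10.0.0.5", "10.0.0.9", 445),        # inside LOCAL_NETS
        Flow(500.0, "10.0.0.7", "198.51.100.20", 443),   # TTL ran out at 165: event
    ]
    cache = PassiveDnsCache()
    return process_stream(answers, flows, cache), cache


if __name__ == "__main__":
    verdicts, cache = run_sample()
    for ts, dst, verdict in verdicts:
        print(f"{ts:6.1f} {dst:15} {verdict}")
    for kind, detail in cache.events:
        print(kind, detail)
```

The "expired" verdict is kept separate from "unlearned" because the two have different follow-ups: an expired address usually means the cache's TTL handling or the capture point missed a refresh, while an address that was never resolved at all is the case the last comment is about.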