openargus / argus-clients-5.0

Argus data processing clients
https://openargus.org
GNU General Public License v3.0

Passive DNS Testing #7

Open openargus opened 5 months ago

openargus commented 5 months ago

Code does a lot, needs some testing

openargus commented 5 months ago

There are 2 modes of operation for radns.1:

  1. Process historical DNS data to make DNS resolution information available for forensic analysis
  2. Process real-time streams to identify anomalous DNS behavior

We'll need to test that these 2 modes actually do some of the things they want to do ...

In historical forensics analysis, especially hunting, you will be analyzing a lot of historical IP address data, but to provide the correct context, you need the historical DNS resolution data for the time period of the investigation. So many systems will attempt to do reverse lookups NOW, for IP addresses THEN, and that really isn't helpful.

For these features, running Argus-5.0 in end systems, such as mobile laptops, tablets, vehicles, etc ... generates the DNS data needed for a complete awareness of DNS integrity. You don't have to process the data on the endpoint to get value ... you can collect the data much later, and build the

openargus commented 4 months ago

radns.1 and Scripts

DNS parsing from argus-5.0 control plane capture is working and headed to the main branch. This capability allows you to work with DNS transactions as binary argus records, as well as JSON records. There are a few scripts that will aggregate DNS transactions, with the intention of building a persistent audit of DNS activity, thus the private passive DNS title. Also, there are Perl scripts to push JSON data into MySQL databases, which can be used to look up names, TLDs, NLDs, by address or by name ... These are Perl scripts that can easily be converted to Python, in order to feed some AI/ML work to analyze DNS behavior.
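The two points above, that a forensic lookup needs the name an address resolved to THEN rather than a reverse lookup NOW, and that aggregated DNS transactions should be queryable by address or by name, can be shown with a small aggregation sketch in Python. This is an added example, not code from argus-clients or the radns scripts; the JSON field names (`stime`, `ltime`, `qname`, `answers`) and the sample records are constructed for this example and are not the field names of Argus's own JSON DNS output.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample DNS transaction records, one JSON object per line.
# Field names are assumptions for this example, not Argus's actual JSON schema.
SAMPLE_RECORDS = """\
{"stime": "2024-03-01T08:00:00Z", "ltime": "2024-03-01T08:00:00Z", "qname": "app.example.com", "answers": ["192.0.2.10"]}
{"stime": "2024-03-01T09:30:00Z", "ltime": "2024-03-01T09:30:00Z", "qname": "app.example.com", "answers": ["192.0.2.10"]}
{"stime": "2024-03-02T10:00:00Z", "ltime": "2024-03-02T10:00:00Z", "qname": "cdn.example.net", "answers": ["192.0.2.10", "198.51.100.7"]}
{"stime": "2024-03-03T12:00:00Z", "ltime": "2024-03-03T12:00:00Z", "qname": "app.example.com", "answers": ["203.0.113.5"]}
"""

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_pdns_index(lines):
    """Aggregate transactions into addr -> name -> {first, last, count}.
    This is the persistent-audit shape a passive DNS store needs: keyed by
    address, with the observation window kept so lookups can be time-scoped."""
    index = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        first, last = parse_time(rec["stime"]), parse_time(rec["ltime"])
        for addr in rec["answers"]:
            entry = index[addr].setdefault(rec["qname"], {"first": first, "last": last, "count": 0})
            entry["first"] = min(entry["first"], first)
            entry["last"] = max(entry["last"], last)
            entry["count"] += 1
    return index

def resolve_at(index, addr, at, tolerance=timedelta(hours=1)):
    """Names seen resolving to addr around time `at` (THEN), i.e. the historical
    context for an IP in an investigation, instead of a reverse lookup NOW."""
    return sorted(name for name, e in index.get(addr, {}).items()
                  if e["first"] - tolerance <= at <= e["last"] + tolerance)

def addresses_for_name(index, name):
    """Lookup in the other direction: every address a name was ever seen to resolve to."""
    return sorted(addr for addr, names in index.items() if name in names)

if __name__ == "__main__":
    idx = build_pdns_index(SAMPLE_RECORDS.splitlines())
    print(resolve_at(idx, "192.0.2.10", parse_time("2024-03-01T09:00:00Z")))
    print(addresses_for_name(idx, "app.example.com"))
```

Note that the same address 192.0.2.10 yields a different name depending on the time asked about, which is exactly the context a reverse lookup performed today would lose.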