add support for print Server IP TTL #94

Open: wants to merge 1 commit into master
Conversation

betetrpm

Add an -i option to log the IP TTL of the authoritative DNS server; this feature can help to find DNS cache poisoning.
Usage:

passivedns -i any -l ~/dns.log -L ~/dnserr.log -N -Y -f HMhcspCQTAtni -X 46CDNPRSOFITMnfsxoryetaz -D
2017-04-11 15:12:18.567505||CentOS||123.56.98.121||216.239.36.10||53||udp||IN||www.google.com.||A||93.46.8.89||3004||1
2017-04-11 15:12:18.616379||CentOS||123.56.98.121||216.239.36.10||40||udp||IN||www.google.com.||A||172.217.27.132||300||1
2017-04-11 15:13:05.737046||CentOS||123.56.98.121||204.13.250.34||169||udp||IN||www.twitter.com.||A||46.82.174.68||2985||1
2017-04-11 15:13:05.752187||CentOS||123.56.98.121||204.13.250.34||53||udp||IN||www.twitter.com.||A||93.46.8.89||3022||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||www.twitter.com.||CNAME||twitter.com.||600||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.193||1800||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.65||1800||1

There are three fake responses in this log; only the IP TTLs are different from the real ones.

2017-04-11 15:12:18.567505||CentOS||123.56.98.121||216.239.36.10||53||udp||IN||www.google.com.||A||93.46.8.89||3004||1
...
2017-04-11 15:13:05.737046||CentOS||123.56.98.121||204.13.250.34||169||udp||IN||www.twitter.com.||A||46.82.174.68||2985||1
2017-04-11 15:13:05.752187||CentOS||123.56.98.121||204.13.250.34||53||udp||IN||www.twitter.com.||A||93.46.8.89||3022||1
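The hunting logic the PR's sample output suggests, written out as an added example that is not part of the pull request or of passivedns itself. It parses the sample lines above (column layout assumed from them: timestamp, sensor, client IP, server IP, IP TTL, protocol, class, query, type, answer, record TTL, count), groups responses by query tuple, and flags a tuple as suspicious when the same question received answers carrying different IP TTLs. Where the same server also answered other tuples with one consistent IP TTL, that value is taken as the server's baseline and the deviating records are the suspects; where no baseline exists, the example assumes the spoofed answer raced in first and flags all but the last response. The baseline and race-order rules are heuristics of this example, not something the PR claims.

```python
"""Flag likely DNS cache poisoning in passivedns output using the IP TTL column.

Example code added to illustrate the PR discussion; not part of passivedns.
Column order is assumed from the sample lines in the PR description.
"""
from collections import Counter, defaultdict

# Sample lines copied from the PR description (seven responses, three of
# which the PR author identifies as forged).
SAMPLE_LOG = """\
2017-04-11 15:12:18.567505||CentOS||123.56.98.121||216.239.36.10||53||udp||IN||www.google.com.||A||93.46.8.89||3004||1
2017-04-11 15:12:18.616379||CentOS||123.56.98.121||216.239.36.10||40||udp||IN||www.google.com.||A||172.217.27.132||300||1
2017-04-11 15:13:05.737046||CentOS||123.56.98.121||204.13.250.34||169||udp||IN||www.twitter.com.||A||46.82.174.68||2985||1
2017-04-11 15:13:05.752187||CentOS||123.56.98.121||204.13.250.34||53||udp||IN||www.twitter.com.||A||93.46.8.89||3022||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||www.twitter.com.||CNAME||twitter.com.||600||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.193||1800||1
2017-04-11 15:13:06.005611||CentOS||123.56.98.121||204.13.250.34||36||udp||IN||twitter.com.||A||104.244.42.65||1800||1
"""

FIELDS = ("ts", "sensor", "client", "server", "ip_ttl", "proto",
          "klass", "qname", "qtype", "answer", "ttl", "count")


def parse_line(line):
    """Split one '||'-delimited passivedns line into a dict (assumed layout)."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("ip_ttl", "ttl", "count"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse all non-empty lines, ordered by timestamp (ISO-style strings sort)."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["ts"])


def group_by_tuple(records):
    """Group responses by the question they answer: (client, server, qname, qtype)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["server"], r["qname"], r["qtype"])].append(r)
    return groups


def server_ttl_baseline(records):
    """Per server, the IP TTL seen in tuples whose answers all agree on one TTL.

    Heuristic of this example: a consistent tuple is treated as unpoisoned, so
    its IP TTL reflects the genuine path from that server to the sensor.
    """
    votes = defaultdict(Counter)
    for (_, server, _, _), recs in group_by_tuple(records).items():
        ttls = {r["ip_ttl"] for r in recs}
        if len(ttls) == 1:
            votes[server][ttls.pop()] += len(recs)
    return {srv: c.most_common(1)[0][0] for srv, c in votes.items()}


def find_conflicts(records):
    """Tuples that received answers with more than one distinct IP TTL."""
    return {key: recs for key, recs in group_by_tuple(records).items()
            if len({r["ip_ttl"] for r in recs}) > 1}


def flag_suspects(records):
    """Return the records judged to be forged answers.

    With a baseline for the server, anything not matching it is suspect.
    Without one, assume the injected answer arrived before the genuine one
    (an assumption of this example) and flag all but the last response.
    """
    baseline = server_ttl_baseline(records)
    suspects = []
    for (_, server, _, _), recs in find_conflicts(records).items():
        if server in baseline:
            suspects.extend(r for r in recs if r["ip_ttl"] != baseline[server])
        else:
            suspects.extend(recs[:-1])
    return sorted(suspects, key=lambda r: r["ts"])


if __name__ == "__main__":
    for r in flag_suspects(parse_log(SAMPLE_LOG)):
        print(f"SUSPECT {r['ts']} {r['server']} ip_ttl={r['ip_ttl']} "
              f"{r['qname']} {r['qtype']} -> {r['answer']}")
```

On the sample the baseline rule finds 36 for 204.13.250.34 and flags the two www.twitter.com. answers with IP TTLs 169 and 53; 216.239.36.10 has no clean tuple, so the race-order fallback flags the first www.google.com. answer (IP TTL 53). A practitioner should treat both rules as signals rather than proof: the IP TTL of a genuine server changes with routing and anycast, so a single deviating value is worth a look, while the stronger indicator is two conflicting answers to the same question arriving close together.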

@gamelinux
Owner

Hi, and thanks for the pull request!

I'm still giving a lot of thought to this. I'm not sure if this is something that should go into the code, so I'm asking all reading this to please give your opinion :)

Thoughts:
I can see that this is useful in your case, but passivedns was never meant to be an "IDS" for DNS traffic. Wild guess, but for 99.9999999999% of the traffic pdns inspects (with valid tuples) the TTL value will probably be the same. But implementing the pull request will add overhead to the structs of (packet_info,) pdns_asset and pdns_record, and also a tad of computation. In my case, this is not significant, but maybe people are running this on smaller devices or high-traffic devices where these might be big changes.

Most of the people I've spoken to run passivedns between clients and DNS proxies. Spoofing can still happen on the local network, but then you have far worse problems I would guess.

I appreciate any feedback from the community here :)
