Passive DNS and PassiveDNS/PRADS
Apr 29

For those of you not familiar with the concept of Passive DNS, there is lots of material on it on the intertubes…

Just some of the links:
Some use cases: http://conferences.npl.co.uk/satin/presentations/satin2011slides-Rasmussen.pdf
A public passive dns db: http://www.bfk.de/bfk_dnslogger.html?query=sans.org#result
Or just click here: http://lmgtfy.com/?q=passivedns

I have not found any good tools yet that let you build your own passive DNS DB, so I have started to walk down that path…
First off, I have coded a DNS sniffer (passivedns), and I have ported the same functionality over into PRADS. All code is in beta at the moment.

I am announcing this release so that, if anyone is interested, I can take input on the output format :)
My first tests show that the passive DNS data collected on even a small network is too much… My plan is to implement an in-memory “state” so that it does not print the same record more than X times over a time interval (say, if a record stays the same, print it just once a day, but if it changes, print it immediately). When that is done, I'll write a parser to feed it into a DB and a query tool to fetch passive DNS records on request.

Feedback is always welcome!

4 Responses to “Passive DNS and PassiveDNS/PRADS”

  1. Bryan N
    May 2nd, 2011 at 08:42 | #1

    Potentially very handy tool. Are there any plans to have an option to print all DNS queries (like httpry, but for DNS),

    i.e. replacing the “hostname” placeholder with the actual ip of the device making the DNS query?

    timestamp||query_src_ip||dns_server_ip||

  2. May 2nd, 2011 at 08:56 | #2

    One of my goals with the post was to get some feedback on what information people think should be in the output format. ATM, getting the query_src_ip is not trivial, but getting the dst_ip is (the IP the server sends the DNS reply to). In most common cases, the dst_ip should be the same as query_src_ip. But all this is spoofable, so one needs to build in (at least) some basic UDP session tracking (a client needs to ask for a record before the server sends the answer to it). Great input Bryan. Thanks.
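    Taken together, the in-memory “state” planned in the post (print a record once per interval unless its answer data changes) and the basic UDP session tracking described in reply #2 (only record an answer that a client actually asked that server for) can be modelled in a small amount of code. The block below is an added example written for this page in Python; it is not code from passivedns or PRADS. It works on already-decoded packets rather than on pcap, and the output field layout beyond `timestamp||query_src_ip||dns_server_ip||`, the five-second query timeout and the sample traffic are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsEvent:
    """One already-decoded DNS packet. Constructed input for this example;
    a real sniffer would fill these fields from the captured UDP payload."""
    ts: float                      # capture time, seconds since epoch
    src_ip: str                    # packet source
    dst_ip: str                    # packet destination
    txid: int                      # DNS transaction id
    qname: str
    qtype: str
    is_response: bool
    answers: Tuple[str, ...] = ()  # rdata of each answer RR (responses only)


class PassiveDnsState:
    """In-memory state for a passive DNS sniffer: matches answers to the query
    that asked for them, then emits each (qname, qtype, rdata) record at most
    once per suppress_interval unless the answer data changes."""

    def __init__(self, suppress_interval: float = 86400.0, query_timeout: float = 5.0):
        self.suppress_interval = suppress_interval   # "once a day" from the post
        self.query_timeout = query_timeout           # assumed: how long a query stays open
        # open queries: (client, server, txid, qname, qtype) -> time of the query
        self.pending: Dict[Tuple[str, str, int, str, str], float] = {}
        # records already emitted: (qname, qtype, rdata) -> (last emit time, hits since)
        self.emitted: Dict[Tuple[str, str, str], Tuple[float, int]] = {}
        self.unsolicited = 0        # answers with no matching open query

    def _expire(self, now: float) -> None:
        # Drop queries that were never answered, so the table stays bounded.
        stale = [k for k, t in self.pending.items() if now - t > self.query_timeout]
        for k in stale:
            del self.pending[k]

    def handle(self, ev: DnsEvent) -> List[str]:
        """Feed one packet; return the output lines to print (usually none)."""
        self._expire(ev.ts)
        if not ev.is_response:
            self.pending[(ev.src_ip, ev.dst_ip, ev.txid, ev.qname, ev.qtype)] = ev.ts
            return []
        # An answer is accepted only if this client asked this server for this
        # name/type with this transaction id within query_timeout: basic UDP
        # session tracking, so stray or spoofed replies are not recorded.
        key = (ev.dst_ip, ev.src_ip, ev.txid, ev.qname, ev.qtype)
        if key not in self.pending:
            self.unsolicited += 1
            return []
        del self.pending[key]
        client, server = ev.dst_ip, ev.src_ip   # the query's source is the reply's destination
        lines = []
        for rdata in ev.answers:
            rk = (ev.qname, ev.qtype, rdata)
            last, hits = self.emitted.get(rk, (None, 0))
            if last is not None and ev.ts - last < self.suppress_interval:
                self.emitted[rk] = (last, hits + 1)   # same record, seen recently: suppress
                continue
            self.emitted[rk] = (ev.ts, 0)             # new or changed record: print now
            # Field layout beyond the first three fields is assumed for this example.
            lines.append(f"{ev.ts:.6f}||{client}||{server}||{ev.qname}||{ev.qtype}||{rdata}||{hits + 1}")
        return lines


def process(events: List[DnsEvent], state: PassiveDnsState) -> List[str]:
    out: List[str] = []
    for ev in events:
        out.extend(state.handle(ev))
    return out


# Constructed traffic: client 10.0.0.5, resolver 10.0.0.53, documentation address ranges.
C, R = "10.0.0.5", "10.0.0.53"
SAMPLE_EVENTS = [
    DnsEvent(100.00, C, R, 0x1234, "www.example.com", "A", False),
    DnsEvent(100.05, R, C, 0x1234, "www.example.com", "A", True, ("192.0.2.10",)),
    DnsEvent(200.00, R, C, 0x9999, "bad.example", "A", True, ("203.0.113.7",)),        # never asked
    DnsEvent(300.00, C, R, 0x2222, "www.example.com", "A", False),
    DnsEvent(300.05, R, C, 0x2222, "www.example.com", "A", True, ("192.0.2.10",)),     # repeat, suppressed
    DnsEvent(400.00, C, R, 0x3333, "www.example.com", "A", False),
    DnsEvent(400.05, R, C, 0x3333, "www.example.com", "A", True, ("192.0.2.11",)),     # changed, printed
    DnsEvent(500.00, C, R, 0x4444, "mail.example.com", "MX", False),
    DnsEvent(510.00, R, C, 0x4444, "mail.example.com", "MX", True, ("mx.example.com",)),  # answer too late
    DnsEvent(90000.00, C, R, 0x5555, "www.example.com", "A", False),
    DnsEvent(90000.05, R, C, 0x5555, "www.example.com", "A", True, ("192.0.2.10",)),   # more than a day later
]

if __name__ == "__main__":
    st = PassiveDnsState()
    for line in process(SAMPLE_EVENTS, st):
        print(line)
    print(f"# unsolicited answers dropped: {st.unsolicited}")
```

    The hit count in the last field records how many times the same record was observed and suppressed since it was last printed, which keeps that information for the DB without emitting a line per packet. The matching is deliberately minimal: it tracks UDP only, consumes the open query on the first reply, and does not handle retransmitted queries or DNS over TCP, all of which a production sniffer would need to add.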

  3. potato
    August 10th, 2011 at 23:35 | #3

    Bro can do some pretty good DNS parsing and spit it out to a log file. I’ve got a few policy files I can throw you if you want!

  4. August 27th, 2011 at 07:33 | #4

    potato: If you could make them public, that would be great. Maybe post them on the Bro email list (I'm also there). But yes, I would be interested in such :) The thing with a small app that just does passivedns is that you don't have to install “too much” for a simple thing. I know some CERTs that would love this tool, but cannot implement Bro, as Bro has functions that the CERT would have problems explaining to legal people etc.
    E
