Jan 17

PassiveDNS 0.2.9

I added some features and changes to PassiveDNS. The most important change is that the output now contains the TTL value. If you use the scripts in tools/*, you need to use the current versions, as they have been changed to work with the new output format (or update your own tools accordingly).

I also added the ability to specify from the command line which DNS record types you want to log, and I added support for more record types. PassiveDNS should now be able to track: A, AAAA, CNAME, DNAME, NAPTR, SOA, PTR, RP, SRV, TXT, MX and NS.

Support for chroot and for dropping privileges has also been added.

I also added some features to tools/pdns2db.pl while I was at it:
1) You can now process a passivedns.log file in “batch” mode, exiting when finished.
2) You can now specify a file with a list of domains or IPs to skip inserting into the DB.
3) You can now specify a file with a list of PCREs (Perl Compatible Regular Expressions) for “domains/IPs” to skip inserting into the DB.
4) You can now specify a file with a list of domains or IPs to alert on!
5) You can now specify a file with a list of PCREs for “domains/IPs” to alert on!
6) You can now specify a file with a list of domains to whitelist and not alert on.
7) You can now specify a file with a list of PCREs for “domains/IPs” to whitelist and not alert on.

The skiplists are checked first: if the domain/IP is found there or matches one of the skip PCREs, the record is not inserted into the DB and neither the whitelist nor the blacklist is consulted.

Next the whitelists are checked: if the domain/IP is found there or matches a whitelist PCRE you have defined, it is not checked against the blacklist.

Last, the blacklists are checked: if the domain/IP is found there or matches a blacklist PCRE you have defined, the PassiveDNS record is written to the alert file you specify (default: /var/log/passivedns-alert.log).

There are various sources for lists of known-bad domains. Here is one if you want to test the blacklist functionality: http://isc.sans.edu/feeds/suspiciousdomains_High.txt
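As an added example (not pdns2db.pl or any other PassiveDNS project code), the following Python script parses log lines in the TTL-bearing output format and applies the skip, then whitelist, then blacklist precedence described above, matching both the query name and the answer against the lists. The `||`-separated field order, the sample log lines and the list contents are constructed assumptions for illustration only, and the choice to still insert a blacklisted record into the DB (rather than only alerting) is an assumption the post does not state.

```python
import re

# Constructed sample of passivedns.log lines (not real captures). The field
# layout assumed here is: timestamp||client||server||class||query||type||answer||ttl
SAMPLE_LOG = """\
1326800000.123456||10.0.0.5||192.0.2.53||IN||www.example.com.||A||192.0.2.10||3600
1326800001.234567||10.0.0.5||192.0.2.53||IN||cdn.example.net.||CNAME||edge.example.net.||300
1326800002.345678||10.0.0.7||192.0.2.53||IN||malware.test.||A||198.51.100.9||60
1326800003.456789||10.0.0.7||192.0.2.53||IN||updates.vendor.test.||A||203.0.113.4||120
1326800004.567890||10.0.0.9||192.0.2.53||IN||9.0.0.10.in-addr.arpa.||PTR||host9.example.com.||900
1326800005.678901||10.0.0.9||192.0.2.53||IN||login.vendor.test.||A||203.0.113.9||120
"""

FIELDS = ("ts", "client", "server", "cls", "query", "type", "answer", "ttl")


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines
    (for example output from an older build that lacks the TTL field)."""
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ttl"] = int(rec["ttl"])
    except ValueError:
        return None
    return rec


def _norm(value):
    """Lower-case and strip the trailing dot so list entries match log names."""
    return value.rstrip(".").lower()


class ListFilter:
    """Skip, whitelist and blacklist checks in the precedence the post describes."""

    def __init__(self, skip=(), skip_pcre=(), white=(), white_pcre=(),
                 black=(), black_pcre=()):
        self.skip = ({_norm(x) for x in skip}, [re.compile(p, re.I) for p in skip_pcre])
        self.white = ({_norm(x) for x in white}, [re.compile(p, re.I) for p in white_pcre])
        self.black = ({_norm(x) for x in black}, [re.compile(p, re.I) for p in black_pcre])

    @staticmethod
    def _matches(lists, values):
        exact, regexes = lists
        return any(v in exact or any(rx.search(v) for rx in regexes) for v in values)

    def decide(self, rec):
        """Return (insert_to_db, alert). Both the query name and the answer are
        tested, since the lists hold "domains/IPs"."""
        values = [_norm(rec["query"]), _norm(rec["answer"])]
        if self._matches(self.skip, values):
            return (False, False)   # skiplist: no DB insert, no further checks
        if self._matches(self.white, values):
            return (True, False)    # whitelist: insert, never checked against blacklist
        if self._matches(self.black, values):
            return (True, True)     # blacklist: alert (assumed: record is still inserted)
        return (True, False)


def process(log_text, filt):
    """Batch-process log text; returns {query: (insert, alert)} for valid lines."""
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # malformed or old-format line: skip silently
        results[_norm(rec["query"])] = filt.decide(rec)
    return results


def demo():
    """Run the constructed sample through an illustrative set of lists."""
    filt = ListFilter(
        skip_pcre=[r"\.in-addr\.arpa$"],        # drop reverse lookups entirely
        white=["updates.vendor.test"],          # known-good host under a suspect domain
        black=["malware.test", "198.51.100.9"],
        black_pcre=[r"(^|\.)vendor\.test$"],    # everything else under vendor.test alerts
    )
    return process(SAMPLE_LOG, filt)


if __name__ == "__main__":
    for name, (insert, alert) in demo().items():
        print(f"{name:28} insert={insert!s:5} alert={alert}")
```

The point to notice is the whitelist case: updates.vendor.test matches the blacklist PCRE, but because the whitelist is consulted first it is inserted without an alert, while login.vendor.test falls through to the blacklist and alerts. Lines in the old format without the TTL field are rejected by the parser rather than silently mis-assigning fields.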

I'm pretty far along with the planned features at this stage. Please try out PassiveDNS and beat the crap out of it :) I will probably bump the version to 0.5.0 soon, and from there on it is just testing, testing and more testing before it becomes a “one dot O” release.

If you have any issues with PassiveDNS, please submit them here.

5 Responses to “PassiveDNS 0.2.9”

  1. Jens-Harald Johansen
    January 19th, 2012 at 13:28 | #1

    Good job :)

  2. Karl Martin Sola
    January 20th, 2012 at 09:48 | #2

    I’m impressed. Thanks!

  3. Jens-Harald Johansen
    January 25th, 2012 at 15:07 | #3

    Running in chroot mode now and adding data to database every 5 minutes.
    Looking good…

  4. Jens-Harald Johansen
    January 25th, 2012 at 15:12 | #4

    In case anyone needs to compile it on Ubuntu 8.04:
    I had to download the latest openssl and ldns and compile them before I got your code to compile.
    Just remember to use the --with-ssl parameter when compiling ldns and point it to the latest openssl path.

  5. Karl Martin Sola
    February 8th, 2012 at 10:05 | #5

    @Jens-Harald Johansen
    That sounds like a good idea. How have you implemented that 5 minute database add, Jens-Harald?
