Jan 01

PassiveDNS version 1.0

I'm happy to announce that PassiveDNS has reached version 1.0 (stable)!

For those of you who have played with earlier versions, the biggest change in the last tags is the log output format:

Old:
1341819126||1.2.3.4||8.8.8.8||IN||www.google.com.||A||173.194.32.7||300

New:
1341819126.845527||1.2.3.4||8.8.8.8||IN||www.google.com.||A||173.194.32.7||300||17

I added microseconds to the Unix timestamps, and also added a count field (the last field). When caching is enabled, the count field is the number of times PassiveDNS has seen the same query/answer pair since it last printed it. If you run PassiveDNS with -P 0 (no caching), it should always be 1.

Running PassiveDNS with default options, the output for a domain will look something like this:

1341500304.265705||1.2.3.4||8.8.8.8||IN||www.facebook.com.||A||69.171.247.21||45||1

1341779965.656576||1.2.3.4||8.8.8.8||IN||www.facebook.com.||A||69.171.247.21||107||11

This means that while PassiveDNS was running, a query for www.facebook.com. returned 69.171.247.21 12 times in total: once when the first line was printed, and 11 more times in the interval before the second line was printed. That interval is the configured "print time" (-P: seconds between printing duplicate DNS info, default 86400).

So if you have any custom tools for parsing the output, you will probably need to update them before you upgrade to v1.0. pdns2db.pl, which you will find in the tools/ dir, has been patched to handle the change.
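As an added example (written for this post, not the project's own code and not what tools/pdns2db.pl does internally), here is a small Python parser that accepts both the pre-1.0 and the 1.0 line formats and folds them into one entry per (query, type, answer) with first seen, last seen and the summed count, which is how a passive DNS database normally keeps them. The sample lines are constructed from the examples above plus one old-format line; the choice to treat an old-format line as a single observation is an assumption, since that format never recorded a count.

```python
"""Parse and aggregate PassiveDNS log lines.

Handles both the pre-1.0 format (8 fields, integer timestamp, no count)
and the 1.0 format (9 fields, microsecond timestamp, trailing count).
Illustration written for this post; not the project's tools/pdns2db.pl.
"""
from collections import namedtuple
from datetime import datetime, timezone

Record = namedtuple(
    "Record", "ts client server cls query rrtype answer ttl count")

# Constructed sample: the post's own example lines plus one pre-1.0 line.
SAMPLE_LOG = """\
1341819126||1.2.3.4||8.8.8.8||IN||www.google.com.||A||173.194.32.7||300
1341500304.265705||1.2.3.4||8.8.8.8||IN||www.facebook.com.||A||69.171.247.21||45||1
1341779965.656576||1.2.3.4||8.8.8.8||IN||www.facebook.com.||A||69.171.247.21||107||11
1341819126.845527||1.2.3.4||8.8.8.8||IN||www.google.com.||A||173.194.32.7||300||17
"""


def parse_line(line):
    """Split one '||'-delimited line into a Record.

    A pre-1.0 line (8 fields) is treated as a single observation (count=1);
    that is an assumption, since the old format did not record a count.
    Any other field count is rejected rather than guessed at, because the
    query and answer fields carry names chosen by whoever controls the zone.
    """
    fields = line.rstrip("\n").split("||")
    if len(fields) == 8:
        count = 1
    elif len(fields) == 9:
        count = int(fields[8])
    else:
        raise ValueError("unexpected field count %d: %r" % (len(fields), line))
    ts, client, server, cls, query, rrtype, answer, ttl = fields[:8]
    return Record(float(ts), client, server, cls, query, rrtype, answer,
                  int(ttl), count)


def aggregate(lines):
    """Fold lines into one entry per (query, rrtype, answer) with first/last
    seen timestamps and the summed count, i.e. the total number of times
    that answer was observed across all cache windows."""
    db = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        r = parse_line(line)
        key = (r.query, r.rrtype, r.answer)
        entry = db.get(key)
        if entry is None:
            db[key] = {"first_seen": r.ts, "last_seen": r.ts,
                       "count": r.count, "ttl": r.ttl}
        else:
            entry["first_seen"] = min(entry["first_seen"], r.ts)
            entry["last_seen"] = max(entry["last_seen"], r.ts)
            entry["count"] += r.count
            entry["ttl"] = r.ttl  # keep the most recently logged TTL
    return db


def answers_for(db, query, rrtype="A"):
    """All distinct answers ever logged for a name. A new address showing
    up here for a name you know well is exactly the kind of change passive
    DNS data exists to surface."""
    return sorted(a for (q, t, a) in db if q == query and t == rrtype)


def utc(ts):
    """Render a (possibly fractional) log timestamp as ISO 8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(
        timespec="microseconds")


if __name__ == "__main__":
    db = aggregate(SAMPLE_LOG.splitlines())
    for (q, t, a), e in sorted(db.items()):
        print("%-20s %-5s %-15s seen %3d times, %s .. %s" % (
            q, t, a, e["count"], utc(e["first_seen"]), utc(e["last_seen"])))
```

Run it over a real log with `aggregate(open("passivedns.log"))`. Summing the count field is what makes the two www.facebook.com. lines above add up to 12; with -P 0 every line carries a count of 1 and the sum is simply the number of lines. The parser deliberately refuses lines with an unexpected number of fields instead of guessing, since a name or answer containing the delimiter would otherwise be silently misattributed.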

Now that v1.0 is out, I will work on releasing new versions of PassiveDNS. In versions to come, I will make it possible to customize the output fields via the command line.

BTW, I have also added some more statistics that passivedns 1.0 prints when it exits. They look something like this:

– Total DNS records allocated : 15726
– Total DNS assets allocated : 23259
– Total DNS packets over IPv4/TCP : 0
– Total DNS packets over IPv6/TCP : 0
– Total DNS packets over TCP decoded : 0
– Total DNS packets over TCP failed : 0
– Total DNS packets over IPv4/UDP : 222139
– Total DNS packets over IPv6/UDP : 0
– Total DNS packets over UDP decoded : 222133
– Total DNS packets over UDP failed : 6
– Total packets received from libpcap : 463374
– Total Ethernet packets received : 463374
– Total VLAN packets received : 0

You can download the 1.0 release in tar.gz or in zip.

Or you can find the project on GitHub.

Version 1.0 has been tested extensively and should be considered stable and production-ready. But if you find any issues, please don't hesitate to report your findings here.

Hacky New Year by the way!

2 Responses to “PassiveDNS version 1.0”

  1. chalo, October 12th, 2013 at 02:33

    CONGRATS on the work! I just read Jaime Blasco's (AlienVault) post and downloaded the tool, which seems VERY NICE, and everything works as advertised.
    Only question is: how do I get to PassiveDNS's web interface so I can also use a browser to parse the data as shown here:
    http://www.alienvault.com/open-threat-exchange/blog/identifying-suspicious-domains-using-dns-records

    THANKS AGAIN for the excellent work!

  2. October 12th, 2013 at 07:34

    Hi chalo,

    You should use pdns2db.pl so that an aggregation of the logs gets into a MySQL db. Then you can deploy https://github.com/gamelinux/passivedns/tree/master/www/index.php on a webserver that is PHP-enabled and has php-mysql support. Edit the index.php so it points to your database, etc. You should be good to go.

    Regards,
    Edward
