DNS plugin
The goal of this project was to create a plugin for INVEA-TECH’s Flowmon
Exporter, which can parse DNS traffic and extract DNS application data.
Flowmon Exporter allows to use various types of plugins. DNS plugin is
implemented as a process plugin. The plugin extends the capability of the
exporter with parsing of DNS application data and exporting of the parsed
data. The data are exported in newly defined items utilizing the IPFIX format
along with other exported fields.
DNS plugin for Flowmon Exporter processes DNS traffic by parsing and
interpreting some of the elements from the DNS packets. These elements are
located in the Application layer of the packet and represent essential
information for network traffic analysis. The exported DNS elements were chosen
with respect to an anomaly analysis and attack detection.
List of exported DNS fields (in current version):
- Transaction ID
- Total number of DNS answers
- Return Code
- Queried hostname
- Type of query
- Class of query
- TTL of response
- Length of response data
- Interpreted response data
- Requested UDP payload size (Additional section)
- DNSSEC OK bit (Additional section)
For more information about plugin implementation, output options, parameters
and response data interpretation details please see the README file of the
plugin.
Queried hostname and response data output sizes are limited in order to
preserve performace effectivity of the plugin.
Download and Installation
Package of the DNS plugin for Flowmon Exporter is currently available in
version 4.0.7 (April 23, 2014) and can be downloaded as a compressed archive
with source codes: flowmon-process-dns-4.tar.gz
This version of plugin is working with Flowmon Exporter 4.x .
Plugin compilation:
$ tar -xpzf flowmon-process-dns-4.tar.gz
$ cd flowmon-process-dns-4
$ make
Run example
flowmonexp -X /home/local/user/dns.so -I input-rawnetcap:device=eth2#eth3 -P dns:debug=y -E null
Parameters
debug=y/n | Switch on/off debug mode (default: same as flowmonexp) |
verbose=y/n | Switch on/off verbose mode (default: same as flowmonexp) |
all=y/n | Switch on/off parsing of ALL of present DNS fields |
Author
Michal Kováčik < ikovacik@fit.vutbr.cz >