This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Grains: DNS

rsdy edited this page Mar 19, 2019 · 3 revisions

The DNS filter is an XDP filter that listens for DNS answers arriving on the network. Because its packet-matching rules are quite loose, the collected data will also include mDNS chatter and other DNS-like payloads, not just answers from unicast resolvers.

An example mDNS packet looks like this:

```python
{'kind': 13,
 'measurement': 6,
 'name': 'dns.answer_count',
 'tags': {'d_ip': '224.0.0.251',
          'd_port': '5353',
          'q_dnsaddr': '78e6d7e30b8f._airdrop._tcp.local.',
          'q_dnsclass': '32769',
          'q_dnsid': '0',
          'q_dnstype': '32769',
          's_ip': '192.168.114.77',
          's_port': '5353'},
 'timestamp': 1532605450479899344}
```

And a regular (unicast) DNS answer looks more like this:

```python
{'kind': 13,
 'measurement': 1,
 'name': 'dns.answer_count',
 'tags': {'d_ip': '192.168.114.133',
          'd_port': '59118',
          'q_addr': 's3.amazonaws.com.',
          'q_class': '1',
          'q_id': '5515',
          'q_type': '1',
          's_ip': '194.168.4.123',
          's_port': '53'},
 'timestamp': 1532605521495260225}
```
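Because the grain forwards mDNS and other DNS-like traffic alongside real resolver answers, a consumer usually wants to separate the two and to notice answers that did not come from an approved resolver. The following is an added example, not part of this wiki page or of the project's own code: it normalises the records shown above (accepting both the `q_addr`/`q_type`/... and `q_dnsaddr`/`q_dnstype`/... tag spellings that appear in the two samples), strips the mDNS cache-flush bit (0x8000, RFC 6762) from the class field so that `32769` reads as class `1`, and partitions records into mDNS chatter, unicast answers, and answers from a source that is not on an allow-list. The allow-list, the `normalize`/`classify` function names and the port/group constants are this example's own assumptions; the two input records are copied from the page.

```python
"""Post-process records emitted by the DNS grain (added example).

Splits mDNS chatter from unicast DNS answers and flags answers whose source
address is not an approved resolver. Field names other than those in the two
sample records are this example's assumptions, not the grain's documented API.
"""
from ipaddress import ip_address

MDNS_PORT = 5353                          # mDNS always uses UDP 5353 (RFC 6762)
MDNS_V4_GROUP = ip_address("224.0.0.251")  # IPv4 mDNS multicast group
MDNS_V6_GROUP = ip_address("ff02::fb")     # IPv6 mDNS multicast group
MDNS_CACHE_FLUSH = 0x8000                  # top bit of the class field in mDNS answers

# The two records on the page spell the question tags differently; accept both.
_TAG_ALIASES = {
    "name":   ("q_addr", "q_dnsaddr"),
    "qtype":  ("q_type", "q_dnstype"),
    "qclass": ("q_class", "q_dnsclass"),
    "qid":    ("q_id", "q_dnsid"),
}

# Sample input: the two records from the page, embedded so this runs offline.
SAMPLE_RECORDS = [
    {"kind": 13, "measurement": 6, "name": "dns.answer_count",
     "tags": {"d_ip": "224.0.0.251", "d_port": "5353",
              "q_dnsaddr": "78e6d7e30b8f._airdrop._tcp.local.",
              "q_dnsclass": "32769", "q_dnsid": "0", "q_dnstype": "32769",
              "s_ip": "192.168.114.77", "s_port": "5353"},
     "timestamp": 1532605450479899344},
    {"kind": 13, "measurement": 1, "name": "dns.answer_count",
     "tags": {"d_ip": "192.168.114.133", "d_port": "59118",
              "q_addr": "s3.amazonaws.com.", "q_class": "1", "q_id": "5515",
              "q_type": "1", "s_ip": "194.168.4.123", "s_port": "53"},
     "timestamp": 1532605521495260225},
]


def _tag(tags, key):
    """Look a question field up under any of its known tag spellings."""
    for alias in _TAG_ALIASES[key]:
        if alias in tags:
            return tags[alias]
    raise KeyError(f"record has no {key} tag (tried {_TAG_ALIASES[key]})")


def normalize(record):
    """Turn one grain record into typed fields with a consistent vocabulary."""
    tags = record["tags"]
    raw_class = int(_tag(tags, "qclass"))
    return {
        "name": _tag(tags, "name"),
        "qtype": int(_tag(tags, "qtype")),
        # 32769 == 0x8001: class IN with the mDNS cache-flush bit set.
        "qclass": raw_class & ~MDNS_CACHE_FLUSH,
        "cache_flush": bool(raw_class & MDNS_CACHE_FLUSH),
        "qid": int(_tag(tags, "qid")),
        "src": ip_address(tags["s_ip"]), "sport": int(tags["s_port"]),
        "dst": ip_address(tags["d_ip"]), "dport": int(tags["d_port"]),
        "answers": int(record["measurement"]),
        "timestamp": record["timestamp"],
    }


def is_mdns(rec):
    """mDNS traffic is on port 5353 and/or addressed to the mDNS group."""
    return (rec["sport"] == MDNS_PORT or rec["dport"] == MDNS_PORT
            or rec["dst"] in (MDNS_V4_GROUP, MDNS_V6_GROUP))


def classify(records, approved_resolvers):
    """Return (unicast answers, mDNS records, answers from unapproved sources).

    Unicast answers whose source IP is not in approved_resolvers are the ones
    worth alerting on: they indicate a resolver you did not configure.
    """
    approved = {ip_address(a) for a in approved_resolvers}
    unicast, mdns, unexpected = [], [], []
    for rec in map(normalize, records):
        if is_mdns(rec):
            mdns.append(rec)
            continue
        unicast.append(rec)
        if rec["src"] not in approved:
            unexpected.append(rec)
    return unicast, mdns, unexpected


if __name__ == "__main__":
    # Assumed allow-list: only the resolver seen in the page's sample answer.
    unicast, mdns, unexpected = classify(SAMPLE_RECORDS, ["194.168.4.123"])
    print(f"unicast={len(unicast)} mdns={len(mdns)} unexpected={len(unexpected)}")
    for rec in unicast:
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"{rec['name']} type={rec['qtype']} answers={rec['answers']}")
```

The cache-flush handling matters when you key statistics on the class field: without it, the same class IN answer shows up as `1` for unicast DNS and `32769` for mDNS. The allow-list check is deliberately on `s_ip` only; port 53 from an unexpected source is exactly the case it is meant to surface.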