DNS Plugin

This plugin dissects DNS traffic and saves it in dump files as well export the information via NetFlow/IPFIX using the following information elements.

[NFv9 57677][IPFIX 35632.205][Len 256 varlen] %DNS_QUERY       DNS query
[NFv9 57678][IPFIX 35632.206][Len 2] %DNS_QUERY_ID             DNS query transaction Id
[NFv9 57679][IPFIX 35632.207][Len 1] %DNS_QUERY_TYPE           DNS query type (e.g. 1=A, 2=NS..)
[NFv9 57680][IPFIX 35632.208][Len 1] %DNS_RET_CODE             DNS return code (e.g. 0=no error)
[NFv9 57681][IPFIX 35632.209][Len 1] %DNS_NUM_ANSWERS          DNS # of returned answers
[NFv9 57824][IPFIX 35632.352][Len 4] %DNS_TTL_ANSWER           TTL of the first A record (if any)
[NFv9 57870][IPFIX 35632.398][Len 256 varlen] %DNS_RESPONSE    DNS response(s)

DNS plugin support option --dns-dump-dir <dump dir>. When this option is used, nProbe writes DNS dump files in <dump dir>. Multiple files are created in a hierarchical YYYY/MM/DD directory tree and each file is at most 1000-lines long.

An example of a created file, resulting from the dissection of dig google.it @ is:

# When[epoch]   DNS_Client[ascii:32]    AS[uint]        ClientCountry[ascii:32] ClientCity[ascii:32]    DNS_Server[ascii:32]    Query[ascii:64] NumRetCode[uint]        RetCode[ascii:16]       NumAnswer[uint] NumQueryType[uint]      QueryType[ascii:8]      TransactionId[
1593700139   0              google.it       0       NOERROR 1       1       A       1839         0       64      1       1       7.903   79


As this plugin dissects traffic packets, it is only available when nProbe is used in probe mode.