Lord777
Professional
- Messages
- 2,578
- Reaction score
- 1,519
- Points
- 113
DNS Monster
Passive DNS collection and monitoring written in Golang with Clickhouse and Grafana: dnsmonster implements a packet sniffer for DNS traffic.
It can receive traffic from a pcap file, live interface or dnstap socket, and can be used to index and store thousands of DNS queries per second (it has been shown to be able to index 200k + DNS queries per second on a regular computer).
Its goal is to be scalable, simple, and easy to use, and to help security teams understand the details of an enterprise's DNS traffic.
dnsmonster does not seek to track DNS negotiations, its goal is to index DNS packets as soon as they arrive.
It also does not seek to compromise the privacy of end users by being able to mask the source IP address from 1 to 32 bits, making the data potentially untraceable.
IMPORTANT NOTE: Code prior to version 1.x is considered beta and is subject to change. Please see the release notes for each tag for a list of hacking scenarios between each release, and how to mitigate potential data loss.
Key features
github.com
Passive DNS collection and monitoring written in Golang with Clickhouse and Grafana: dnsmonster implements a packet sniffer for DNS traffic.
It can receive traffic from a pcap file, live interface or dnstap socket, and can be used to index and store thousands of DNS queries per second (it has been shown to be able to index 200k + DNS queries per second on a regular computer).
Its goal is to be scalable, simple, and easy to use, and to help security teams understand the details of an enterprise's DNS traffic.
dnsmonster does not seek to track DNS negotiations, its goal is to index DNS packets as soon as they arrive.
It also does not seek to compromise the privacy of end users by being able to mask the source IP address from 1 to 32 bits, making the data potentially untraceable.
IMPORTANT NOTE: Code prior to version 1.x is considered beta and is subject to change. Please see the release notes for each tag for a list of hacking scenarios between each release, and how to mitigate potential data loss.
Key features
- Can use Linux afpacket and zero-copy packet capture.
- Supports BPF
- Can fuzz the original IP address for increased privacy
- May have a sampling rate before processing
- May have fqdns “skip” list to avoid writing some domains / suffixes / prefixes to storage, thereby improving database performance
- May have a list of “allowed” domains to only log hits for specific domains in Clickhouse / Stdout / File.
- Modular output with different logic for each output stream. Currently stdout / file / clickhouse
- Hot loading of admitting and allowing domain files
- Automatic data retention policy using the ClickHouse TTL attribute
- Embedded dashboard using Grafana
- Can be supplied as a single statically linked binary file
- Configurable using Env variables, command line options or config file
- The ability to select output metrics using the ClickHouse's SAMPLE function
- High compression ratio thanks to built-in LZ4 storage in ClickHouse
- Supports DNS over TCP, fragmented DNS (udp / tcp) and IPv6.
- Dnstrap support over Unix socket or TCP
GitHub - mosajjal/dnsmonster: Passive DNS Capture and Monitoring Toolkit
Passive DNS Capture and Monitoring Toolkit. Contribute to mosajjal/dnsmonster development by creating an account on GitHub.
github.com
