DNSMonster : Passive DNS Capture/Monitoring Framework

DNSMonster is a passive DNS collection and monitoring built with Golang, Click house and Grafana: dnsmonster implements a packet sniffer for DNS traffic. It can accept traffic from a pcap file, a live interface or a dnstap socket, and can be used to index and store thousands of DNS queries per second (it has shown to be capable of indexing 200k+ DNS queries per second on a commodity computer).

It aims to be scalable, simple and easy to use, and help security teams to understand the details about an enterprise’s DNS traffic. dnsmonster does not look to follow DNS conversations, rather it aims to index DNS packets as soon as they come in. It also does not aim to breach the privacy of the end-users, with the ability to mask source IP from 1 to 32 bits, making the data potentially untraceable. Blogpost

IMPORTANT NOTE: The code before version 1.x is considered beta quality and is subject to breaking changes. Please check the release notes for each tag to see the list of breaking scenarios between each release, and how to mitigate potential data loss.

Main Features

• Can use Linux’s afpacket and zero-copy packet capture.
• Supports BPF
• Can fuzz source IP to enhance privacy
• Can have a pre-processing sampling ratio
• Can have a list of “skip” fqdns to avoid writing some domains/suffix/prefix to storage, thus improving DB performance
• Can have a list of “allow” domains to only log hits of certain domains in Clickhouse/Stdout/File
• Modular output with different logic per output stream. Currently stdout/file/clickhouse
• Hot-reload of skip and allow domain files
• Automatic data retention policy using ClickHouse’s TTL attribute
• Built-in dashboard using Grafana
• Can be shipped as a single, statically-linked binary
• Ability to be configured using Env variables, command line options or configuration file
• Ability to sample output metrics using ClickHouse’s SAMPLE capability
• High compression ratio thanks to ClickHouse’s built-in LZ4 storage
• Supports DNS Over TCP, Fragmented DNS (udp/tcp) and IPv6
• Supports dnstrap over Unix socket or TCP

Manual Installation

Linux

For afpacket v3 support, you need to use kernel 3.x+. Any Linux distro since 5 years ago is shipped with a 3.x+ version so it should work out of the box. The release binary is shipped as a statically-linked binary and shouldn’t need any dependencies and will work out of the box. If your distro is not running the pre-compiled version properly, please submit an issue with the details and build dnsmonster manually using this section Build Manually.

Windows

Windows release of the binary depends on npcap to be installed. After installation, the binary should work out of the box. I’ve tested it in a Windows 10 environment and it ran without an issue. To find interface names to give -devName parameter and start sniffing, you’ll need to do the following:

• open cmd.exe (probably as Admin) and run the following: getmac.exe, you’ll see a table with your interfaces’ MAC address and a Transport Name column with something like this: \Device\Tcpip_{16000000-0000-0000-0000-145C4638064C}
• run dnsmonster.exe in cmd.exe like this:

dnsmonster.exe \Device\NPF_{16000000-0000-0000-0000-145C4638064C}

Note that you should change \Tcpip from getmac.exe to \NPF inside dnsmonster.exe.

Since afpacket is a Linux feature and Windows is not supported, useAfpacket and its related options will not work and will cause unexpected behavior on Windows.