Add to roadmap - AXFR & IXFR #16

Open
elhoim opened this issue Feb 25, 2012 · 6 comments
Comments

@elhoim commented Feb 25, 2012

Add AXFR & IXFR RR types

@gamelinux (Owner) commented Feb 25, 2012

To do this, I will need pcap of the above mentioned traffic.

@elhoim (Author) commented Feb 25, 2012

http://pcapr.net/browse?q=AXFR
http://pcapr.net/browse?q=IXFR

(Sent by email in reply to Edward Fjellskål's comment above of Sat, Feb 25, 2012 at 20:01.)

@gamelinux (Owner)

Thanks, now I just have to remember my pcapr login :)

@gamelinux (Owner) commented Feb 27, 2012

./passivedns -X46CDNPRSOn -l - -r DNS-AXFR.pcap
...
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||3600
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||NS||snake.||3600
...

I can't see that there is something to do here. The answer says it's AXFR, but that really doesn't contain any useful data, so I skip that. But it's the other data in the DNS payload that holds the interesting information; like in that AXFR pcap, it holds the SOA and NS, which we catch with the "O" and "n" flags.

Is there something more I should look into here, do you think?

@elhoim (Author) commented Mar 19, 2012

Yeah, but what about a line mentioning that there is an AXFR/IXFR?
It needs to have a different format than the other lines to make sense.
Or put field(s) that have no meaning to a "NULL" value, i.e.:
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||AXFR||snake.||-

(Sent by email in reply to Edward Fjellskål's comment above of Mon, Feb 27, 2012 at 14:36.)

@gamelinux (Owner)

Different format it needs, yes.
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||AXFR||snake.||-
will not be the best in my eyes, as the info that snake.yourmom.com is a SOA record is not there.

So, we are looking at the answers from the servers; we could do something like:
1174885336||10.157.6.234||10.157.6.140||IN||yourmom.com.||SOA||snake.||0||AXFR

where the last field could be additional information, that it was an answer to an AXFR.

But that said, on the roadmap I would like to implement a way so that the user can control all the output.
The default output would be set, but if the user needs or wants something extra, it should be easy to add features
without breaking existing setups etc. Like:
./passivedns -f "%ts||%cip||%sip||%rrc||%qu||%qt||%an||%ttl"

Which would be our current format.

Additional fields could be to output

  • the flags set by the server
  • count (how many times a domain has been queried)
  • AXFR/IXFR
  • Others....
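The two ideas in this thread, flagging that an answer belongs to a zone transfer and letting the user pick the output fields with a %-placeholder format string, are shown together below as an added example written for this page; it is not passivedns code and the project's actual C implementation may differ. The transfer signal is the one the pcap comment above alludes to: the question section carries QTYPE 252 (AXFR) or 251 (IXFR), while the answer RRs are ordinary SOA/NS records. The `%ts`, `%cip`, `%sip`, `%rrc`, `%qu`, `%qt`, `%an` and `%ttl` names come from the owner's comment; `%xfr` is an assumed extra placeholder, and the DNS packets are constructed by hand here. One caveat a real deployment must handle: AXFR runs over TCP with a 2-byte length prefix and may span several DNS messages; this parser takes one bare message.

```python
"""Added example, not passivedns code: detect a zone transfer from the DNS
question section and emit passivedns-style lines with an extra %xfr field."""
import re
import struct

TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 251: "IXFR", 252: "AXFR"}
CLASS_NAMES = {1: "IN"}
ZONE_TRANSFER_TYPES = {251, 252}
# Current passivedns format from the thread plus an assumed %xfr placeholder
DEFAULT_FMT = "%ts||%cip||%sip||%rrc||%qu||%qt||%an||%ttl||%xfr"


def encode_name(name):
    """Encode 'a.b.' as DNS labels (only used to build the sample packets)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                     # resume after first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_dns(msg):
    """Parse header, question and answer sections of one DNS message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype in (2, 6):                       # NS target / SOA MNAME
            rdata, _ = read_name(msg, off)
        elif rtype == 1 and rdlen == 4:           # A record
            rdata = ".".join(str(b) for b in msg[off:off + 4])
        else:
            rdata = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, rclass, ttl, rdata))
    return {"response": bool(flags & 0x8000), "questions": questions,
            "answers": answers}


def format_line(fmt, fields):
    """Expand %name placeholders (the -f idea from the thread; syntax assumed).
    Unknown placeholders are left untouched."""
    return re.sub(r"%([a-z]+)",
                  lambda m: str(fields.get(m.group(1), m.group(0))), fmt)


def log_lines(ts, cip, sip, msg, fmt=DEFAULT_FMT):
    """One line per answer RR. %xfr is AXFR/IXFR when the question asked for
    a zone transfer (QTYPE 252/251), otherwise '-'. Queries yield nothing."""
    d = parse_dns(msg)
    if not d["response"] or not d["questions"]:
        return []
    qtype = d["questions"][0][1]
    xfr = TYPE_NAMES[qtype] if qtype in ZONE_TRANSFER_TYPES else "-"
    return [format_line(fmt, {"ts": ts, "cip": cip, "sip": sip,
                              "rrc": CLASS_NAMES.get(rclass, rclass),
                              "qu": name, "qt": TYPE_NAMES.get(rtype, rtype),
                              "an": rdata, "ttl": ttl, "xfr": xfr})
            for name, rtype, rclass, ttl, rdata in d["answers"]]


# Constructed AXFR response: question yourmom.com. AXFR, answers SOA and NS
# (a real AXFR arrives over TCP with a 2-byte length prefix, stripped here).
SAMPLE_AXFR_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8400, 1, 2, 0, 0)
    + encode_name("yourmom.com.") + struct.pack("!HH", 252, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 6, 1, 3600, 41)
    + b"\x05snake\xC0\x0C" + b"\x0ahostmaster\xC0\x0C"   # MNAME, RNAME
    + struct.pack("!5I", 2012022501, 7200, 900, 1209600, 3600)
    + b"\xC0\x0C" + struct.pack("!HHIH", 2, 1, 3600, 8)
    + b"\x05snake\xC0\x0C"
)
# Constructed ordinary A response for the same zone (no transfer flag)
SAMPLE_A_RESPONSE = (
    struct.pack("!6H", 0x1235, 0x8180, 1, 1, 0, 0)
    + encode_name("yourmom.com.") + struct.pack("!HH", 1, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 157, 6, 140])
)

if __name__ == "__main__":
    for pkt in (SAMPLE_AXFR_RESPONSE, SAMPLE_A_RESPONSE):
        for line in log_lines(1174885336, "10.157.6.234", "10.157.6.140", pkt):
            print(line)
```

Run as a script it prints the SOA and NS lines from the constructed AXFR response with a trailing `AXFR`, then the A line with `-` in that position; passing a different `fmt` to `log_lines` drops or reorders fields without touching the parser, which is the compatibility property the owner is after.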
