DNS Monitor - README

Author

• Name: Matej Hrachovec
• Login: xhrach06
• Date Created: 15 November 2024

Project Description

The dns-monitor tool is built to analyze DNS traffic from a selected network interface or read DNS messages from a PCAP file. It features both basic and detailed output modes, making it easy for users to view and interpret DNS queries and responses. The key functionalities include:

1. DNS Traffic Monitoring: Captures and analyzes DNS messages from a network interface or PCAP file.
2. Domain Name Extraction: Logs unique domain names encountered in DNS messages.
3. Domain Name Translations: Records translations of domain names to IPv4 and IPv6 addresses.

Supported DNS Record Types

The program currently supports the following DNS record types:

• A (IPv4 Address)
• AAAA (IPv6 Address)
• NS (Name Server)
• MX (Mail Exchange)
• SOA (Start of Authority)
• CNAME (Canonical Name)
• SRV (Service)

Limitations

• Only supports DNS over UDP.
• Does not support additional DNS record types such as PTR.
• Tested and verified to compile and run on GNU/Linux systems (merlin.fit.vutbr.cz and eva.fit.vutbr.cz).

Compilation

To compile the program, use the provided Makefile:

make

This command will produce the executable dns-monitor.

Usage

The program can be run with the following syntax:

./dns-monitor (-i <interface> | -p <pcapfile>) [-v] [-d <domainsfile>] [-t <translationsfile>]

Command-Line Arguments

• -i : Specifies the network interface to listen on (e.g., eth0).
• -p : Specifies the path to the PCAP file to process.
• -v: Enables verbose mode, providing detailed output of DNS messages.
• -d : Specifies the output file to save observed domain names.
• -t : Specifies the output file to save domain name translations to IP addresses.

Example Usage

1. Monitor DNS traffic on the eth0 interface in simplified mode:

./dns-monitor -i eth0

2. Analyze a PCAP file with verbose output, logging domain names to domains.txt:

./dns-monitor -p sample.pcap -v -d domains.txt

3. Monitor DNS traffic on eth0, saving domain name translations to translations.txt:

./dns-monitor -i eth0 -t translations.txt

4. Process a PCAP file and save both domain names and translations:

./dns-monitor -p capture.pcap -d domains.txt -t translations.txt

Output Format

The program supports two output formats:

Simplified Output

In simplified mode (without -v), each DNS message is displayed in a single line with the following format:

<YYYY-MM-DD> <HH:MM:SS> <SrcIP> -> <DstIP> (Q/R <QuestionCount>/<AnswerCount>/<AuthorityCount>/<AdditionalCount>)

Exaple:

2024-11-15 14:42:10 192.168.1.5 -> 8.8.8.8 (Q 1/0/0/0)
2024-11-15 14:42:11 8.8.8.8 -> 192.168.1.5 (R 1/1/2/2)

Verbose Output

In verbose mode (-v), detailed information for each DNS message is provided, including the following fields:

• Timestamp: Date and time of the message.
• SrcIP: Source IP address.
• DstIP: Destination IP address.
• SrcPort: Source port (e.g., UDP/53).
• DstPort: Destination port (e.g., UDP/54321).
• Identifier: DNS message identifier.
• Flags: Detailed flags (e.g., QR, OPCODE, AA, TC, RD, RA, AD, CD, RCODE).
• Sections for Question, Answer, Authority, and Additional are also printed with their corresponding records.

Example:

Timestamp: 2024-11-15 14:42:10
SrcIP: 192.168.1.5
DstIP: 8.8.8.8
SrcPort: UDP/54321
DstPort: UDP/53
Identifier: 0xA1B2
Flags: QR=0, OPCODE=0, AA=0, TC=0, RD=1, RA=0, AD=0, CD=0, RCODE=0

[Question Section]
example.com. IN A

[Answer Section]
example.com. 300 IN A 93.184.216.34

[Authority Section]
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.

[Additional Section]
ns1.example.com. 86400 IN A 192.0.2.1
ns2.example.com. 86400 IN A 192.0.2.2
====================

List of Submited Files

• main.c: The main entry point of the application.
• dns-monitor.h: Contains shared definitions and function prototypes used across modules.
• dns-parser.c: Responsible for parsing DNS messages and extracting record details.
• packet-handler.c: Manages the capture of packets and extraction of DNS data.
• fragment-handler.c: Handles the reassembly of fragmented DNS messages.
• fragment.h: Header file for the fragment handling logic.
• file-handler.c: Provides file operations for logging domain names and translations.
• cleanup.c: Ensures all resources are properly released upon program termination.
• cleanup.h: Header for cleanup routines.
• Makefile: Instructions for compiling the project.
• README.md: This readme document with project details.
• manual.pdf: Complete user guide and technical documentation.

Testing

The dns-monitor program has undergone extensive testing using both live network traffic and sample PCAP files. The tests included:

• Checking domain name extraction in both normal and verbose output modes.
• Verifying that all supported DNS record types (A, AAAA, NS, MX, SOA, CNAME, SRV) are processed correctly.
• Using valgrind to detect and resolve memory leaks and buffer issues.

Additional Notes

• You may need elevated permissions (e.g., sudo) when listening on network interfaces.
• The program has been tested on various GNU/Linux systems and is expected to work on most Unix-like environments.
• Ensure you have libpcap and libresolv installed before compiling the code.