dns-oarc / dnsjit
Engine for capturing, parsing and replaying DNS
License: GNU General Public License v3.0
Our own PCAP parser in input.fpcap and input.mmpcap needs to translate the link type found in the PCAP to the proper DLT, see https://github.com/the-tcpdump-group/libpcap/blob/90543970fd5fbed261d3637f5ec4811d7dde4e49/pcap-common.c#L1212 .
If I feed drool respdiff a pcap with 1909 packets or more it produces the following error:
output.respdiff[0x40688428] fatal: mdb_put meta.version failed
lib.tcpreasm
Support for TCP fast open is missing in the underlying libuv library (libuv/libuv#1136) and its implementation would be quite complex.
core.object.udp
core.object.tcp
core.object.payload
core.object.dns
nil is returned instead of a 0-length payload in non-blocking mode of the TCP client.
pcap_dump_open()
pcap_dump_close()
pcap_dump_flush()
pcap_dump_ftell()
fixed, set a fixed nanosecond pause between packets
RFC7918 has not been implemented.
:map_whole(true)
MAP_HUGETLB, MAP_HUGE_2M and MAP_HUGE_1GB
Certificates aren't verified, since checking that isn't really relevant to the primary purpose of the tool.
However, adding the possibility to select between opportunistic and strict mode RFC8310 might be useful for certain use cases, as well as enforcing strict mode for HTTP.
Related to DNS-OARC/drool#80:
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking whether gcc and cc understand -c and -o together... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for ar... ar
checking the archiver (ar) interface... ar
./configure: line 4358: syntax error near unexpected token `disable-static'
./configure: line 4358: `LT_INIT(disable-static)'
centos version: CentOS Linux release 7.7.1908 (Core)
filter.thread to core.channel
fast mode
safe mode with shared read/write positions
even mode
want_write, want_read
core_object_copy()
uncast() to all objects to cast it back to core_object_t*
free() to all objects
Rework logging so that there are 3 levels of settings:
When logging, if the object's log level is not set then check if the module's log level is set, or use the global settings.
Overhaul all code to:
UDP: it should be possible to configure the client to re-transmit the query after a certain period.
Depends on #158
rehandshake / reauthentication hasn't been implemented. I don't see it as very relevant for the purpose of the tool - so this is most likely wontfix, just documenting it.
When using tcpcli, it seems that every response it produces is identical to the first one, regardless of the query sent. The same code works as expected when using udpcli instead.
Example:
dnsjit examples/replay.lua -Rt
query:
id: 742
...
questions: class type labels
IN AAAA <12>www.<16>japonec.<24>eu.
...
response:
id: 742
...
questions: class type labels
IN AAAA <12>www.<16>japonec.<24>eu.
...
query:
id: 33778
...
questions: class type labels
IN AAAA <12>www.<16>canoe42.<24>ca.
...
response:
id: 742
...
questions: class type labels
IN AAAA <12>www.<16>japonec.<24>eu.
...
query:
id: 10831
...
questions: class type labels
IN AAAA <12>ic.<15>mestodobruska.<29>cz.
...
response:
id: 742
...
questions: class type labels
IN AAAA <12>www.<16>japonec.<24>eu.
...
pcap_create()
pcap_activate()
pcap_findalldevs()
pcap_lookupdev()
pcap_set_snaplen()
pcap_set_promisc()
pcap_set_rfmon()
pcap_can_set_rfmon()
pcap_set_timeout()
pcap_set_buffer_size()
pcap_major_version()
pcap_minor_version()
pcap_setfilter()
pcap_setdirection()
pcap_stats()
pcap_statustostr()
pcap_lib_version()
RFC8446#section-2.3 has not been implemented.
It would be useful to match QID of the response and ignore mismatching DNS messages. Currently, if an unexpected packet arrives while waiting for a response, it will be accepted.
This can happen if the server doesn't respond within the configured dnsjit timeout, but the response still arrives later. The original query will be marked as timeout, but when the answer still arrives later, it will be assigned to the current ongoing query. Its response will in turn be assigned to the next query. This will effectively shift all the remaining responses, causing them to be assigned to incorrect queries.
Add the possibility to retry a UDP query that has TC=1 in the answer over TCP.
Depends on #158
lib.ipfrag
contrib/respdiff-dnsjit2answers.py
msec, response time
malloc() instead of LuaJIT's metatype constructor
In the FreeBSD section you mention the manual install of libck. On FreeBSD, libck can be installed by
pkg install devel/concurrencykit
Maybe adapt the README?
core.object.dns
core.object.tcp
connect() and use it in new object if host and port is given
nonblocking(bool) default true
wait_on_reply(bool) default false, if true then clear recvbuf before sending
recvfrom() and receiver
input.example
filter.example
output.example
Related to DNS-OARC/drool#80
mask = -1 >> (len - need)
filter.layer to use mask (speed up ~10-15%)
connect() and use it in new object if host and port is given
nonblocking(bool) default true
wait_on_reply(bool) default false, if true then clear recvbuf before sending
autoreconnect(bool) default false
reconnect()
recvfrom() and receiver
_produce() to be able to handle timeouts during length retrieval
Currently, it's not possible to push an empty string to a thread, because it has zero length. Attempting to do so triggers a fatal error.
Passing an empty string may be useful in some cases, e.g. when using it as a default value for getopt.
#!/usr/bin/env dnsjit
local thread = require("dnsjit.core.thread")
local getopt = require("dnsjit.lib.getopt").new({
{ "s", "string", "", "optional string", "?" },
})
getopt:parse()
local opt_string = getopt:val("string")
local thr = thread.new()
thr:push(opt_string)
core/thread.c[176] core.thread[0xdeadbeef] fatal: len is zero
Queries are sent over TLS without any padding.
The harder part would be to request server padding via RFC 7830, since that would require modifying the queries themselves.
output.udpcli/output.tcpcli to a simpler socket() output that does not understand DNS, that logic can be handled elsewhere
Related to DNS-OARC/drool#80:
It seems that a simple make install does not install all necessary files:
$ ./dumpdns-qr.lua /home/pspacek/pcaps/test.pcap
<< dnsjit v0.9.3 https://github.com/DNS-OARC/dnsjit/issues >>
core critical: ./dumpdns-qr.lua: ./dumpdns-qr.lua:9: module 'dnsjit.core.object' not found:
no field package.preload['dnsjit.core.object']
no file './dnsjit/core/object.lua'
no file '/usr/share/luajit-2.1.0-beta3/dnsjit/core/object.lua'
no file '/usr/local/share/lua/5.1/dnsjit/core/object.lua'
no file '/usr/local/share/lua/5.1/dnsjit/core/object/init.lua'
no file '/usr/share/lua/5.1/dnsjit/core/object.lua'
no file '/usr/share/lua/5.1/dnsjit/core/object/init.lua'
no file './dnsjit/core/object.so'
no file '/usr/lo
$ ls /usr/local/share/lua/5.1/dnsjit
ls: cannot access '/usr/local/share/lua/5.1/dnsjit': No such file or directory
I did not specify any arguments to configure / make / make install.
To allow retry logic (or TCP fallback), the code has to be refactored to allow associating multiple queries with a single request.
Since linked-lists are used in multiple places (e.g. queries associated with connection), it might be worth investigating whether a different data structure with faster lookup would be beneficial.
The C-DNS (RFC8618) format looks quite useful for storing and processing large amounts of DNS data.
Are there any plans to add reader/writer for C-DNS?
The output/dnssim component should support sending queries over IPv4 as well.
core.channel to pass objects
If a connection is closed while there were pending queries, how should it be handled?
Currently, it stays dormant until it either times out, or another query triggers a new connection and the orphaned query is re-sent over that connection as well.
Re-sending orphaned queries immediately by establishing new connections would have to have an upper limit of attempts and/or a backoff time.