
passivedns's Introduction

#
#  ______                                           ____   __  __  _____
# |  __  |                         @               |    \ |  \ | ||  ___| (TM)
# | _____|.------. .-----. .-----. _ -. .-.------. | |\  ||   \| ||___  |
# |  |    |  __  ||__  --'|__  --'| |\ Y /| _--__|_| |/  ||      || \_| |
# |__|    |____|_||______||______||_| \_/ |_______/|____/ |__|\__||_____|
#
#

A tool to collect DNS records passively to aid Incident handling, Network
Security Monitoring (NSM) and general digital forensics.

PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs
the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate
DNS answers in memory, limiting the amount of data in the log file without
losing the essence of the DNS answer.

Example output from version 1.0.0->Current in the log file (/var/log/passivedns.log):

#timestamp||dns-client ||dns-server||RR class||Query||Query Type||Answer||TTL||Count
1322849924.408856||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.117||46587||5
1322849924.408857||10.1.1.1||8.8.8.8||IN||upload.youtube.com.||A||74.125.43.116||420509||5
1322849924.408858||10.1.1.1||8.8.8.8||IN||www.adobe.com.||CNAME||www.wip4.adobe.com.||43200||8
1322849924.408859||10.1.1.1||8.8.8.8||IN||www.adobe.com.||A||193.104.215.61||43200||8
1322849924.408860||10.1.1.1||8.8.8.8||IN||i1.ytimg.com.||CNAME||ytimg.l.google.com.||43200||3
1322849924.408861||10.1.1.1||8.8.8.8||IN||clients1.google.com.||A||173.194.32.3||43200||2

PassiveDNS works on IPv4 and IPv6 traffic and parses DNS traffic over TCP and UDP.

How can PassiveDNS be used:

Typical usages:

1) Search for domain or IP history when working on an incident.
   Example:
   Company has malware talking to bad.twittertoday.com.
   At the current time, the domain is resolving to, say, 202.29.94.200.
   You search your Flowdata, find the clients talking to that IP and
   remediate. You look at the Flowdata, discover the date and time the
   clients first talked to that IP, and conclude that this is the time of
   infection...

   But querying the domain in your PassiveDNS data, you get the following history:

 FirstSeen  | LastSeen   | TYPE | TTL |        Query         |   Answer
----------------------------------------------------------------------------
 2011-12-01 | 2011-12-11 |    A |  60 | bad.twittertoday.com |  71.51.115.11
 2011-12-11 | 2011-12-18 |    A |  60 | bad.twittertoday.com |     127.0.0.1
 2011-12-18 | 2012-01-14 |    A |  60 | bad.twittertoday.com | 202.29.94.200

   Going back and searching for 71.51.115.11 in your Flowdata, you find
   traffic back to the FirstSeen date, and you also see more clients
   initially infected (so you did not manage to remediate/check out all your
   clients in the first run by just looking at IP 202.29.94.200). Doing
   forensics on the clients you missed in the first run reveals that
   they have downloaded a different malware and deleted the initial one,
   that being the reason you did not see flows from them to 202.29.94.200.
   The new malware gives you new domains and IPs to go look for...

2) Say you have an indication of malicious C&C traffic going to an IP on
   port 80. The domain used by the alleged malware is supposed to be
   cc.twittertoday.com. Searching your Flowdata reveals lots of clients
   talking to that IP, and you might think that the whole company is p0wned.
   A quick search in your PassiveDNS DB shows you that the IP in question is
   also hosting 300+ websites, and you might even spot a website hosted on
   that IP that you are familiar with and that you know lots of people in the
   company would legitimately visit daily.
   Searching your PassiveDNS DB gives you no hits for the domain in question,
   hopefully meaning that you don't have that malware talking to that domain
   in your network.

3) You know that *.twittertoday.com is often used in malware and the
   subdomains change randomly. Many have rules for such domains in their
   IDS/IPS, sucking up unnecessary juice from the systems. Having a script
   pre-loaded with a list of regexps of domains and subdomains to watch for,
   and alerting you when they hit, will give you much better detection of
   domain-based threats.

   You can also do a whois for all new top domains seen, correlate the whois
   info with a list of known-bad info, such as the name of the person or
   company that has registered the domain, telephone/fax numbers, address
   and so on, ending up with a score that might be high enough to trigger
   an alert to you :)
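All three usages above can be answered from the log format described at the top of this page. The Python below is an added example, not code from passivedns or its author: it parses constructed sample lines in that format, treats the timestamp as the two fields it is (so an unpadded microsecond value such as .84338 is read as 84338 µs, the pitfall discussed in the "Timestamp" issue further down this page), and then answers use case 1 (domain history), use case 2 (which names an IP has hosted) and use case 3 (regex watchlist alerts). The sample lines, the function names and the name news.example are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the log format shown above
# (timestamp||client||server||class||query||type||answer||ttl||count).
# The first record carries an unpadded microsecond field on purpose: the
# timestamp is two fields joined by ".", so ".84338" means 84338 usec.
SAMPLE_LOG = """\
#timestamp||dns-client ||dns-server||RR class||Query||Query Type||Answer||TTL||Count
1322849924.84338||10.1.1.1||8.8.8.8||IN||bad.twittertoday.com.||A||71.51.115.11||60||3
1323700000.000001||10.1.1.1||8.8.8.8||IN||bad.twittertoday.com.||A||127.0.0.1||60||2
1324300000.500000||10.1.1.2||8.8.8.8||IN||bad.twittertoday.com.||A||202.29.94.200||60||9
1324300001.000000||10.1.1.3||8.8.8.8||IN||www.adobe.com.||CNAME||www.wip4.adobe.com.||43200||8
1324300002.000000||10.1.1.3||8.8.8.8||IN||www.wip4.adobe.com.||A||202.29.94.200||43200||8
1324300003.000000||10.1.1.4||8.8.8.8||IN||news.example.||A||202.29.94.200||300||1
"""

FIELDS = ("timestamp", "client", "server", "rr_class", "query",
          "rr_type", "answer", "ttl", "count")


def parse_timestamp(field):
    """Treat 'sec.usec' as two integer fields, not one decimal number:
    '1322849924.84338' -> 1322849924.084338, not 1322849924.84338."""
    sec, usec = field.split(".")
    return int(sec) + int(usec) / 1_000_000


def parse_line(line):
    parts = line.rstrip("\n").split("||")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = parse_timestamp(rec["timestamp"])
    rec["ttl"] = int(rec["ttl"])
    rec["count"] = int(rec["count"])
    # Normalise names so "Foo.Example." and "foo.example" compare equal.
    rec["query"] = rec["query"].rstrip(".").lower()
    rec["answer"] = rec["answer"].rstrip(".").lower()
    return rec


def parse_log(text):
    """Skip the header line and blank lines; one dict per record."""
    return [parse_line(line) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def _day(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def domain_history(records, domain):
    """Use case 1: FirstSeen/LastSeen for every (type, answer) a name has had."""
    domain = domain.rstrip(".").lower()
    first, last = {}, {}
    for r in records:
        if r["query"] != domain:
            continue
        key = (r["rr_type"], r["answer"])
        first[key] = min(first.get(key, r["timestamp"]), r["timestamp"])
        last[key] = max(last.get(key, r["timestamp"]), r["timestamp"])
    return sorted((_day(first[k]), _day(last[k]), k[0], k[1]) for k in first)


def hosted_on(records, ip):
    """Use case 2: every name seen resolving to one address (shared-hosting check)."""
    return sorted({r["query"] for r in records
                   if r["rr_type"] in ("A", "AAAA") and r["answer"] == ip})


def watchlist_hits(records, patterns):
    """Use case 3: alert when a query name or CNAME target matches a watched regex."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for r in records:
        names = [r["query"]]
        if r["rr_type"] == "CNAME":
            names.append(r["answer"])
        for name in names:
            for rx in compiled:
                if rx.search(name):
                    hits.append((r["timestamp"], r["client"], name, rx.pattern))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for row in domain_history(recs, "bad.twittertoday.com"):
        print(" | ".join(row))
    print("hosted on 202.29.94.200:", hosted_on(recs, "202.29.94.200"))
    for hit in watchlist_hits(recs, [r"\.twittertoday\.com$"]):
        print("ALERT", hit)
```

The watchlist check also looks at CNAME targets, because a benign-looking query name can be aliased into a watched zone; the history table reproduces the FirstSeen/LastSeen view from use case 1 by keeping the earliest and latest timestamp per (type, answer) pair.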


Questions, suggestions, sugar or flames are always welcome :)

I hope PassiveDNS gives you a new tool to fight malware and its herders...

(c)2011-2020  -  Edward Bjarte Fjellskål

passivedns's People

Contributors

blkmajik, bobusumisu, brandt, celerini, ckuethe, espenfjo, frsk, gamelinux, hookol, jasontant, jjh74, jurg, keisial, lance0, lem, philhagen, pingtrip, ryancdotorg, satta, thus, waynemoore


passivedns's Issues

Build issue on OSX El Capitan

The first hurdle is lack of openssl libraries. It can be overcome by pointing to OSX native openssl libraries

./configure --with-openssl-includes=/usr/local/opt/openssl/include --with-openssl-libraries=/usr/local/opt/openssl/lib

But then make fails with the following error -

make 
Making all in src
/Applications/Xcode.app/Contents/Developer/usr/bin/make  all-am
make[1]: Nothing to be done for `all-am'.

explicit license

I've looked up license in file headers in src but would be nice to add explicit COPYING or LICENSE file the same way it's done in many other repo.

While we're at it - any specific reason not to use GPLv3+ instead of v2?

VLAN friendly BPF

I wasn't able to log 802.1q tagged packets until I updated the packet filter:

--- a/src/passivedns.c
+++ b/src/passivedns.c
@@ -1066,7 +1066,7 @@ int main(int argc, char *argv[])
     config.inpacket = config.intr_flag = 0;
     config.dnslastchk = 0;
     //char *pconfile;
-#define BPFF "port 53"
+#define BPFF "(vlan and port 53) or (not vlan and port 53)"
     config.bpff = BPFF;
     config.logfile = "/var/log/passivedns.log";
     config.logfile_nxd = "/var/log/passivedns.log";
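Review bot: before this becomes the compiled-in default, check the ordering caveat in pcap-filter(7): the first `vlan` keyword changes the decoding offsets for the remainder of the expression, so in `(vlan and port 53) or (not vlan and port 53)` the second `port 53` may be evaluated at VLAN-shifted offsets on untagged frames; `port 53 or (vlan and port 53)` puts the untagged test first and avoids that. Whichever form is kept, it should be tested against one tagged and one untagged capture, and the usage text should be updated to match (the "Change help" issue on this page already notes that the help string and the `#define` disagree).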

Reopening of files when printing records

In the functions print_passet() and print_passet_err() the log files are constantly opened and closed when writing new records.

A much more efficient way would be to open the file handles once and keep using that for writing the log records. Maybe the global config object could be used for that.

Also a SIGHUP handler would be nice to have so passivedns can be signaled for closing and re-opening of the log files. (for log rotation purposes)

change needed to src/Makefile.am to complete install on Ubuntu 15.04

Following the install instructions when I get here autoreconf --install I get the following:

~/passivedns# autoreconf --install
configure.ac:6: installing './compile'
configure.ac:211: installing './config.guess'
configure.ac:211: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
src/Makefile.am:12: warning: deprecated feature: target 'passivedns' overrides 'passivedns$(EXEEXT)'
src/Makefile.am:12: change your target to read 'passivedns$(EXEEXT)'
/usr/share/automake-1.14/am/program.am: target 'passivedns$(EXEEXT)' was defined here
src/Makefile.am:5:   while processing program 'passivedns'
src/Makefile.am: installing './depcomp'

I followed the output and made this change to src/Makefile.am on line 12, replacing passivedns with passivedns$(EXEEXT), and then autoreconf --install completed without issue.

Fragmented IP

Does passivedns support fragmented IP packets? Or what else fishy is going on here?

It seems they don't get handled too well, e.g.
dig -t tlsa _443._tcp.www.dougbarton.us +dnssec @8.26.56.26
doesn't get parsed properly. Wireshark says more fragments flag is set.

However this does get parsed properly (note: same query different DNS server, different answer)
dig -t tlsa _443._tcp.www.dougbarton.us +dnssec @8.8.8.8
the size of the packet is much smaller due to the omission of the additional section.
(436 instead of 1476 bytes)

Potential deadlock?

Not quite sure what this issue is, so I'm going to describe it with what I have now, and if you have anything more I should check I can gladly do that.

After running for a while, I see that a lot of my passivedns installations stop. Well, the application has not quit, but it gives no output to the passivedns.log file. There was disk space, DNS traffic on the wire, but no output to the log.

Version:
[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål [email protected]
[*] Using libpcap version 1.5.3
[*] Using ldns version 1.6.17

OS: CentOS release 6.7 (Final), 3.10.90-1.

Running strace just gave this output, and it did nothing after that, just standing there.

strace -p `pidof passivedns`
Process 10859 attached
futex(0x30a5b8fe80, FUTEX_WAIT, 2, NULL

Add to log - proto

Adding if it is TCP or UDP based
Could be useful if it is needed to do some stats/detection

Plugin output

I would like to have your opinion on a new feature. Do you think you could agree to add a plugin system to handle output of passivedns?

There is a new similar system in dnscap. In command line, you can pass plugins (.so) with -P argument. A plugin is a dynamic library. Each plugin can implement functions:

void <plugin_name>_usage();
void <plugin_name>_getopt(int *argc, char **argv[]);
void <plugin_name>_start();
void <plugin_name>_stop();

and must implement an output function:

void <plugin_name>_output(pdns_record *l, pdns_asset *p, ldns_rr *rr, ldns_rdf *lname, uint16_t rcode);

With this system, we can implement some outputs like a massive inject in a database with better performance than parsing log file.

Do you think you can integrate a patch with this feature?

add to roadmap - Statistics interrupt

kill -USR1 pidnum

should call print_pdns_stats()

probably would have to write to a log file and be read there, but if it went to standard out that would be nice.

Invalid CLASS reported for repeated rr_type + answers

If DNS responses for the same answer value and record type have different CLASS values, the first CLASS value seen will be reproduced for all subsequent occurrences of that (rr_type, answer) pair. In high-volume environments, we have observed this behavior incorrectly reporting CLASS values for later DNS responses.

Example (timestamps replaced, IP addresses omitted):

1111111111.000000||XXX.XXX.XXX.XXX||XXX.XXX.XXX.XXX||32769||.||NS||j.root-servers.net.||518400||1
1111111112.000000||XXX.XXX.XXX.XXX||XXX.XXX.XXX.XXX||32769||.||NS||j.root-servers.net.||518400||1
1111111113.000000||XXX.XXX.XXX.XXX||XXX.XXX.XXX.XXX||32769||.||NS||j.root-servers.net.||518400||1
1111111114.000000||XXX.XXX.XXX.XXX||XXX.XXX.XXX.XXX||32769||.||NS||j.root-servers.net.||518400||1

The above data was generated from packet capture where only the first response at time 1111111111.000000 had CLASS 32769, and all subsequent responses had class IN.

Simply updating the CLASS value for a given (rr_type, answer) pair is likely to be the simplest solution, however this would break cache timing for (rr_type, answer) pairs with legitimately different CLASS values. Based on the DNS spec, records with different CLASS values are actually different records. They should probably be tracked entirely separately.
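To make the cache-key point concrete, here is an added example (not passivedns code and not the issue author's) that models the in-memory aggregation in Python with the CLASS either left out of the asset key, which reproduces the reported output, or included in it, which tracks each CLASS as its own record. The four responses are constructed to mirror the issue's example; the class names, field layout and `AssetCache` API are assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed responses mirroring the issue's example: the same owner, type and
# rdata four times, the first with CLASS 32769 and the rest with CLASS IN (1).
# Fields: (timestamp, rr_class, owner, rr_type, answer, ttl)
RESPONSES = [
    (1111111111.0, 32769, ".", "NS", "j.root-servers.net.", 518400),
    (1111111112.0, 1, ".", "NS", "j.root-servers.net.", 518400),
    (1111111113.0, 1, ".", "NS", "j.root-servers.net.", 518400),
    (1111111114.0, 1, ".", "NS", "j.root-servers.net.", 518400),
]

CLASS_NAMES = {1: "IN", 3: "CH", 4: "HS"}


def class_name(rr_class):
    """Known classes by mnemonic, unknown ones numerically, as the log above does."""
    return CLASS_NAMES.get(rr_class, str(rr_class))


@dataclass
class Asset:
    rr_class: int
    rr_type: str
    answer: str
    ttl: int
    first_seen: float
    last_seen: float
    count: int = 1


class AssetCache:
    """In-memory aggregation of answers per owner name.

    key_includes_class=False reproduces the reported behaviour: the key is
    (owner, rr_type, answer), so the first CLASS seen sticks to the asset.
    key_includes_class=True gives every CLASS its own asset, which is what the
    DNS specification implies since the CLASS is part of the record identity."""

    def __init__(self, key_includes_class):
        self.key_includes_class = key_includes_class
        self.assets = {}

    def _key(self, owner, rr_class, rr_type, answer):
        if self.key_includes_class:
            return (owner, rr_class, rr_type, answer)
        return (owner, rr_type, answer)

    def observe(self, ts, rr_class, owner, rr_type, answer, ttl):
        key = self._key(owner, rr_class, rr_type, answer)
        asset = self.assets.get(key)
        if asset is None:
            asset = Asset(rr_class, rr_type, answer, ttl, ts, ts)
            self.assets[key] = asset
        else:
            # Only timing and count are refreshed; rr_class is never rewritten,
            # so a stale class is reported for every later hit on this key.
            asset.last_seen = ts
            asset.count += 1
        return asset


def replay(responses, key_includes_class):
    """Feed responses through a cache; return the CLASS each one is logged with."""
    cache = AssetCache(key_includes_class)
    logged = []
    for ts, rr_class, owner, rr_type, answer, ttl in responses:
        asset = cache.observe(ts, rr_class, owner, rr_type, answer, ttl)
        logged.append(class_name(asset.rr_class))
    return logged, cache


if __name__ == "__main__":
    for flag in (False, True):
        classes, cache = replay(RESPONSES, flag)
        print("class in key:", flag, "->", classes,
              "assets:", [(a.rr_class, a.count) for a in cache.assets.values()])
```

With the class left out of the key, all four lines report 32769 even though three of the responses were IN; with the class in the key, the IN responses aggregate into their own asset (count 3) and the 32769 response stays a separate asset (count 1), so neither the reported class nor the cache timing of the other is disturbed.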

Add to doc for search-pdns.pl

Ran into a small issue that I think is worth noting when running search-pdns.pl

missing module 'Date::Simple', easy fix: apt-get install libdate-simple-perl

I encountered this when running it on latest Ubuntu: 11.10.

Thanks for the good work, love the tool.

segfault on NXDOMAIN/SERVFAIL responses on CentOS 7

This appears to be a regression. A binary compiled on November 25 does not crash.

Encountered on a test CentOS 7 DNS server. Valid queries are recorded in /var/log/passivedns.log, but NXDOMAIN and SERVFAIL cause passivedns freshly compiled from git HEAD with default options to crash.

(gdb) run -P 5 -u 990 -g 990 -i eth0 -T /var/empty -X 46CPxsr
Starting program: /usr/local/bin/passivedns -P 5 -u 990 -g 990 -i eth0 -T /var/empty -X 46CPxsr

[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål [email protected]
[*] Using libpcap version 1.5.3
[*] Using ldns version 1.6.16
[*] Device: eth0
[*] Chrooting to dir '/var/empty'..
[*] Dropping privs...
[*] Sniffing...

Program received signal SIGSEGV, Segmentation fault.
0x0000000000405922 in print_passet ()
(gdb) backtrace
#0 0x0000000000405922 in print_passet ()
#1 0x00000000004072a1 in cache_dns_objects ()
#2 0x0000000000407bb8 in dns_parser ()
#3 0x0000000000404f12 in got_packet ()
#4 0x00007ffff7ba299e in pcap_handle_packet_mmap (handle=handle@entry=0x695250,
    callback=callback@entry=0x404b10 <got_packet>, user=user@entry=0x0, frame=frame@entry=0x7ffff6b36000 "\001",
    tp_len=<optimized out>, tp_mac=<optimized out>, tp_snaplen=126, tp_sec=1453346274, tp_usec=471686,
    tp_vlan_tci_valid=0, tp_vlan_tci=0) at ./pcap-linux.c:4361
#5 0x00007ffff7ba6ae1 in pcap_read_linux_mmap_v2 (handle=0x695250, max_packets=-1, callback=0x404b10 <got_packet>,
    user=0x0) at ./pcap-linux.c:4463
#6 0x00007ffff7bab19d in pcap_loop (p=0x695250, cnt=-1, callback=0x404b10 <got_packet>, user=0x0) at ./pcap.c:862
#7 0x0000000000402683 in main ()

(tcpdump sample)

21:19:46.276349 IP (tos 0x0, ttl 63, id 16935, offset 0, flags [none], proto UDP (17), length 131)
137.22.198.40.domain > 137.22.1.38.41158: [udp sum ok] 49202 NXDomain* q: A? ww424.google.com.carleton.edu. 0/1/0 ns: carleton.edu. [1h] SOA ns.carleton.edu. nic-tech-contact.carleton.edu. 1453345202 1500 600 1209600 7200 (103)
21:19:46.276645 IP (tos 0x0, ttl 64, id 15894, offset 0, flags [none], proto UDP (17), length 79)
137.22.1.38.56286 > 137.22.198.40.domain: [bad udp cksum 0xd9c7 -> 0x861a!] 6205+ A? ww424.google.com.ads.carleton.edu. (51)
21:19:46.276859 IP (tos 0x0, ttl 63, id 16936, offset 0, flags [none], proto UDP (17), length 79)
137.22.198.40.domain > 137.22.1.38.56286: [udp sum ok] 6205 ServFail q: A? ww424.google.com.ads.carleton.edu. 0/0/0 (51)

TXT, MX, SRV, SOA records not logged

I am running passivedns -f SMcsCQTAtn -C 5 -P 5 -X 46CPxsr

For TXT/MX/SRV/SOA lookups, I am only seeing logs for error responses: NXDOMAIN, REFUSED.

A/AAAA/CNAME/PTR are logging just fine.

Problem with big pcap file

Hi,
First of all, I'd like to thank you for sharing passivedns with us. It is, without any doubt, an amazing work. I received a pcap file (all DNS) and I cannot use your tool to open it. Here is the output:

-- Total DNS records allocated : 0
-- Total DNS assets allocated : 0
-- Total DNS packets over IPv4/TCP : 0
-- Total DNS packets over IPv6/TCP : 0
-- Total DNS packets over TCP decoded : 0
-- Total DNS packets over TCP failed : 0
-- Total DNS packets over IPv4/UDP : 0
-- Total DNS packets over IPv6/UDP : 0
-- Total DNS packets over UDP decoded : 0
-- Total DNS packets over UDP failed : 0
-- Total packets received from libpcap : 0
-- Total Ethernet packets received : 0
-- Total VLAN packets received : 0

I can use tshark, tcpdump to open the file but I can not use passivedns for some reasons.
I'd highly appreciate it if you could consider my request asap.

Timestamp: Unixtime and Microseconds...

With version 1.0, the time format is: unixtime.microseconds

The fields in passivedns v1.0 should be looked upon as two separate fields, not like one complete number.

If you look at it as one number, say:

  • 1289764162.84338 # passivedns timestamp in two fields
    This would be the equivalent to
  • 1289764162.084338 # timestamp as one number

So if you compare the two timestamps directly, there will be a 0.759042 second difference!

So what would people think should be the normal behaviour here. Should we pad the usec with zeros? Change the delimiter for the passivedns timestamp from "." to ":" or even "||"?

Suggestions with arguments accepted here, and I'll update this for the next release.

Change help

Help says default bpf is "udp and port 53", code says it is "port 53"

can't make in debian

make
Making all in src
make[1]: Entering directory `/root/passivedns/src'
gcc -O3 -c passivedns.c -o passivedns.o
gcc -O3 -c dns.c -o dns.o
dns.c: In function 'cache_dns_objects':
dns.c:361: error: 'LDNS_RR_TYPE_NSEC3PARAM' undeclared (first use in this function)
dns.c:361: error: (Each undeclared identifier is reported only once
dns.c:361: error: for each function it appears in.)
dns.c: In function 'print_passet':
dns.c:748: error: 'LDNS_RR_TYPE_NSEC3PARAM' undeclared (first use in this function)
make[1]: *** [dns.o] Error 1
make[1]: Leaving directory `/root/passivedns/src'
make: *** [all-recursive] Error 1

any idea?

tkx

cosmetic: exit cleanly when unable to read pcap rather than segfault

Rather than litter the filesystem with core files, here's a simple patch that will exit cleanly when the capture device/file can not be read:

--- passivedns.c.orig   2012-05-02 17:29:22.000000000 +0000
+++ passivedns.c        2012-05-02 17:30:12.000000000 +0000
@@ -1142,6 +1142,11 @@

     }

+    if (config.handle == NULL) {
+       game_over();
+       return (1);
+    }
+
     /** segfaults on empty pcap! */
     if ((pcap_compile(config.handle, &config.cfilter, config.bpff, 1, config.net_mask)) == -1) {
             olog("[*] Error pcap_compile user_filter: %s\n", pcap_geterr(config.handle));
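Review bot: the new check only has a defined result if `config.handle` is guaranteed to be NULL when neither the live nor the offline open succeeded; if the failing open path leaves the field unset, the comparison reads an indeterminate value, so confirm it is zeroed during config setup. The exit is also silent: an `olog()` of the pcap error before `game_over()` would tell the operator why the process stopped, and `game_over()` itself must tolerate a NULL handle if it closes the capture on its way out.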

DLT_LINUX_SLL (aka cooked socket) function does not work on OpenVZ

When running on an OpenVZ container, passivedns fails:

# passivedns -i venet0

[*] PassiveDNS 1.1.3
[*] By Edward Bjarte Fjellskål <[email protected]>
[*] Using libpcap version 0.9.4
[*] Using ldns version 1.6.16
[*] Device: venet0
[*] Error errbuf: arptype 65535 not supported by libpcap - falling back to cooked socket

# echo $?
1

I have a minor patch that will be submitted via PR shortly.

Add to doc

The How-it-works.txt describes handling of vlan.
Add the fact that the way it handles it, is by checking the traffic inside them.

I was not sure when reading the doc, so i quickly checked the source.

add support for multiple interface

Can you add an option to listen on multiple interfaces? In some cases, the DNS server uses one interface for incoming and another interface for outgoing.

chain of CNAMEs not logged correctly

An example case:

$ dig test.stage.cs1.force.com.

; <<>> DiG 9.8.1-P1 <<>> test.stage.cs1.force.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1022
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.stage.cs1.force.com.      IN      A

;; ANSWER SECTION:
test.stage.cs1.force.com. 300   IN      CNAME   cs1.force.com.
cs1.force.com.          300     IN      CNAME   cs1-sjl.force.com.
cs1-sjl.force.com.      300     IN      CNAME   cs1-sjl.g.force.com.
cs1-sjl.g.force.com.    115     IN      A       204.14.234.124
cs1-sjl.g.force.com.    115     IN      A       204.14.235.27

;; Query time: 83 msec
;; SERVER: x.x.x.x#53(x.x.x.x)
;; WHEN: Thu Feb 28 15:09:58 2013
;; MSG SIZE  rcvd: 134

What passivedns logs:

1362092919.578449||y.y.y.y||z.z.z.z||IN||test.stage.cs1.force.com.||CNAME||cs1.force.com.||65||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||test.stage.cs1.force.com.||CNAME||cs1-sjl.force.com.||65||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||test.stage.cs1.force.com.||CNAME||cs1-sjl.g.force.com.||65||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||test.stage.cs1.force.com.||A||204.14.234.124||120||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||test.stage.cs1.force.com.||A||204.14.235.27||120||1

What I think passivedns should log

1362092919.578449||y.y.y.y||z.z.z.z||IN||test.stage.cs1.force.com.||CNAME||cs1.force.com.||65||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||cs1.force.com.||CNAME||cs1-sjl.force.com.||65||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||cs1-sjl.force.com.||CNAME||cs1-sjl.g.force.com.||65||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||cs1-sjl.g.force.com.||A||204.14.234.124||120||1
1362092919.578449||y.y.y.y||z.z.z.z||IN||cs1-sjl.g.force.com.||A||204.14.235.27||120||1

Add to roadmap - Rarely used stuff

Add detection/warning on rarely used/obsoleted stuff:
HINFO/MINFO/WKS/* RR types
Classes other than IN
Dynamic DNS updates à la RFC2136

Caching behaviour

Not sure this is an issue or working as designed.

However, it seems that we miss many of the client IP queries/logs because we enabled cache. To reduce bandwidth used for logs we very much want to keep cache enabled though.

We see our DNS resolver's query for "bad domain" to the Internet but we don't see the IP generating it. In many cases at least. When disabling cache it shows up.

Is that working as designed, regarding cache?

Running with below:
/usr/sbin/passivedns -i eth0 -X 46CDNPRSxs -P 3600 -y -Y -D -p /var/run/passivedns.pid

/usr/sbin/passivedns -V

[*] PassiveDNS 1.1.3
[*] By Edward Bjarte Fjellskål [email protected]
[*] Using libpcap version 1.4.0
[*] Using ldns version 1.6.17

Passivedns processing mirrored traffic

Issue: dns requests contained within mirrored traffic sent to host running passivedns are not showing up with passivedns log

following setup

tomato router (192.168.1.1) with iptables rules for a particular host (192.168.1.124) on my network to mirror all traffic to a raspberry pi (192.168.1.128). raspberry pi is running passivedns listening on eth0

TCPDUMP Output on raspberry pi from "wget bearsalive.com" run on my 192.168.1.124 host
02:22:04.608185 IP 192.168.1.124.46413 > 8.8.8.8.53: 55093+ A? bearalive.com. (31)

However there is no entry made to the /var/log/passivedns.log file

Can't get pdns2db.pl to alert on queries for static domains in a blacklist file

I'm running passivedns 0.3.1 from github on my Ubuntu 10.04 server (64 bit) and I can't get pdns2db.pl to alert on dns queries that are for static domains in a blacklist file.

Here is what I did:

root@host:~# passivedns -i eth0 -D
[*] Running passivedns 0.3.1
[*] Using libpcap version 1.0.0
[*] Device: eth0
[*] Daemonizing...

root@host:~# pdns2db.pl --alertlog /tmp/alert.log --blacklist /tmp/suspiciousdomains_High.txt --daemon
[*] Starting pdns2db.pl
[*] Daemonizing...

I picked a random suspicious domain from /tmp/suspiciousdomains_High.txt (www.alzexa.com) and tried to ping it to generate a pdns db record and hopefully an alert record in /tmp/alert.log. The DNS lookup was successful, and a record made it to the db:

root@host:~# search-pdns.pl -s "www.alzexa.com"
=== PassiveDNS ===

   FirstSeen     |       LastSeen       |  TYPE |  TTL   |               Query                |  Answer

2012-02-06 18:31:40 | 2012-02-06 18:31:40 | CNAME | 3600 | www.alzexa.com | alzexa.com
2012-02-06 18:31:40 | 2012-02-06 18:31:40 | A | 3600 | www.alzexa.com | 174.36.237.98
Displayed 2 (sql limit: 100)

However, nothing was written to /tmp/alert.log

I confirmed that this static domain is in the blacklist, and it is:

root@host:~# grep "www.alzexa.com" /tmp/suspiciousdomains_High.txt
www.alzexa.com

I redid this process with verbosity and logging turned on in pdns2db.pl, and "[D] www.alzexa.com" showed up in the list of static domains loaded at script start time.

And when I checked /var/log/passivedns-run.log for the debug log it seems to think that www.alzexa.com doesn't match

[D] No static match on domain: www.alzexa.com or alzexa.com
[D] No pcre match on domain: www.alzexa.com or alzexa.com
[D] No static match on domain: www.alzexa.com or alzexa.com
[D] No pcre match on domain: www.alzexa.com or alzexa.com
[D] No static match on domain: www.alzexa.com or alzexa.com
[D] No pcre match on domain: www.alzexa.com or alzexa.com
[D]
INSERT INTO pdns (
QUERY,RR,MAPTYPE,ANSWER,TTL,LAST_SEEN,FIRST_SEEN
) VALUES (
'www.alzexa.com','IN','CNAME','alzexa.com','3600',FROM_UNIXTIME(1328571100),FROM_UNIXTIME(1328571100)
) ON DUPLICATE KEY UPDATE LAST_SEEN=FROM_UNIXTIME(1328571100), TTL = '3600'

[D] No static match on domain: www.alzexa.com or 174.36.237.98
[D] No pcre match on domain: www.alzexa.com or 174.36.237.98
[D] No static match on domain: www.alzexa.com or 174.36.237.98
[D] No pcre match on domain: www.alzexa.com or 174.36.237.98
[D] No static match on domain: www.alzexa.com or 174.36.237.98
[D] No pcre match on domain: www.alzexa.com or 174.36.237.98
[D]
INSERT INTO pdns (
QUERY,RR,MAPTYPE,ANSWER,TTL,LAST_SEEN,FIRST_SEEN
) VALUES (
'www.alzexa.com','IN','A','174.36.237.98','3600',FROM_UNIXTIME(1328571100),FROM_UNIXTIME(1328571100)
) ON DUPLICATE KEY UPDATE LAST_SEEN=FROM_UNIXTIME(1328571100), TTL = '3600'

Is there something else I should try next?

Priority/port fields on MX, SRV records

Only the hostname component of MX and SRV records is logged. Example of a SRV:

_sip._udp.prod.ringto.bwapp.bwsip.io. 163 IN SRV 5 50 9060 registrar01.registration.bandwidth.com.

Quoted TXT records like Gmail.com (or anywhere with SPFv1) do get logged in their entirety.

Change default BPF

Change default BPF to '(udp and port 53) or (tcp and port 53)' since it handles udp and tcp

ldns headers not found

Hi,
I am trying to update my existing passivedns. While recompiling i get following error.
checking for ldns/ldns.h... no
-e
ERROR! ldns headers not found

Although I have all dependencies installed

bash-3.2$ brew install autoconf ldns jansson
Warning: autoconf-2.69 already installed
Warning: ldns-1.6.17_1 already installed
Warning: jansson-2.7 already installed

I pulled the latest update already but it still causes the error.

I am using OSX 10.11.2 El Capitan.

Thanks

97% Total DNS packets over UDP failed

Hey there,

I've got a problem while using passivedns. About 97% DNS packets are marked as "failed" in statistics.

I compiled pdns with DEBUG and found that it comes from ldns: [dns.c:94(dns_parser)] [D] ldns_wire2pkt status: 48.

What's wrong with my traffic and is it possible to solve?

Appreciate any help

Thanks!

Add support for DNS request (only) logging

From using passivedns, I can see that if there are only requests, it wouldn't log anything. I would really like to see it log them. Adding a flag for query logging would be nice:
./passivedns -q /var/log/passivedns-failed-query.log

I hope the existing setup of caching the requests and responses could be extended to allow for requests to be logged only when there is no response seen. A small timeout would suffice I think. Let me be clear: DNS requests that have not gotten answers are what I am interested in logging.

This is an important feature I believe is missing. I can also imagine it being very useful for DNS debugging.

Add License Please

Could you add your license to this project. We'd like to include this in the SIFT workstation.

Preferably MIT, Apache, or BSD license.

Parts of the code were copied without permission.

It seems as if you have used code from a project of mine without permission or giving credits.

The project in which a portion of your code is derived is here: https://github.com/ellzey/dns-archiver. It's blatantly obvious due to the fact this project retained even my source comments word-for-word.

This is a good example:

https://github.com/gamelinux/passivedns/blob/master/src/dns.c#L319
https://github.com/ellzey/dns-archiver/blob/master/archiver.c#L244

Though I did not apply a license to my project, it does not mean it defaults to no restrictions. According to the Berne Convention, which almost all countries abide by, you are under violation.

If you credit the original project, you have permission :)

Cheers!

Provide complete build-ready release

Would it be possible to provide build-ready releases of passivedns? By this I mean distributed ready for build, with the configure script present and the build being possible as common with typical Unix software:

./configure
make
make install

It would be nice to see an end to dependencies like autoconf and automake for building passivedns, which is itself a very lightweight piece of software and should be quick to deploy anywhere. Portability on some platforms like OpenBSD or on some embedded systems where running the collector makes sense (routers/firewalls) is made more complicated by additional dependencies. Also for producing ports/packages for new platforms and/or deploying via SCM (Puppet, Salt, Ansible, etc.) a simplified build process will help greatly.

Thinking it would simplify the INSTALL document also as the process would be simplified and consistent on every platform once ldns is installed. (And if the build is simplified, this will encourage creation of packages for more systems and the package will simply be available in your choice of distribution's repositories).

microseconds in log timestamps are not zero padded

For example, instead of

1329575805.000123||100.240.60.160||80.160.30.30||IN||sadf.googles.com.||A||NXDOMAIN||0||1

we get

1329575805.123||100.240.60.160||80.160.30.30||IN||sadf.googles.com.||A||NXDOMAIN||0||1

which is confusing.

easy fix though:

diff --git a/src/dns.c b/src/dns.c
index 2b9d72e..e307168 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -541,7 +541,7 @@ void print_passet_err (pdns_record *l, ldns_rdf *lname, ldns_rr *rr, uint16_t rc
     /* example output:
      * 1329575805.123456||100.240.60.160||80.160.30.30||IN||sadf.googles.com.||A||NXDOMAIN||0||1
      */
-    fprintf(fd,"%lu.%lu||%s||%s||",l->last_seen.tv_sec, l->last_seen.tv_usec, ip_addr_c, ip_addr_s);
+    fprintf(fd,"%lu.%06lu||%s||%s||",l->last_seen.tv_sec, l->last_seen.tv_usec, ip_addr_c, ip_addr_s);

     switch (ldns_rr_get_class(rr)) {
         case LDNS_RR_CLASS_IN:
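Review bot: `%06lu` gives the fixed six digits that the example comment directly above the call already promises, so print_passet_err() finally matches its own documentation. One nit in the same line: `tv_usec` is a `suseconds_t`, which is signed, so `%06ld` is the strictly matching conversion; `%lu` is inherited from the old line and works on the platforms this runs on, but it is worth correcting while the line is being touched.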
@@ -675,7 +675,7 @@ void print_passet (pdns_asset *p, pdns_record *l) {

     u_ntop(p->sip, p->af, ip_addr_s);
     u_ntop(p->cip, p->af, ip_addr_c);
-    fprintf(fd,"%lu.%lu||%s||%s||",p->last_seen.tv_sec, p->last_seen.tv_usec, ip_addr_c, ip_addr_s);
+    fprintf(fd,"%lu.%06lu||%s||%s||",p->last_seen.tv_sec, p->last_seen.tv_usec, ip_addr_c, ip_addr_s);

     switch (ldns_rr_get_class(p->rr)) {
         case LDNS_RR_CLASS_IN:
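Review bot: the same one-character fix duplicated in print_passet(); that both sites needed it is a hint to pull the `timestamp||client||server||` prefix into one small helper shared by print_passet() and print_passet_err(), so the two log formats cannot drift apart again (the "Reopening of files when printing records" issue on this page touches the same two functions and would benefit from the same consolidation).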
