DNSWatch - DNS Traffic Sniffer and Analyzer

DNSWatch is a powerful packet sniffing tool designed to monitor and analyze DNS (Domain Name System) traffic on a network. This script provides a comprehensive set of features to help users understand and manage DNS activity efficiently. Whether you're a network administrator, cybersecurity professional, or a curious enthusiast, DNSWatch empowers you to gain insights into DNS requests, detect anomalies, and enhance network security.

Features

DNS Packet Sniffing: The script can sniff DNS packets on the network interface specified by the user.
Verbose Output: It provides detailed output if the user enables the verbose mode
Target IP Analysis: Users can specify a target IP address to analyze DNS responses
DNS Type Analysis: Users can analyze different types of DNS requests.
DNS over HTTPS (DoH): Users can enable DNS resolution using DNS over HTTPS.
Target Domain Monitoring: Users can specify a list of target domains to monitor.
Port Filtering: It supports filtering by source or destination port.
IP Filtering: Users can filter packets by source or destination IP address.
DNS Type Filtering: allows users to filter packets by DNS type.
PCAP File Saving: Users can save captured packets to a PCAP file.
DNS Firewall Mode: The DNS firewall mode for detecting DNS spoofing attempts.
Threshold Setting: Users can set the threshold for the number of DNS queries .
Window Size Configuration: Allows users to configure the window size (in seconds) for monitoring.
Version Information: Users can check the version of the script.

Requirements

Python 3.7+
scapy 2.4.5 or higher
colorama 0.4.4 or higher

Installation

Clone this repository:

git clone https://github.com/HalilDeniz/DNSWatch.git

Install the required dependencies:

pip install -r requirements.txt

Usage

$ python3 dnswatch.py [-h] [-i INTERFACE] [-v] [-t TARGET_IP] [-d] [--doh] [-D TARGET_DOMAINS [TARGET_DOMAINS ...]] [-p FILTER_PORT] [-s FILTER_SRC_IP] [-r FILTER_DST_IP] [--dns-type DNS_TYPE] [--pcap-file PCAP_FILE] [--firewall] [--threshold THRESHOLD] [--window-size WINDOW_SIZE] [--version]```

-i, --interface: Used to specify the network interface to listen on. For example: -i eth0
-v, --verbose: Use this flag to get detailed output.
-t, --target-ip: Used to specify a specific IP address to monitor. For example: -t 8.8.8.8
-d, --analyze-dns-type: Use this flag to analyze DNS types.
--doh: Use DNS over HTTPS (DoH) for DNS resolution.
-D, --target-domains: Used to specify the target domains to monitor. Accepts a space-separated list of multiple domain names. For example: -D example.com example.org
-p, --filter-port: Use this flag followed by a port number to filter by a specific port. For example: -p 53
-s, --filter-src-ip: Use this flag to filter by a specific source IP address. For example: -s 192.168.1.1
-r, --filter-dst-ip: Use this flag to filter by a specific destination IP address. For example: -r 8.8.4.4
--dns-type: Use this flag followed by a DNS type to filter by a specific DNS type. For example: --dns-type 1 (for type A)
--pcap-file: Use this flag to save captured packets to a PCAP file. For example: --pcap-file captured_packets.pcap
--firewall: Enable DNS firewall mode.
--threshold: Use this flag to set the threshold for the number of DNS queries. For example: --threshold 50
--window-size: Use this flag to set the window size (in seconds). For example: --window-size 60
--version: Use this flag to display the program's version number.

Press Ctrl+C to stop the sniffing process.

Examples

Usage Examples:

Basic DNS Traffic Monitoring:
```
$ python dnswatch.py
```
This command starts DNSWatch to monitor DNS traffic on the default network interface.
Monitor DNS Traffic on a Specific Interface:
```
$ python dnswatch.py -i eth0
```
Use the -i flag followed by the interface name to specify the network interface for monitoring DNS traffic.
Analyze DNS Responses for a Target IP:
```
$ python dnswatch.py -t 192.168.1.1
```
Specify a target IP address using the -t flag to analyze DNS responses for a specific IP address.
Resolve DNS Using DNS over HTTPS (DoH):
```
$ python dnswatch.py --doh
```
Enable DNS resolution using DNS over HTTPS (DoH) to resolve DNS queries securely.
Filter DNS Traffic by Port:
```
$ python dnswatch.py -p 53
```
Use the -p flag followed by the port number to filter DNS traffic by source or destination port.
Filter DNS Traffic by Source IP Address:
```
$ python dnswatch.py -s 192.168.1.100
```
Specify a source IP address using the -s flag to filter DNS traffic by the source IP address.
Filter DNS Traffic by Destination IP Address:
```
$ python dnswatch.py -r 8.8.8.8
```
Use the -r flag followed by the destination IP address to filter DNS traffic by the destination IP address.
Save Captured Packets to a PCAP File:
```
$ python dnswatch.py --pcap-file dns_traffic.pcap
```
Specify the --pcap-file flag followed by the file name to save captured DNS packets to a PCAP file for offline analysis.
Enable DNS Firewall Mode:
```
$ python dnswatch.py --firewall
```
Use the --firewall flag to enable DNS firewall mode for detecting and alerting on suspicious DNS spoofing attempts.
Customize Threshold and Window Size for DNS Firewall:
```
$ python dnswatch.py --firewall --threshold 100 --window-size 120
```
Customize the threshold and window size for DNS firewall mode using the --threshold and --window-size flags, respectively.

License

DNSWatch is licensed under the MIT License. See the LICENSE file for details.

Disclaimer

This tool is intended for educational and testing purposes only. It should not be used for any malicious activities.

Contact

Email : [email protected]
Linkedin : https://www.linkedin.com/in/halil-ibrahim-deniz/
TryHackMe: https://tryhackme.com/p/halilovic
Instagram: https://www.instagram.com/deniz.halil333/
YouTube : https://www.youtube.com/c/HalilDeniz
Mysite : https://denizhalil.com/

💰 You can help me by Donating

Thank you for considering supporting me! Your support enables me to dedicate more time and effort to creating useful tools like DNSWatch and developing new projects. By contributing, you're not only helping me improve existing tools but also inspiring new ideas and innovations. Your support plays a vital role in the growth of this project and future endeavors. Together, let's continue building and learning. Thank you!"

several issues preventing for running

Hi,
I tried but no success

1/ I run the git command
2/ I run the pip command (pip install -r requirements.txt)
hum a cd command to DNSWatch subdirectory is mandatory before 2/
t
hen
severals caracters found in comments prevent from running
examples:

 File "dnswatch.py", line 19
SyntaxError: Non-ASCII character '\xc4' in file dnswatch.py on line 19, but no encoding declared; see http://python.org/dev/peps/pep-0263/ for details

I delete theses words/caracters

then syntax errors:only comments are hitted,
one example, but there are many

 File "dnswatch.py", line 31
    print(f"{Fore.RED}[!] Error resolving DNS over HTTPS: {e}{Style.RESET_ALL}")
                                                                              ^
SyntaxError: invalid syntax

may be it is printf( and not only print( as I dont' know I just deleted the f caracter

same for write command

 File "dnswatch.py", line 78
    file.write(f"DNS Request  from {dns_src_ip} to {dns_dest_ip} at {timestamp}: {dns_request} (Type: {dns_type})\n")
                                                                                                                   ^
SyntaxError: invalid syntax

f has been deleted

at the end:
the pip was succeded and the directory added to PATH

$ pip install -r requirements.txt 
Looking in indexes: https://pypi.org/simple, https://www.piwheels.org/simple
Collecting scapy (from -r requirements.txt (line 1))
  Downloading https://www.piwheels.org/simple/scapy/scapy-2.5.0-py2.py3-none-any.whl (1.4MB)
    100% |████████████████████████████████| 1.5MB 250kB/s 
Requirement already satisfied: argparse in /usr/lib/python2.7 (from -r requirements.txt (line 2)) (1.2.1)
Installing collected packages: scapy
  The script scapy is installed in '/home/pi/.local/bin' which is not on PATH.
  Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed scapy-2.5.0

echo $PATH is Ok following a export PATH=$PATH:/home/pi/.local/bin
scapy is there:

$ pip list | grep scapy
scapy             2.5.0

however it doesn't work

$ sudo python dnswatch.py -i eth0 -k 192.168.6.191 -o dns_results.txt
Traceback (most recent call last):
  File "dnswatch.py", line 6, in <module>
    from scapy.all import *
ImportError: No module named scapy.all

many thanks for your help

halildeniz / dnswatch Goto Github PK

dnswatch's Introduction

DNSWatch - DNS Traffic Sniffer and Analyzer

Features

Requirements

Installation

Usage

Examples

License

Disclaimer

Contact

💰 You can help me by Donating

dnswatch's People

Contributors

Stargazers

Watchers

Forkers

dnswatch's Issues

Recommend Projects

Recommend Topics

Recommend Org