/*
** This file is a part of PassiveDNS.
**
** Copyright (C) 2010-2013, Edward Fjellskål <edwardfjellskaal@gmail.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
**
*/
#ifndef DNS_H
#define DNS_H
#include <ldns/ldns.h>
/* Default flags for types to handle.
 * Bit mask selecting which RR types are processed, one bit per type.
 * Note that DNS_CHK_ALL is its own high bit (0x80000000), not the OR of
 * the individual bits below, so a consumer must test it explicitly.
 * Presumably filled in from the command line by parse_dns_flags() -- confirm in dns.c. */
#define DNS_CHK_AAAA 0x00000001
#define DNS_CHK_A 0x00000002
#define DNS_CHK_PTR 0x00000004
#define DNS_CHK_CNAME 0x00000008
#define DNS_CHK_DNAME 0x00000010
#define DNS_CHK_NAPTR 0x00000020
#define DNS_CHK_RP 0x00000040
#define DNS_CHK_SRV 0x00000080
#define DNS_CHK_TXT 0x00000100
#define DNS_CHK_SOA 0x00000200
#define DNS_CHK_MX 0x00000400
#define DNS_CHK_NS 0x00000800
#define DNS_CHK_DNSSEC 0x00001000
#define DNS_CHK_LOC 0x00002000
#define DNS_CHK_SPF 0x00004000
#define DNS_CHK_SSHFP 0x00008000
#define DNS_CHK_HINFO 0x00010000
#define DNS_CHK_ALL 0x80000000
/* Default flags for Server Errors to handle.
 * Bit mask of DNS response codes (named after the RCODE mnemonics of
 * RFC 1035 / RFC 2136) that should be logged. As above, DNS_SE_CHK_ALL
 * is a separate high bit (0x8000) rather than the OR of the others.
 * The values are 16-bit, matching the uint16_t used by pdns_chk_dnsfe(). */
#define DNS_SE_CHK_FORMERR 0x0001
#define DNS_SE_CHK_SERVFAIL 0x0002
#define DNS_SE_CHK_NXDOMAIN 0x0004
#define DNS_SE_CHK_NOTIMPL 0x0008
#define DNS_SE_CHK_REFUSED 0x0010
#define DNS_SE_CHK_YXDOMAIN 0x0020
#define DNS_SE_CHK_YXRRSET 0x0040
#define DNS_SE_CHK_NXRRSET 0x0080
#define DNS_SE_CHK_NOTAUTH 0x0100
#define DNS_SE_CHK_NOTZONE 0x0200
#define DNS_SE_CHK_ALL 0x8000
/* Flag for indicating an NXDOMAIN (stored in pdns_record.nxflag) */
#define DNS_NXDOMAIN 0x01
/* Flags for which fields to print.
 * Bit mask selecting the output columns; presumably filled in by
 * parse_field_flags() -- confirm in dns.c. Bits beyond 0x10000 are unused. */
#define FIELD_TIMESTAMP_S 0x00001
#define FIELD_TIMESTAMP_MS 0x00002
#define FIELD_CLIENT 0x00004
#define FIELD_SERVER 0x00008
#define FIELD_CLASS 0x00010
#define FIELD_QUERY 0x00020
#define FIELD_TYPE 0x00040
#define FIELD_ANSWER 0x00080
#define FIELD_TTL 0x00100
#define FIELD_COUNT 0x00200
#define FIELD_TIMESTAMP_YMDHMS 0x00400
#define FIELD_PROTO 0x00800
#define FIELD_HOSTNAME 0x01000
#define FIELD_QUERY_LEN 0x02000
#define FIELD_ANSWER_LEN 0x04000
#define FIELD_CLT_HWADDR 0x08000
#define FIELD_SRV_HWADDR 0x10000
/* Static values for print_passet().
 * Selectors rather than bit flags: 0 and 1 are distinct values, not masks. */
#define PASSET_ERR_TTL 0
#define PASSET_ERR_COUNT 1
/* Syslog identity string (the ident passed to openlog(), presumably). */
#define PDNS_IDENT "passivedns"
/* JSON fields used when printing PDNS.
 * These key strings are part of the log format consumers parse; renaming
 * one is an output-format change, not a cosmetic one. */
#define JSON_TIMESTAMP "timestamp"
#define JSON_TIMESTAMP_S "timestamp_s"
#define JSON_TIMESTAMP_MS "timestamp_ms"
#define JSON_CLIENT "client"
#define JSON_SERVER "server"
#define JSON_PROTO "proto"
#define JSON_CLASS "class"
#define JSON_QUERY "query"
#define JSON_QUERY_LEN "query_len"
#define JSON_TYPE "type"
#define JSON_ANSWER "answer"
#define JSON_ANSWER_LEN "answer_len"
#define JSON_TTL "ttl"
#define JSON_COUNT "count"
#define JSON_HOSTNAME "hostname"
/* To avoid spamming the logfile with duplicate DNS info
* we only print a DNS record one time each 24H. This way
* you will get a last-seen timestamp update once a day
* at least. If the record changes, it will be classified
* as a new record, and printed. If a record expires and
* it has been updated since last_print time, it will be
* printed again.
* Unit: seconds (compared against the struct timeval fields below).
*/
#define DNSPRINTTIME 86400 /* 24H = 86400 sec */
/* How long we should hold a DNS record in our internal
* cache. It should preferably not be less than DNSPRINTTIME,
* as that will make it possible to get more than one instance
* of the record each day in the logfile. That said, setting
* DNSCACHETIMEOUT to DNSPRINTTIME/2 etc. might help memory
* usage if that is a concern AND you probably will get a better
* granularity on the DNS time stamps in the log file.
* My recommendations are DNSPRINTTIME == 24h and
* DNSCACHETIMEOUT == 12h.
* Unit: seconds. A lower value bounds how long unexpired entries
* stay resident, which is the main memory-pressure knob for the cache.
*/
#define DNSCACHETIMEOUT 43200 /* 12h=43200sec */
/* HASH:
* [DOMAIN_HASH_BUCKET]_
* |__[Q-TYPE_BUCKET]_<--- PTR,MX,A...
* |__[RESPONSE-NAME] <--- FOR PTR is the IPv4/IPv6
* Layout of the cache: buckets of pdns_record (keyed by query name),
* each holding a list of pdns_asset (one per distinct answer).
*/
/* One distinct answer (resource record) observed for a query name.
 * Assets hang off pdns_record.passet as a doubly linked list (next/prev)
 * and are created/destroyed by the delete_dns_asset()/expire_dns_assets()
 * family declared below.
 * NOTE(review): the tag _pdns_asset starts with an underscore, which C11
 * (7.1.3) reserves for the implementation at file scope; renaming it would
 * touch every file that spells out the tag, so it is only noted here.
 */
typedef struct _pdns_asset {
struct timeval first_seen; /* First seen (unix timestamp) */
struct timeval last_seen; /* Last seen (unix timestamp) */
struct timeval last_print; /* Last time asset was printed; compared against DNSPRINTTIME */
struct ldns_struct_rr *rr; /* PTR,MX,TXT,A,AAAA... (ldns RR; ownership not visible here -- check who frees it) */
uint64_t seen; /* Number of times seen */
unsigned char *answer; /* Answer, like 8.8.8.8 or 2001:67c:21e0::16 (NUL-terminated? allocation owner? -- confirm in dns.c) */
uint32_t af; /* IP version (4/6): presumably AF_INET / AF_INET6 -- confirm */
struct in6_addr sip; /* DNS Server IP (v4/6); 16 bytes, IPv4 presumably stored in the first 4 -- confirm against u_ntop() */
u_char smac[6]; /* DNS Server MAC address (raw, 6 bytes, not a string) */
struct in6_addr cip; /* DNS Client IP (v4/6) */
u_char cmac[6]; /* DNS Client MAC address (raw, 6 bytes, not a string) */
struct _pdns_asset *next; /* Next dns asset */
struct _pdns_asset *prev; /* Prev dns asset */
} pdns_asset;
/* One cached query name (the "domain" level of the HASH diagram above).
 * Records live in hash buckets as a doubly linked list (next/prev) and own a
 * list of pdns_asset answers via passet. Created by get_pdns_record() and
 * removed by delete_dns_record()/expire_dns_records().
 * NOTE(review): as with _pdns_asset, the underscore-prefixed tag is in the
 * identifier space C11 reserves at file scope.
 */
typedef struct _pdns_record {
struct timeval first_seen; /* First seen (unix timestamp) */
struct timeval last_seen; /* Last seen (unix timestamp) */
struct timeval last_print; /* Last time record(NXD) was printed; compared against DNSPRINTTIME */
uint64_t seen; /* Number of times seen */
unsigned char *qname; /* Query name (gamelinux.org); allocation owner not visible here -- confirm in dns.c */
uint8_t nxflag; /* Flag to indicate if this is a NXDOMAIN (DNS_NXDOMAIN) */
uint32_t af; /* IP version (4/6): presumably AF_INET / AF_INET6 -- confirm */
struct in6_addr sip; /* DNS Server IP (v4/6) */
u_char smac[6]; /* DNS Server MAC address (raw, 6 bytes, not a string) */
struct in6_addr cip; /* DNS Client IP (v4/6) */
u_char cmac[6]; /* DNS Client MAC address (raw, 6 bytes, not a string) */
uint8_t proto; /* Protocol (transport the query was seen on; value encoding not visible here) */
pdns_asset *passet; /* Head of dns assets */
struct _pdns_record *next; /* Next dns record */
struct _pdns_record *prev; /* Prev dns record */
} pdns_record;
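/* Declarations for dns.c.
 * `packetinfo` is not declared in this header and dns.h does not include it;
 * every translation unit that includes dns.h must have already pulled in the
 * header that defines it (NOTE(review): confirm which one).
 */

/* Process the answer section(s) of an already-decoded DNS packet seen in `pi`.
 * Returns an int status; the exact values are defined in dns.c. */
int process_dns_answer (packetinfo *pi, ldns_pkt *decoded_dns);

/* Insert/update cache entries for one parsed RR (rdf_data) from dns_pkt.
 * `buff` is an ldns scratch buffer supplied by the caller. Returns an int
 * status defined in dns.c. */
int cache_dns_objects (packetinfo *pi, ldns_rdf *rdf_data, ldns_buffer *buff, ldns_pkt *dns_pkt);

/* Look up (and presumably create on miss -- confirm) the pdns_record for
 * domain_name in the bucket selected by dnshash. Returns the record, or NULL
 * if dns.c chooses not to create one. */
pdns_record *get_pdns_record (uint64_t dnshash, packetinfo *pi, unsigned char *domain_name);

/* Format ip_addr as text according to af (AF_INET / AF_INET6, presumably)
 * into dest and return a pointer to the text.
 * `dest` carries no length: the caller must provide at least INET6_ADDRSTRLEN
 * bytes, the largest textual IPv6 form, or the write can overrun -- confirm
 * the definition in dns.c bounds its writes to that size. */
const char *u_ntop (const struct in6_addr ip_addr, int af, char *dest);

/* Entry point from the packet path: decode the DNS payload in `pi` and feed it
 * to process_dns_answer(). The payload is untrusted network data; all length
 * checks belong in dns.c behind this call. */
void dns_parser (packetinfo *pi);

/* Record that `rr` (with response name rdomain_name) was seen for record `pr`:
 * bump/refresh the matching pdns_asset or add a new one. */
void update_pdns_record_asset (packetinfo *pi, pdns_record *pr, ldns_rr *rr, unsigned char *rdomain_name);

/* Emit one log line for asset `p` of record `l`. `rcode` selects error
 * output; PASSET_ERR_TTL / PASSET_ERR_COUNT above are the static selectors
 * this function understands. */
void print_passet (pdns_record *l, pdns_asset *p, ldns_rr *rr, ldns_rdf *lname, uint16_t rcode);

/* Drop assets of pdnsr not seen since expire_t (seconds, cf. DNSCACHETIMEOUT). */
void expire_dns_assets (pdns_record *pdnsr, time_t expire_t);

/* Periodic cache sweep (all buckets). */
void expire_dns_records(void);

/* Flush the whole cache, e.g. at shutdown. */
void expire_all_dns_records(void);

/* Unlink and free pdnsr from the bucket list headed by *bucket_ptr. */
void delete_dns_record (pdns_record *pdnsr, pdns_record **bucket_ptr);

/* Unlink and free passet from the asset list headed by *passet_head. */
void delete_dns_asset (pdns_asset **passet_head, pdns_asset *passet);

/* Refresh the memory counters kept in the global config. */
void update_config_mem_counters(void);

/* Parse the user-supplied field list into the FIELD_* mask.
 * `args` is non-const, so the implementation may modify it in place
 * (e.g. a tokenizer) -- pass a writable copy, not a string literal. */
void parse_field_flags (char *args);

/* Parse the user-supplied type/error list into the DNS_CHK_* / DNS_SE_CHK_*
 * masks. Same in-place-modification caveat as parse_field_flags(). */
void parse_dns_flags (char *args);

/* Account one response with response code `code` (8 bits) for `pi`. */
void update_dns_stats(packetinfo *pi, uint8_t code);

/* Map a DNS response code to its DNS_SE_CHK_* bit (0 if none) -- the exact
 * mapping lives in dns.c. */
uint16_t pdns_chk_dnsfe(uint16_t rcode);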
#endif /* DNS_H */