##########################################################################################
PAS-13: Extract DNS Traffic
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Open
Resolution: Unresolved
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker
Components:
- DNS
Affected Versions:
- 0.1
Targeted for fix in version:
- 0.1
Labels: DNS,
Time Estimate: 40 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

Although it'll likely be pretty noisy, extracting DNS traffic is obviously something we want to do (as it's an easy way to inadvertently leak information).

I think a single report will probably be sufficient, similar to webtraffic.csv, containing:

- Epoch
- Src IP (v4)
- Dest IP (v4)
- Src IP (v6)
- Dest IP (v6)
- Src Port
- Dest Port
- Proto (TCP/UDP)
- Query/Response (dns.flags.response)
- Opcode (dns.flags.opcode)
- Authoritative (dns.flags.authoritative)
- Truncated (dns.flags.truncated)
- Recursion Desired (dns.flags.recdesired)
- Recursion Available (dns.flags.recavail)
- Z (dns.flags.z)
- Answer Authenticated (dns.flags.authenticated)
- Non-authd data (dns.flags.checkdisable)
- Reply Code (dns.flags.rcode)
- Questions (dns.count.queries)
- Name (dns.qry.name)
- Type (dns.qry.type)
- Class (dns.qry.class)
- Response Name (dns.resp.name)
- Response Type (dns.resp.type)
- Response Class (dns.resp.class)
- Response TTL (dns.resp.ttl)
- Response Address (dns.resp.addr)

Which might well be overkill, but allows filtering of various queries, including going direct to authoritative nameservers.
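As an added example (not code from the PAS project), the block below decodes a raw DNS message into the DNS-layer columns listed above, using the tshark field names from the list as CSV column headers, and emits one row per answer record (or a single row with empty answer fields for a query). It assumes the message bytes have already been carved out of the UDP payload (DNS over TCP carries a 2-byte length prefix first, which is not handled here); the transport-layer columns (epoch, addresses, ports, protocol) come from the frame/IP/UDP headers and are left out. The sample query and response messages are constructed inline.

```python
import csv
import io
import ipaddress
import struct

# Column order mirrors the DNS-layer field list in the issue (tshark display-filter names).
COLUMNS = [
    "dns.flags.response", "dns.flags.opcode", "dns.flags.authoritative",
    "dns.flags.truncated", "dns.flags.recdesired", "dns.flags.recavail",
    "dns.flags.z", "dns.flags.authenticated", "dns.flags.checkdisable",
    "dns.flags.rcode", "dns.count.queries", "dns.qry.name", "dns.qry.type",
    "dns.qry.class", "dns.resp.name", "dns.resp.type", "dns.resp.class",
    "dns.resp.ttl", "dns.resp.addr",
]
ANSWER_COLUMNS = COLUMNS[14:]


def read_name(msg, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if end is None:
                end = offset + 2  # the name occupies only these two bytes in the stream
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_flags(flags):
    """Split the 16-bit header flags word into the individual bits tshark exposes."""
    return {
        "dns.flags.response": (flags >> 15) & 1,
        "dns.flags.opcode": (flags >> 11) & 0xF,
        "dns.flags.authoritative": (flags >> 10) & 1,
        "dns.flags.truncated": (flags >> 9) & 1,
        "dns.flags.recdesired": (flags >> 8) & 1,
        "dns.flags.recavail": (flags >> 7) & 1,
        "dns.flags.z": (flags >> 6) & 1,
        "dns.flags.authenticated": (flags >> 5) & 1,
        "dns.flags.checkdisable": (flags >> 4) & 1,
        "dns.flags.rcode": flags & 0xF,
    }


def parse_dns(msg):
    """Parse one DNS message (UDP payload, no transport header) into report rows."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    base = parse_flags(flags)
    base["dns.count.queries"] = qdcount
    offset = 12
    qname = qtype = qclass = ""
    for i in range(qdcount):  # question section; the report keeps the first question
        name, offset = read_name(msg, offset)
        rtype, rclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        if i == 0:
            qname, qtype, qclass = name, rtype, rclass
    base.update({"dns.qry.name": qname, "dns.qry.type": qtype, "dns.qry.class": qclass})
    rows = []
    for _ in range(ancount):  # answer section: one row per resource record
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        addr = ""  # only A and AAAA rdata is rendered as an address
        if rtype == 1 and rdlen == 4:
            addr = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            addr = str(ipaddress.IPv6Address(rdata))
        row = dict(base)
        row.update({"dns.resp.name": name, "dns.resp.type": rtype, "dns.resp.class": rclass,
                    "dns.resp.ttl": ttl, "dns.resp.addr": addr})
        rows.append(row)
    if not rows:  # a query (or empty response) still gets a row, with blank answer columns
        row = dict(base)
        row.update({k: "" for k in ANSWER_COLUMNS})
        rows.append(row)
    return rows


def rows_to_csv(rows):
    """Render rows as CSV text with the issue's column order as the header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample messages (not captured traffic): a recursive A query for
# example.com and a response with RD/RA set and one A record pointing at 192.0.2.1.
SAMPLE_QUERY = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(rows_to_csv(parse_dns(SAMPLE_QUERY) + parse_dns(SAMPLE_RESPONSE)), end="")
```

The same columns can be pulled straight from a capture with tshark (`tshark -r file.pcap -Y dns -T fields -E separator=, -e frame.time_epoch -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -e dns.flags.response ...`), which is the quicker route for the report itself; the parser above is useful where the script needs to make decisions on the decoded fields, for example flagging answers whose `dns.flags.authoritative` bit is set because the client bypassed its resolver and went direct to an authoritative nameserver.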
-----------------------------------------------------------------------------------------

Issue Relations
================

- blocks PAS-21: Correlate Encrypted Traffic against DNS to obtain hostname

-----------------------------------------------------------------------------------------

Activity
==========