Updates to ‘dnscap’, Duane Wessels, DNS-OARC Workshop, Dublin, May 12, 2013
Updates to ‘dnscap’
Duane Wessels
DNS-OARC Workshop Dublin
May 12, 2013
What is dnscap?
• DNS-specific tcpdump
• Splits output files by time/count
• Start/Stop at specific times
• Select/exclude by direction, address, query name, etc.
• Supports IPv6, TCP, fragments, VLANs
• Reads from multiple interfaces
Traditional Design
[Diagram: packet sources → dnscap process → pcap files on disk]
Plugin Design
[Diagram: packet sources → dnscap process → plugin outputs (?)]
Plugin API

| function | description |
| --- | --- |
| getopt() | command line processing |
| usage() | summary of options and args |
| start() | called once at program start |
| stop() | called once at program exit |
| open() | called at start of each collection interval |
| close() | called at end of each collection interval |
| output() | output or process a packet |
Plugin Complications
Packet Selectors
• dnscap main process has various packet selection options
  • source/destination addresses
  • queries/responses
  • names, opcodes, etc.
• Different plugins may have different selection criteria
  • Plugin “A” wants queries and responses
  • Plugin “B” wants only queries
Packets vs Messages
• Prior to plug-ins, dnscap’s goal was to save packets to disk.
• IP fragments are written but dnscap does not de-fragment.
  • This means all fragments are written, not just DNS fragments.
• TCP state is held only to make packet selection decisions. dnscap does not perform full TCP reassembly.
• Should dnscap do reassembly and pass fully formed messages to the plugins??
  • Then you can’t have a “pcapwriter” plugin
Command line becoming unwieldy

    dnscap -6fT \
        -t 600 \
        -i eth0 \
        -z 192.168.1.1 -z dead:beef::1 \
        -P plugin1.so \
            -f foo \
            -b bar \
            -- \
        -P plugin2.so \
            --xyzzy \
            --plugh

• Time for a config file?
Root Server Scaling Measurements
Root Zone Scaling Measurements

“RSSAC have identified an initial set of parameters that they believe would be useful to monitor for the root zone scaling concern, as identified by SSAC and the ICANN Board, and where monitoring should be implementable without major changes within the root zone system.
• The latency in the distribution system
• The size of the overall root zone
• The number of queries
• The response size distribution
• The number of sources seen”

http://www.icann.org/en/groups/rssac/root-scaling-measurements-07dec12-en.pdf
rssm plugin
• Counts number of UDP/TCP, IPv4/IPv6 queries/responses
• Query/response size distribution in 8-byte buckets
• Full list of all source IP addresses
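A sketch of the counting the rssm slide describes, arranged around the open()/output() calls from the Plugin API slide. This is an added example, not code from dnscap or the rssm plugin: the `rssm_*` names, their signatures, the struct layout, the 4096-byte histogram limit, the 1024-source cap and the choice to list only query sources are assumptions, and the sample traffic is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBUCKETS    513u  /* 8-byte buckets up to 4096 bytes; last one is overflow */
#define MAX_SOURCES 1024u /* assumed cap for this sketch */
enum { V4, V6 }; enum { UDP, TCP }; enum { QUERY, RESPONSE }; /* array indexes */
struct counters {
    uint64_t msgs[2][2][2];             /* [ipver][proto][QR] */
    uint64_t sizes[2][NBUCKETS];        /* [QR][len / 8] */
    uint8_t  sources[MAX_SOURCES][16];  /* distinct query sources; IPv4 zero-padded */
    size_t   nsources;
};

/* open(): start of a collection interval, reset everything. */
void rssm_open(struct counters *c) { memset(c, 0, sizeof *c); }

/* output(): classify one DNS message; -1 if shorter than the 12-byte header. */
int rssm_output(struct counters *c, int ipver, int proto,
                const uint8_t src[16], const uint8_t *dns, size_t len) {
    if (len < 12) return -1;
    int qr = (dns[2] & 0x80) ? RESPONSE : QUERY;  /* QR is the top bit of byte 2 */
    size_t b = len / 8 < NBUCKETS ? len / 8 : NBUCKETS - 1;
    c->msgs[ipver][proto][qr]++;
    c->sizes[qr][b]++;
    if (qr == RESPONSE) return 0;       /* assumption: only query sources are listed */
    for (size_t i = 0; i < c->nsources; i++)
        if (memcmp(c->sources[i], src, 16) == 0) return 0;   /* already seen */
    if (c->nsources < MAX_SOURCES) memcpy(c->sources[c->nsources++], src, 16);
    return 0;
}

/* Constructed sample traffic: two clients, three queries, one response. */
void rssm_demo(struct counters *c) {
    uint8_t a[16] = {192, 0, 2, 1}, b[16] = {0x20, 0x01, 0x0d, 0xb8, [15] = 7};
    uint8_t srv[16] = {198, 51, 100, 53};
    uint8_t q[40] = {0x12, 0x34, 0x01, 0x00}, r[100] = {0x12, 0x34, 0x81, 0x80};
    rssm_open(c);
    rssm_output(c, V4, UDP, a, q, 29);     /* bucket 3 */
    rssm_output(c, V4, UDP, a, q, 33);     /* bucket 4, same source again */
    rssm_output(c, V6, TCP, b, q, 40);     /* bucket 5 */
    rssm_output(c, V4, UDP, srv, r, 100);  /* response, bucket 12 */
}

int main(void) {
    static struct counters c;
    rssm_demo(&c);
    printf("v4/udp queries=%llu sources=%zu\n", (unsigned long long)c.msgs[V4][UDP][QUERY], c.nsources);
    return 0;
}
```

Because dnscap hands plugins packets rather than reassembled messages, a counter like this sees fragment and TCP segment payloads as they arrive; the length check only guards against reading past a payload too short to hold a DNS header.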
Example Usage

    $ dnscap \
        -6fT \
        -t 600 \
        -i eth0 \
        -z 198.41.0.4 -z 2001:503:ba3e::2:30 \
        -P plugins/rssm.so \
            -w /data/dnscap/rssm \
            -s /data/dnscap/sources

• -P rssm.so: load ‘rssm’ plugin
• -w …: write counters to files prefixed with /data/dnscap/rssm
• -s …: write sources to files prefixed with /data/dnscap/sources
• Output files are suffixed with timestamp of first packet
A-root stats via dnscap/rssm
DRAFT
Code
• Current dnscap code lives at GitHub:
  • https://github.com/verisign/dnscap/
• Mailing List:
  • https://lists.dns-oarc.net/mailman/listinfo/dnscap-users

    $ git clone https://github.com/verisign/dnscap.git
    $ cd dnscap
    $ ./configure && make
    $ cd plugins/rssm
    $ make
Thank You
© 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.