Installing a Farsight Passive DNS Sensor
Farsight Passive DNS is a project that collects DNS response data received by caching, recursive DNS servers distributed around the Internet. This data is aggregated and made available via the Farsight SIE platform where it is imported in an anonymized form into the Farsight DNSDB system. Operating a Farsight Passive DNS sensor improves the quality of data available from Farsight DNSDB and aids anti-abuse research.
The passive DNS sensor only collects the DNS data received by a caching server as the result of recursion. The queries sent by individual clients are never logged. The sensor also offers the ability to zero out the IP address of the resolver.
If you would like to participate in the Farsight Passive DNS project, please send an email to email@example.com.
The Farsight Passive DNS sensor works by capturing raw packets from a network interface and reconstructing the DNS transactions that occurred between recursive and authoritative nameservers. It can be deployed either directly on the recursive DNS server or on a monitoring server with access to a network tap or port mirror. In the latter case multiple DNS servers may of course be monitored, but both the RX and TX network directions must be monitored, since the sensor tracks query/response state. By default the total number of entries in the query table is limited and a hard memory limit of 512 MB is enforced on the DNS sensor process. CPU utilization by the DNS sensor tends to be fairly low, even on heavily loaded recursive servers.
This document covers the sie-dns-sensor binary package available for Debian and Red Hat based Linux systems. For FreeBSD systems an alternate source-based package called sie-scripts is available. See the Operating a Farsight Passive DNS sensor (FreeBSD) article for details about this method.
Note: A passive DNS sensor requires accurate timestamping. Make sure that the machine you intend to run the sensor on has an NTP client installed and running and that the system time is correct before proceeding.
Native Debian and Red Hat binary packages are available from the following location: https://dl.farsightsecurity.com/dist/sie-dns-sensor/0.7.3-1/. Debian packages are available for the amd64 architecture and are binary compatible with Debian 7 and newer releases, as well as Ubuntu systems. Red Hat packages are available for the x86_64 architecture, and separate binaries are compiled for the EL5 and EL6 releases. These binary packages are compatible with RHEL clones such as Scientific Linux and CentOS.
Installation of the sie-dns-sensor binary package is performed with the package manager. For example, on Red Hat EL6 (x86_64) systems and clones:
rpm -i sie-dns-sensor-0.7.3-1.el6.x86_64.rpm
Or on Debian (amd64) systems and clones:
dpkg -i sie-dns-sensor_0.7.3-1_amd64.deb
sie-dns-sensor requires further configuration after installation. Configuration is done in the /etc/default/sie-dns-sensor file. If necessary, edit the interface variable, which specifies the network interface on which to monitor DNS traffic. By default the "promiscuous" capture mode is not enabled. Append a "+" character to the interface name to enable promiscuous mode. Promiscuous mode is required when monitoring a network tap.
The DNSQR_RES_ADDRS variable must also be set to a list of one or more comma-separated IP addresses or network prefixes to be monitored. Some example values for this variable are:
A single server with one address:
An IPv4 address and an IPv6 address:
An entire IPv4 subnet:
An IPv4 subnet and an IPv6 subnet:
The DNSQR_RES_ADDRS variable is new in sie-dns-sensor 0.6.16 and later and replaces the bpfpat_dst variables used in previous versions. The config file must be updated to use the new syntax when upgrading from a previous version.
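A mistyped DNSQR_RES_ADDRS entry or a forgotten "+" on a tap interface means the sensor silently captures nothing, so it is worth checking the config before restarting the service. The following script is an added example, not part of the sie-dns-sensor package: it validates the syntax of the two settings described above (the interface name with its optional "+" suffix, and the comma-separated IPv4/IPv6 addresses or prefixes). The sample config it writes is constructed for the demonstration; point check_config at /etc/default/sie-dns-sensor to check a real installation.

```shell
#!/bin/sh
# Added example (not Farsight's code): pre-flight syntax check for the
# `interface` and DNSQR_RES_ADDRS settings of /etc/default/sie-dns-sensor.
# Only the syntax the article documents is checked; nothing is changed.

# Device name without the promiscuous-mode "+" suffix.
iface_name() { printf '%s\n' "${1%+}"; }

# "yes" when the "+" suffix requests promiscuous mode (required on a tap).
iface_promisc() { case $1 in *+) echo yes ;; *) echo no ;; esac; }

# 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix length.
is_ipv4() {
    v4addr=${1%%/*}
    v4plen=${1#*/}
    if [ "$v4plen" != "$1" ]; then
        case $v4plen in ''|*[!0-9]*) return 1 ;; esac
        [ "$v4plen" -le 32 ] || return 1
    fi
    v4ifs=$IFS; IFS=.
    set -- $v4addr
    IFS=$v4ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# 0 if $1 is an IPv6 address (hex groups, at most one "::") with an optional
# /0-128 prefix length.
is_ipv6() {
    v6addr=${1%%/*}
    v6plen=${1#*/}
    if [ "$v6plen" != "$1" ]; then
        case $v6plen in ''|*[!0-9]*) return 1 ;; esac
        [ "$v6plen" -le 128 ] || return 1
    fi
    case $v6addr in ''|*[!0-9A-Fa-f:]*|*:::*) return 1 ;; esac
    case ${v6addr#*::} in *::*) return 1 ;; esac   # a second "::" is invalid
    v6ifs=$IFS; IFS=:
    set -- $v6addr
    IFS=$v6ifs
    groups=0
    for g in "$@"; do
        case $g in
            '') ;;                                  # empty group from "::"
            ?|??|???|????) groups=$((groups + 1)) ;;
            *) return 1 ;;                          # more than 4 hex digits
        esac
    done
    case $v6addr in
        *::*) [ "$groups" -le 7 ] ;;                # "::" stands for >= 1 group
        *)    [ "$groups" -eq 8 ] ;;
    esac
}

# 0 if every comma-separated entry in $1 is a valid IPv4/IPv6 address or prefix.
validate_res_addrs() {
    case $1 in ''|*[!0-9A-Fa-f:./,]*) return 1 ;; esac
    listifs=$IFS; IFS=,
    set -- $1
    IFS=$listifs
    for entry in "$@"; do
        if ! is_ipv4 "$entry" && ! is_ipv6 "$entry"; then
            echo "DNSQR_RES_ADDRS: invalid entry '$entry'" >&2
            return 1
        fi
    done
    return 0
}

# Source a config file (the real one is shell syntax, as is this sample) and
# check both settings; a missing device is only a warning, since the config
# may be validated on a different host.
check_config() {
    . "$1"
    dev=$(iface_name "$interface")
    echo "interface: $dev (promiscuous: $(iface_promisc "$interface"))"
    [ -e "/sys/class/net/$dev" ] || echo "warning: $dev not present on this host" >&2
    validate_res_addrs "$DNSQR_RES_ADDRS"
}

# Constructed sample of /etc/default/sie-dns-sensor for the demonstration.
sample_conf=$(mktemp) || exit 1
cat > "$sample_conf" <<'EOF'
interface="eth0+"
DNSQR_RES_ADDRS="192.0.2.53,2001:db8::53,192.0.2.0/24"
EOF
if check_config "$sample_conf"; then echo "config OK"; else echo "config has errors"; fi
rm -f "$sample_conf"
```

The checks are deliberately syntactic: they catch the common mistakes (an octet above 255, a prefix length above 32 or 128, a truncated IPv6 address, an empty entry from a doubled comma) without trying to decide whether the address is really a resolver on this host.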
Uploading data to Farsight
The sie-dns-sensor package has a built-in uploader that will send captured data to the Farsight Passive DNS project. The uploader uses an SSH encrypted connection on port 49222 to transfer data. Make sure that no firewall rules prevent outbound connections on this port to Farsight's servers. The upload keypair is stored in the /var/spool/sie/keys directory in the files upload (private key) and upload.pub (public key). Run the sie-gen-key command to generate a keypair. If sie-dns-sensor is installed on multiple servers, please copy the same keypair to each server instead of creating a separate keypair for each server.
Email the public key (i.e. the /var/spool/sie/keys/upload.pub file) as an attachment to firstname.lastname@example.org and include the IPv4 and/or IPv6 addresses that your sensor(s) will initiate data uploads from. A username will be assigned, and the login variable in the /etc/default/sie-dns-sensor config file must be set to this value.
By default the uploader will remove successfully uploaded data files. For debugging purposes, uploading can be disabled by setting upload="no" in the /etc/default/sie-dns-sensor config file. Additionally, data files can be saved to disk by setting archive="yes", in which case the rotated data files will be saved to the
The uploader sends log messages to syslog with an sie: prefix upon upload success or failure. The syslog priority can be configured by setting the syslog_priority config variable.
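Before enabling uploads it helps to confirm that the keypair is in place and that the login variable has been filled in, since an unset login or an unusable private key only shows up later as a failure in syslog. The script below is an added example, not part of the sie-dns-sensor package. It assumes the layout described above (upload and upload.pub in the key directory; login, upload and archive variables in /etc/default/sie-dns-sensor) and, because the uploader uses SSH, it also assumes OpenSSH's rule that a private key readable by group or others is refused; the article itself does not state that requirement. For a stand-alone run it creates a constructed key directory and config rather than touching the real paths.

```shell
#!/bin/sh
# Added example (not Farsight's code): readiness check for the sie-dns-sensor
# uploader. Real paths would be /var/spool/sie/keys and
# /etc/default/sie-dns-sensor; the demonstration uses constructed stand-ins.

# 0 if the private key exists, is accessible only by its owner (mode 0600 or
# stricter, which OpenSSH requires; assumption about the uploader), and the
# public key sits beside it.
keys_ok() {
    keydir=$1
    [ -f "$keydir/upload" ] && [ -f "$keydir/upload.pub" ] || return 1
    mode=$(ls -ld "$keydir/upload" | cut -c5-10)   # group+other permission bits
    [ "$mode" = "------" ]
}

# Source a config file and report what the uploader would do. Returns 1 when
# uploading is enabled but no login has been assigned yet. The defaults
# (upload enabled, archive off) follow the article's description.
upload_config_ok() {
    unset login upload archive
    . "$1"
    if [ "${upload:-yes}" = "no" ]; then
        echo "uploading disabled (upload=\"no\"); rotated data files are kept for debugging"
    elif [ -z "$login" ]; then
        echo "login is not set: send upload.pub to Farsight and set the assigned username" >&2
        return 1
    else
        echo "will upload as '$login' over SSH to port 49222; files removed after success"
    fi
    [ "${archive:-no}" = "yes" ] && echo "archive=\"yes\": rotated data files are also kept on disk"
    return 0
}

# Constructed demonstration directory; sie-gen-key would create the real keys.
demo=$(mktemp -d) || exit 1
mkdir -p "$demo/keys"
printf 'constructed private key\n' > "$demo/keys/upload"
printf 'constructed public key\n'  > "$demo/keys/upload.pub"
chmod 600 "$demo/keys/upload"
printf 'login="sensor-example"\nupload="yes"\narchive="no"\n' > "$demo/sie-dns-sensor"

if keys_ok "$demo/keys"; then
    echo "keypair OK: attach $demo/keys/upload.pub to the email to Farsight"
else
    echo "keypair missing or private key too permissive" >&2
fi
upload_config_ok "$demo/sie-dns-sensor"
rm -rf "$demo"
```

When running this against a real sensor, also verify that outbound TCP to port 49222 is not blocked by a firewall, and watch syslog for lines with the sie: prefix after the first upload interval; a persistent failure there with a correct login almost always comes back to the key permissions or the firewall.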
Starting and stopping the service
sie-dns-sensor uses the standard init system on Linux, and will be configured automatically to start at boot and stop at shutdown.
To start the sensor, run:
service sie-dns-sensor start
To stop the sensor, run:
service sie-dns-sensor stop
To restart the sensor, run:
service sie-dns-sensor restart
Uninstalling
Use the package manager to uninstall the sie-dns-sensor package. On Red Hat systems, run:
rpm -e sie-dns-sensor
rm -f /etc/default/sie-dns-sensor.rpmsave
Or on Debian systems, run:
dpkg -P sie-dns-sensor
The /var/spool/sie directory will need to be removed manually.
Note on source code
The sie-dns-sensor binary package contains components from nmsg and other open source projects. The build scripts and artifacts used to produce the sie-dns-sensor binary package are available from the sie-dns-sensor repository.
Note on nmsg
The sie-dns-sensor binary package includes a stripped down version of the libnmsg library and nmsgtool utility specially tailored for the passive DNS sensor software role. As of sie-dns-sensor version 0.7.3-1, these components are installed in a dedicated path (for example /usr/lib64/sie-dns-sensor, depending on platform) and will not conflict with an installation of nmsg on the same system.
For the latest fully-featured binary packages of nmsgtool and related components for Debian and Debian-compatible systems, see the SIE Software Installation Debian page.