Installing a Farsight Passive DNS Sensor

Introduction

Farsight Passive DNS is a project that collects DNS response data received by caching, recursive DNS servers distributed around the Internet. This data is aggregated and made available via the Farsight SIE platform where it is imported in an anonymized form into the Farsight DNSDB system. Operating a Farsight Passive DNS sensor improves the quality of data available from Farsight DNSDB and aids anti-abuse research.

The passive DNS sensor only collects the DNS data received by a caching server as the result of recursion. The queries sent by individual clients are never logged. The sensor also offers the ability to zero out the IP address of the resolver.

If you would like to participate in the Farsight Passive DNS project, please send an email to passivedns@farsightsecurity.com.

The Farsight Passive DNS sensor works by capturing raw packets from a network interface and reconstructing the DNS transactions that occurred between recursive and authoritative nameservers. It can be deployed either directly on the recursive DNS server or on a monitoring server with access to a network tap or port mirror. In the latter case multiple DNS servers may be monitored, but both the RX and TX directions of the traffic must reach the sensor: it tracks query/response state and pairs each response with the query it saw, so traffic captured in only one direction yields no usable records. By default the total number of entries in the query table is limited and a hard memory limit of 512 MB is enforced on the DNS sensor process. CPU utilization by the DNS sensor tends to be fairly low, even on heavily loaded recursive servers.
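To make the query/response pairing concrete, here is an added example that is not code from the sie-dns-sensor package: a toy passive DNS sensor in Python that builds a few DNS messages inline (constructed packets, RFC 5737/3849 example addresses), keeps a bounded query table keyed on the resolver/authoritative 5-tuple, transaction ID, name and type, and shows what happens when only one traffic direction is captured or when the table overflows. The table size of 4 and the 5-tuple key are assumptions for illustration; the real sensor's table limits and key layout are not documented on this page.

```python
"""Toy passive DNS sensor (added example, not sie-dns-sensor code).

Pairs resolver-to-authoritative queries with their responses to show why
both traffic directions must reach the capture point, why the client-side
leg is never logged, and what a bounded query table does.  All packets are
constructed inline; the table size and key layout are assumptions.
"""
import struct
from collections import OrderedDict


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    labels = []
    while msg[off] != 0:          # uncompressed names only (question section)
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(txid, qname, qtype=1):
    # Header: id, flags=0 (QR=0, RD=0 as sent to an authoritative server), qdcount=1.
    hdr = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, ipv4, ttl=300):
    # Flags 0x8400: QR=1, AA=1.  One A record whose owner name is a
    # compression pointer (0xC00C) back to the question name at offset 12.
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + question + rr


def parse(msg):
    """Return (txid, is_response, qname, qtype, [(rtype, ttl, rdata_text), ...])."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        if (msg[off] & 0xC0) == 0xC0:      # compression pointer: 2 bytes
            off += 2
        else:
            _, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        text = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((rtype, ttl, text))
    return txid, bool(flags & 0x8000), qname, qtype, answers


class ToySensor:
    def __init__(self, resolver_addrs, max_entries=4):
        self.resolvers = set(resolver_addrs)
        self.table = OrderedDict()   # outstanding queries, oldest first
        self.max_entries = max_entries
        self.records = []            # (qname, rtype, rdata, ttl) observations
        self.unmatched = 0           # responses with no outstanding query
        self.evicted = 0             # queries dropped by the table bound

    def packet(self, src, sport, dst, dport, payload):
        txid, is_response, qname, qtype, answers = parse(payload)
        if not is_response:
            if src not in self.resolvers:      # stub client -> resolver: never logged
                return
            self.table[(src, sport, dst, dport, txid, qname, qtype)] = True
            if len(self.table) > self.max_entries:
                self.table.popitem(last=False)  # evict the oldest outstanding query
                self.evicted += 1
        else:
            if dst not in self.resolvers:      # resolver -> stub client: never logged
                return
            key = (dst, dport, src, sport, txid, qname, qtype)
            if self.table.pop(key, None) is None:
                self.unmatched += 1            # query never captured, or evicted
                return
            for rtype, ttl, rdata in answers:
                self.records.append((qname, rtype, rdata, ttl))


RESOLVER, AUTH, CLIENT = "192.0.2.53", "198.51.100.1", "203.0.113.7"


def scenario(capture_tx=True, capture_rx=True, n_queries=1):
    """Replay n_queries resolutions through the sensor, optionally dropping one direction."""
    s = ToySensor([RESOLVER])
    s.packet(CLIENT, 40001, RESOLVER, 53, build_query(0x1111, "www.example.com."))
    for i in range(n_queries):
        if capture_tx:   # resolver -> authoritative (TX on the resolver's NIC)
            s.packet(RESOLVER, 30000 + i, AUTH, 53, build_query(0x2000 + i, "host%d.example.com." % i))
    for i in range(n_queries):
        if capture_rx:   # authoritative -> resolver (RX on the resolver's NIC)
            s.packet(AUTH, 53, RESOLVER, 30000 + i, build_response(0x2000 + i, "host%d.example.com." % i, "203.0.113.10"))
    s.packet(RESOLVER, 53, CLIENT, 40001, build_response(0x1111, "www.example.com.", "203.0.113.10"))
    return {"records": s.records, "unmatched": s.unmatched, "evicted": s.evicted}


if __name__ == "__main__":
    print("both directions:", scenario())
    print("RX only:", scenario(capture_tx=False))
    print("5 queries into a table of 4:", scenario(n_queries=5))
```

With both directions captured the sensor emits one record for host0.example.com. and nothing for the client-side leg; with only the RX direction every response is unmatched and no record is produced, which is the symptom to expect from a one-way port mirror. Overflowing the table evicts the oldest query, so its late response is also unmatched: on a busy resolver a table bound trades a small amount of loss for a hard memory ceiling.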

This document covers the sie-dns-sensor binary package available for Debian and Red Hat based Linux systems. For FreeBSD systems an alternate source-based package called sie-scripts is available. See the Operating a Farsight Passive DNS sensor (FreeBSD) article for details about this method.

Note: A passive DNS sensor requires accurate timestamping. Make sure that the machine you intend to run the sensor on has an NTP client installed and running and that the system time is correct before proceeding.

Installation

Native Debian and Red Hat binary packages are available from the following location: https://dl.farsightsecurity.com/dist/sie-dns-sensor/0.7.3-1/. Debian packages are available for the i386 and amd64 architectures and are binary compatible with Debian 7 and newer releases, as well as Ubuntu systems. Red Hat packages are available for the i386 and x86_64 architectures and separate binaries are compiled for the EL5 and EL6 releases. These binary packages are compatible with RHEL clones such as Scientific Linux and CentOS.

Installation of the sie-dns-sensor binary package is performed with the package manager. For example, on Red Hat EL6 (x86_64) systems and clones:

rpm -i sie-dns-sensor-0.7.3-1.el6.x86_64.rpm

Or on Debian (amd64) systems and clones:

dpkg -i sie-dns-sensor_0.7.3-1_amd64.deb

Configuration

sie-dns-sensor requires further configuration after installation.

Open the /etc/default/sie-dns-sensor file. If necessary, edit the interface variable, which specifies the network interface on which to monitor DNS traffic. By default the interface is not put into "promiscuous" capture mode; append a "+" character to the interface name to enable it. Promiscuous mode is required when monitoring a network tap (and likewise a port mirror), because the frames delivered there are not addressed to the monitoring host.

The DNSQR_RES_ADDRS variable must also be set to a list of one or more comma-separated IP addresses or network prefixes to be monitored. Some example values for this variable are:

A single server with one address:

DNSQR_RES_ADDRS="192.0.2.53"

Multiple addresses:

DNSQR_RES_ADDRS="192.0.2.53, 198.51.100.53"

An IPv4 address and an IPv6 address:

DNSQR_RES_ADDRS="192.0.2.53, 2001:db8::53"

An entire IPv4 subnet:

DNSQR_RES_ADDRS="203.0.113.0/24"

An IPv4 subnet and an IPv6 subnet:

DNSQR_RES_ADDRS="203.0.113.0/24, 2001:db8::/64"

Note: the DNSQR_RES_ADDRS variable was introduced in sie-dns-sensor 0.6.16 and replaces the dnstype, bpfpat_src, and bpfpat_dst variables used by earlier versions. When upgrading from a version older than 0.6.16, the config file must be updated to the new syntax.
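As an added example that is not part of the sie-dns-sensor package, the following Python script parses the interface and DNSQR_RES_ADDRS settings from a file in the /etc/default/sie-dns-sensor format, validates every entry with the standard ipaddress module (rejecting, for instance, a prefix with host bits set), and renders an equivalent pcap/BPF capture expression that can be handed to tcpdump to confirm the address list matches real traffic before the sensor is restarted. The sample config text is constructed; the filter shape "port 53 and (host ... or net ...)" is an assumption for illustration and is not documented here as the sensor's own internal filter.

```python
"""Validate sie-dns-sensor capture settings (added example, not package code).

Parses interface and DNSQR_RES_ADDRS from an /etc/default-style file and
renders an equivalent tcpdump/BPF expression.  The BPF shape is an
assumption for illustration; the sample config below is constructed.
"""
import ipaddress
import re

# Constructed sample in the /etc/default/sie-dns-sensor format.
SAMPLE_CONFIG = """
# sie-dns-sensor defaults
interface="eth0+"
DNSQR_RES_ADDRS="192.0.2.53, 203.0.113.0/24, 2001:db8::/64"
login="sensor-example"
upload="yes"
"""

# KEY=value or KEY="value", optional trailing comment.
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_config(text):
    """Return a dict of shell-style assignments, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def parse_interface(value):
    """Return (ifname, promiscuous) from a value such as 'eth0+'."""
    if not value:
        raise ValueError("interface is not set")
    promisc = value.endswith("+")
    name = value[:-1] if promisc else value
    if not re.fullmatch(r"[A-Za-z0-9_.:-]+", name):
        raise ValueError("bad interface name: %r" % value)
    return name, promisc


def parse_res_addrs(value):
    """Split the comma-separated DNSQR_RES_ADDRS list into ip_network objects.

    strict=True rejects prefixes with host bits set (e.g. 203.0.113.1/24),
    a common typo that would otherwise silently capture the wrong range.
    """
    if not value.strip():
        raise ValueError("DNSQR_RES_ADDRS must list at least one resolver address")
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in DNSQR_RES_ADDRS")
        try:
            nets.append(ipaddress.ip_network(item, strict=True))
        except ValueError as e:
            raise ValueError("bad DNSQR_RES_ADDRS entry %r: %s" % (item, e))
    return nets


def bpf_for(nets, port=53):
    """Render a capture expression matching DNS to or from the listed resolvers.

    Assumed shape for illustration: single addresses become 'host', prefixes
    become 'net'; both keywords accept IPv4 and IPv6 in libpcap syntax.
    """
    terms = []
    for n in nets:
        if n.num_addresses == 1:
            terms.append("host %s" % n.network_address)
        else:
            terms.append("net %s" % n.with_prefixlen)
    return "port %d and (%s)" % (port, " or ".join(terms))


def config_errors(text):
    """Return human-readable problems with the file; empty list when usable."""
    conf = parse_config(text)
    errors = []
    for fn, key in ((parse_interface, "interface"), (parse_res_addrs, "DNSQR_RES_ADDRS")):
        try:
            fn(conf.get(key, ""))
        except ValueError as e:
            errors.append(str(e))
    return errors


def check_config(text):
    """Parse a config file and return the capture settings plus the BPF to test with."""
    conf = parse_config(text)
    ifname, promisc = parse_interface(conf.get("interface", ""))
    nets = parse_res_addrs(conf.get("DNSQR_RES_ADDRS", ""))
    return {"interface": ifname, "promiscuous": promisc,
            "resolvers": [str(n) for n in nets], "bpf": bpf_for(nets)}


if __name__ == "__main__":
    settings = check_config(SAMPLE_CONFIG)
    flag = "" if settings["promiscuous"] else "-p "
    print("tcpdump -n %s-i %s '%s'" % (flag, settings["interface"], settings["bpf"]))
```

Running the printed tcpdump command on the sensor host should show both queries leaving the resolver addresses and replies arriving at them; if only one direction appears, the tap or mirror is one-way and the sensor will not be able to pair transactions. The -p flag shown when promiscuous mode is off mirrors the sensor's default of not enabling it.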

Uploading data to Farsight

The sie-dns-sensor package has a built-in uploader that sends captured data to the Farsight Passive DNS project over an SSH-encrypted connection to TCP port 49222. Make sure that no firewall rules prevent outbound connections on this port to Farsight's servers. Run the sie-gen-key command to generate an upload keypair; it is stored in the /var/spool/sie/keys directory as upload (private key) and upload.pub (public key). If sie-dns-sensor is installed on multiple servers, copy the same keypair to each server instead of creating a separate keypair for each. The private key is the credential that identifies your sensors to Farsight, so copy it between servers over an authenticated channel such as scp and keep it readable only by the account the sensor runs as.

Email the public key (i.e. the /var/spool/sie/keys/upload.pub file) as an attachment to passivedns@farsightsecurity.com and include the IPv4 and/or IPv6 addresses that your sensor(s) will initiate data uploads from. A username will be assigned and the login variable in the /etc/default/sie-dns-sensor config file must be set to this value.

By default the uploader removes data files once they have been uploaded successfully. For debugging purposes, uploading can be disabled by setting upload="no" in the /etc/default/sie-dns-sensor config file. Additionally, data files can be retained on disk by setting archive="yes", in which case the rotated data files are kept in the /var/spool/sie/archive directory; watch disk usage there if archiving is left enabled on a busy resolver.

The uploader sends log messages to syslog with an sie: prefix upon upload success or failure. The syslog priority can be configured by setting the syslog_priority config variable.

Starting and stopping the service

sie-dns-sensor uses the standard init system on Linux, and will be configured automatically to start at boot and stop at shutdown.

To start the sensor, run:

service sie-dns-sensor start

To stop the sensor, run:

service sie-dns-sensor stop

To restart the sensor, run:

service sie-dns-sensor restart

Uninstallation

Use the package manager to uninstall the sie-dns-sensor package. On Red Hat systems, run:

rpm -e sie-dns-sensor
rm -f /etc/default/sie-dns-sensor.rpmsave

Or on Debian systems, run:

dpkg -P sie-dns-sensor

Additionally, the /var/spool/sie directory will need to be removed manually. Note that it holds the upload private key and any archived capture data, so remove it only once those are no longer needed.

Note on source code

The sie-dns-sensor binary package contains components from nmsg and other open source projects. The build scripts and artifacts used to produce the sie-dns-sensor binary package are available from the sie-dns-sensor repository.

Note on nmsg

The sie-dns-sensor binary package includes a stripped down version of the libnmsg library and nmsgtool utility specially tailored for the passive DNS sensor software role. As of sie-dns-sensor version 0.7.3-1, these components are installed in a dedicated path, either /usr/lib/sie-dns-sensor or /usr/lib64/sie-dns-sensor depending on platform, and will not conflict with an installation of nmsg on the same system.

For the latest fully-featured binary packages of libnmsg, nmsgtool, and related components for Debian and Debian-compatible systems, see the SIE Software Installation Debian page.