spy on the DNS queries your computer is making

Overview

dnspeep

dnspeep lets you spy on the DNS queries your computer is making.

Here's some example output:

$ sudo dnspeep
query name                           server IP       response
A     incoming.telemetry.mozilla.org 192.168.1.1     CNAME: telemetry-incoming.r53-2.services.mozilla.com, CNAME: pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com, A: 52.39.144.189, A: 54.191.136.131, A: 34.215.151.143, A: 54.149.208.57, A: 44.226.235.191, A: 52.10.174.113, A: 35.160.138.173, A: 44.238.190.78
AAAA  incoming.telemetry.mozilla.org 192.168.1.1     CNAME: telemetry-incoming.r53-2.services.mozilla.com, CNAME: pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com
A     www.google.com                 192.168.1.1     A: 172.217.13.132
AAAA  www.google.com                 192.168.1.1     AAAA: 2607:f8b0:4020:807::2004
A     www.neopets.com                192.168.1.1     CNAME: r9c3n8d2.stackpathcdn.com, A: 151.139.128.11
AAAA  www.neopets.com                192.168.1.1     CNAME: r9c3n8d2.stackpathcdn.com

Installing

  1. Download a recent release of dnspeep from the GitHub releases page
  2. Unpack it
  3. Put the dnspeep binary in your PATH (for example in /usr/local/bin)

How it works

It uses libpcap to capture packets on port 53, and then matches up DNS request and response packets so that it can show the request and response together on the same line.

It also tracks DNS queries that didn't get a response within 1 second and prints them with <no response> in the response column.
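Here is a small worked model of that matching step, written for this page rather than taken from dnspeep's source. It assumes each packet is the DNS payload that follows the UDP header and that timestamps are milliseconds taken from the capture; the sample packets at the bottom are constructed, not captured, and the names Tracker, Event, parse, sample_query and sample_refusal are this example's own. A reply is paired with the pending query of the same transaction ID and reported with the query's own question, so a reply with no question section (the case behind the main.rs:153 panic reported in the comments below) still matches, and a reply that arrives only after the timeout is reported as an unknown ID, the same shape as the "got response for unknown query ID" warning quoted in the comments.

```rust
// Added example for this page, not dnspeep's own source: the matching step from
// "How it works". Parse the DNS header and first question, pair each response
// with the pending query of the same transaction ID, and report queries with no
// response within a timeout. Timestamps are plain ms; packets are DNS payloads.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Question { pub name: String, pub qtype: u16 }

#[derive(Debug, PartialEq, Eq)]
pub enum Event {
    Answered { q: Question, rtt_ms: u64, ancount: u16 }, // matched a pending query
    NoResponse { q: Question },                          // timed out: `<no response>`
    UnknownId(u16), // ID never seen as a query, or its query already expired
}

/// Decode an uncompressed name at `pos`; returns it dotted plus the offset past
/// it. Compression pointers (top two bits set) are rejected, not followed: the
/// question section never needs them, and a crafted pointer loop cannot spin us.
fn read_name(pkt: &[u8], mut pos: usize) -> Option<(String, usize)> {
    let mut labels = Vec::new();
    loop {
        let len = *pkt.get(pos)? as usize;
        if len == 0 { return Some((labels.join("."), pos + 1)); }
        if len & 0xC0 != 0 { return None; }
        let label = pkt.get(pos + 1..pos + 1 + len)?;
        labels.push(String::from_utf8_lossy(label).into_owned());
        pos += 1 + len;
    }
}

/// (id, is_response, ancount, first question). The question is optional: a
/// reply may carry QDCOUNT = 0, which is what the main.rs:153 panic report hit.
pub fn parse(pkt: &[u8]) -> Option<(u16, bool, u16, Option<Question>)> {
    let h = pkt.get(..12)?; // truncated header: ignore the packet, don't panic
    let id = u16::from_be_bytes([h[0], h[1]]);
    let qdcount = u16::from_be_bytes([h[4], h[5]]);
    let ancount = u16::from_be_bytes([h[6], h[7]]);
    let question = if qdcount == 0 {
        None
    } else {
        let (name, off) = read_name(pkt, 12)?;
        let qtype = u16::from_be_bytes([*pkt.get(off)?, *pkt.get(off + 1)?]);
        Some(Question { name, qtype })
    };
    Some((id, (h[2] & 0x80) != 0, ancount, question))
}

pub struct Tracker {
    pending: HashMap<u16, (Question, u64)>, // id -> (question, time sent)
    timeout_ms: u64,
}

impl Tracker {
    pub fn new(timeout_ms: u64) -> Self { Tracker { pending: HashMap::new(), timeout_ms } }

    /// Feed one captured payload. A response reuses the *query's* question, so a
    /// question-less reply never indexes an empty Vec. Keyed on ID alone for
    /// brevity; a real tool should also key on the address pair (IDs collide).
    pub fn observe(&mut self, pkt: &[u8], now_ms: u64) -> Option<Event> {
        let (id, is_response, ancount, question) = parse(pkt)?;
        if !is_response {
            self.pending.insert(id, (question?, now_ms));
            return None;
        }
        match self.pending.remove(&id) {
            Some((q, sent)) => Some(Event::Answered { q, rtt_ms: now_ms.saturating_sub(sent), ancount }),
            None => Some(Event::UnknownId(id)),
        }
    }

    /// Report and drop every query that has waited at least the timeout.
    pub fn expire(&mut self, now_ms: u64) -> Vec<Event> {
        let timeout = self.timeout_ms;
        let expired: Vec<u16> = self.pending.iter()
            .filter(|(_, v)| now_ms.saturating_sub(v.1) >= timeout).map(|(id, _)| *id).collect();
        expired.into_iter()
            .map(|id| Event::NoResponse { q: self.pending.remove(&id).unwrap().0 }).collect()
    }
}

// Constructed sample packets (not captured traffic): a query, and a REFUSED
// reply with no question section but one OPT record in the additional section
// (the same 23-byte shape as the reply described in the panic report).
pub fn sample_query(id: u16, name: &str, qtype: u16) -> Vec<u8> {
    let mut p = vec![(id >> 8) as u8, id as u8, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0];
    for label in name.split('.') {
        p.push(label.len() as u8);
        p.extend_from_slice(label.as_bytes());
    }
    p.extend_from_slice(&[0, (qtype >> 8) as u8, qtype as u8, 0, 1]); // root, QTYPE, IN
    p
}
pub fn sample_refusal(id: u16) -> Vec<u8> {
    let mut p = vec![(id >> 8) as u8, id as u8, 0x80, 0x05, 0, 0, 0, 0, 0, 0, 0, 1];
    p.extend_from_slice(&[0, 0x00, 0x29, 0x10, 0x00, 0, 0, 0, 0, 0, 0]); // OPT, 4096
    p
}
```

Keying on the 16-bit ID alone is the weak spot to keep in mind: IDs collide across clients, and a forged reply carrying the right ID is exactly how an off-path attacker races a real answer, so anything beyond a single-host viewer should put the client and server addresses and ports in the key as well.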

Limitations

  • Only supports the DNS query types supported by the dns_parser crate (here's a list)
  • Doesn't support TCP DNS queries, only UDP
  • It can't show DNS-over-HTTPS queries (because it would need to MITM the HTTPS connection)
Comments
  • RFE: source process and response time

    Thanks for this project! It sure makes life a lot easier, so I don't need to remember the BPF syntax.

    I would like to ask for two enhancements, if possible: a) The source name or PID of the process which generated the query. b) The time that it took to receive the response.

    Thank you!

    opened by badnetmask 7
  • Index out of bounds panic in main.rs:153:21

    Running dnspeep on a Fedora 33 machine with both IPv4 and IPv6 connectivity I can sometimes see queries but then sooner or later I get:

    thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', src/main.rs:153:21
    note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
    

    The backtrace doesn't seem to be very useful; it appears to be failing where it says it's failing, in the line:

        let question = &dns_packet.questions[0];
    

    This seems to be the result of the authoritative DNS server I'm running on this machine answering a query by telling the sender to go away (I think):

    In  IP [RANDOM-IP].30279 > [MYIP].domain: 5140+ [1au] ANY? . (33)
    Out IP [MYIP].domain > [RANDOM-IP].30279: 5140-| [0q] 0/0/1 (23)
    

    Wireshark confirms that the relevant DNS reply packet has no questions, no answer RRs, no authority RRs, and one additional RR of type OPT.

    (This has already been useful, I had no idea people were spraying my authoritative nameserver with these queries.)

    opened by siebenmann 5
  • Support SVCB and HTTPS resource records

    This adds support for record types 64 and 65, service binding and HTTPS. This required upgrading to the latest version of dns-message-parser and bumping the minor revision of bytes.

    Resolves: #7

    opened by l0s 3
  • [wip]: support Windows

    Hi, I made some efforts to make it run on Windows successfully and to do some refactoring.

    But I have trouble with setting up the GitHub actions for Windows currently.

    opened by nomyfan 3
  • URL wrong for releases in README

    opened by njr0 3
  • sudo and libpcap error

    I tried to run this on WSL on an x86 machine and got this error:

    $ sudo ./dnspeep
    Error: Failed to start. You need to run this as root.
    
    Caused by:
        libpcap error: socket: Address family not supported by protocol
    
    Location:
        src/main.rs:91:10
    

    I am not sure why it says "You need to run this as root." when I am running it with sudo. And there is also the libpcap error, which I am hoping is because of the sudo error.

    opened by ashwin 2
  • Project license?

    I am packaging this project, and I would like to know the license for the code. I've looked around in all the usual places but I can't find any indication of any particular license. Various dependencies have the licenses "Apache-2.0 BSD-3-Clause ISC MIT Unlicense", but I can't find anything for this project.

    opened by EmRowlands 2
  • Cargo.toml in v0.1.1 has wrong version number

    [package]
    name = "dnspeep"
    version = "0.1.0"
    authors = ["Julia Evans <[email protected]>"]
    edition = "2018"
    

    It says that it's still 0.1.0, rather than 0.1.1

    opened by EmRowlands 0
  • Don't require that the response query have a question section

    Apparently (as reported in #5) the answer query doesn't always have a question section, so this uses the question type / name from the query instead of looking for it in the response.

    Fixes #5

    opened by jvns 0
  • 🚸 print version when printing usage information with '-h'

    This PR will solve issue #22 and print version when printing usage information with '-h'. ⚠️ Version is currently hard-coded because I have no idea of Rust and how to make this more elegant 🤷🏻‍♂️

    opened by thomasmerz 1
  • "Warning: got response for unknown query ID …"

    What does this mean and to which query is this related? Please advise/explain or add more information to the output. Thanks a lot.

    08:55:01.565   A     bla.mooo.com.             45.90.28.39          10ms      A: 123.123.123.123
    08:55:01.580   A     bla.mooo.com.             45.90.28.39          10ms      A: 123.123.123.123
    08:55:01.592   A     bla.mooo.com.             45.90.28.39          11ms      A: 123.123.123.123
    08:55:01.606   A     bla.mooo.com.             45.90.28.39          10ms      A: 123.123.123.123
    08:55:01.785   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
    08:55:01.792   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
    08:55:01.798   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
    08:55:01.803   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
    08:55:01.958   A     bla.mooo.com.             1.1.1.1              513ms     A: 123.123.123.123
    08:55:02.473   A     bla.mooo.com.             1.1.1.1              5ms       A: 123.123.123.123
    08:55:02.481   A     bla.mooo.com.             1.1.1.1              244ms     A: 123.123.123.123
    08:55:02.727   A     bla.mooo.com.             1.1.1.1              6ms       A: 123.123.123.123
    08:55:02.860   A     bla.mooo.com.             1.0.0.1              135ms     A: 123.123.123.123
    08:55:03.000   A     bla.mooo.com.             1.0.0.1              13ms      A: 123.123.123.123
    08:55:03.016   A     bla.mooo.com.             1.0.0.1              131ms     A: 123.123.123.123
    08:55:03.150   A     bla.mooo.com.             1.0.0.1              9ms       A: 123.123.123.123
    08:55:03.300   A     bla.mooo.com.             8.8.8.8              128ms     A: 123.123.123.123
    08:55:03.432   A     bla.mooo.com.             8.8.8.8              4ms       A: 123.123.123.123
    08:55:03.437   A     bla.mooo.com.             8.8.8.8              125ms     A: 123.123.123.123
    08:55:03.564   A     bla.mooo.com.             8.8.8.8              149ms     A: 123.123.123.123
    08:55:03.873   A     bla.mooo.com.             8.8.4.4              207ms     A: 123.123.123.123
    08:55:04.084   A     bla.mooo.com.             8.8.4.4              127ms     A: 123.123.123.123
    08:55:04.212   A     bla.mooo.com.             8.8.4.4              4ms       A: 123.123.123.123
    08:55:04.219   A     bla.mooo.com.             8.8.4.4              124ms     A: 123.123.123.123
    08:55:04.479   A     bla.mooo.com.             208.67.222.222       102ms     A: 123.123.123.123
    08:55:04.586   A     bla.mooo.com.             208.67.222.222       102ms     A: 123.123.123.123
    08:55:04.689   A     bla.mooo.com.             208.67.222.222       372ms     A: 123.123.123.123
    08:55:05.063   A     bla.mooo.com.             208.67.222.222       126ms     A: 123.123.123.123
    08:55:05.347   A     bla.mooo.com.             208.67.220.220       102ms     A: 123.123.123.123
    08:55:05.453   A     bla.mooo.com.             208.67.220.220       102ms     A: 123.123.123.123
    08:55:05.558   A     bla.mooo.com.             208.67.220.220       102ms     A: 123.123.123.123
    08:55:05.662   A     bla.mooo.com.             208.67.220.220       127ms     A: 123.123.123.123
    08:55:05.920   A     bla.mooo.com.             84.200.69.80                   <no response>
    Warning: got response for unknown query ID 56239
    08:55:07.660   A     bla.mooo.com.             84.200.69.80         3ms       A: 123.123.123.123
    08:55:07.667   A     bla.mooo.com.             84.200.69.80         3ms       A: 123.123.123.123
    08:55:07.673   A     bla.mooo.com.             84.200.69.80         3ms       A: 123.123.123.123
    08:55:07.824   A     bla.mooo.com.             84.200.70.40         137ms     A: 123.123.123.123
    08:55:07.965   A     bla.mooo.com.             84.200.70.40         3ms       A: 123.123.123.123
    08:55:07.970   A     bla.mooo.com.             84.200.70.40         3ms       A: 123.123.123.123
    08:55:07.975   A     bla.mooo.com.             84.200.70.40         4ms       A: 123.123.123.123
    08:55:08.120   A     bla.mooo.com.             9.9.9.11                       <no response>
    Warning: got response for unknown query ID 1714
    08:55:09.962   A     bla.mooo.com.             9.9.9.11                       <no response>
    Warning: got response for unknown query ID 61869
    08:55:11.009   A     bla.mooo.com.             9.9.9.11                       <no response>
    Warning: got response for unknown query ID 49932
    08:55:12.052   A     bla.mooo.com.             9.9.9.11             15ms      A: 123.123.123.123
    08:55:12.201   A     bla.mooo.com.             149.112.112.11       13ms      A: 123.123.123.123
    08:55:12.218   A     bla.mooo.com.             149.112.112.11       13ms      A: 123.123.123.123
    08:55:12.234   A     bla.mooo.com.             149.112.112.11       13ms      A: 123.123.123.123
    08:55:12.249   A     bla.mooo.com.             149.112.112.11       10ms      A: 123.123.123.123
    08:55:12.407   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.407   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.407   A     bla.mooo.com.             127.0.0.1            1ms       A: 123.123.123.123
    08:55:12.411   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.411   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.411   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.413   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.413   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.413   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.414   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.414   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    08:55:12.414   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    
    opened by thomasmerz 0
  • Added option to specify the network interface (now it works on FreeBSD)

    Hi, this is a pull request to fix my issue #20. It adds a new command line parameter to specify a network interface to listen on. Now it works on FreeBSD (because it doesn't support the "any" interface). Bye, Riccardo

    opened by rm1984 0
  • "libpcap error: BIOCSETIF failed: Device not configured" on FreeBSD

    Hi, I get this error when running dnspeep on FreeBSD:

    query name                           server IP            response
    Error: Failed to start. This may be because you need to run this as root.
    
    Caused by:
        libpcap error: BIOCSETIF failed: Device not configured
    
    Location:
        src/main.rs:176:10
    

    This is because FreeBSD doesn't support sniffing on the "any" interface. Please add a command line option to indicate a specific network interface to listen on.

    Cheers, Riccardo

    opened by rm1984 0
  • Error parsing DNS packet: Failed to parse DNS packet: Decode of type … is not yet implemented

    Today I found this by accident:

    Error parsing DNS packet: Failed to parse DNS packet: Decode of type NSEC3 is not yet implemented
    Error parsing DNS packet: Failed to parse DNS packet: Decode of type RRSIG is not yet implemented
    

    This could be implemented if time flies by… 💨

    opened by thomasmerz 2
Owner
Julia Evans