spy on the DNS queries your computer is making

Related tags

Security tools dnspeep
Overview

dnspeep

dnspeep lets you spy on the DNS queries your computer is making.

Here's some example output:

$ sudo dnspeep
query name                           server IP       response
A     incoming.telemetry.mozilla.org 192.168.1.1     CNAME: telemetry-incoming.r53-2.services.mozilla.com, CNAME: pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com, A: 52.39.144.189, A: 54.191.136.131, A: 34.215.151.143, A: 54.149.208.57, A: 44.226.235.191, A: 52.10.174.113, A: 35.160.138.173, A: 44.238.190.78
AAAA  incoming.telemetry.mozilla.org 192.168.1.1     CNAME: telemetry-incoming.r53-2.services.mozilla.com, CNAME: pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com
A     www.google.com                 192.168.1.1     A: 172.217.13.132
AAAA  www.google.com                 192.168.1.1     AAAA: 2607:f8b0:4020:807::2004
A     www.neopets.com                192.168.1.1     CNAME: r9c3n8d2.stackpathcdn.com, A: 151.139.128.11
AAAA  www.neopets.com                192.168.1.1     CNAME: r9c3n8d2.stackpathcdn.com

Installing

  1. Download recent release of dnspeep from the GitHub releases page
  2. Unpack it
  3. Put the dnspeep binary in your PATH (for example in /usr/local/bin)

How it works

It uses libpcap to capture packets on port 53, and then matches up DNS request and response packets so that it can show the request and response together on the same line.

It also tracks DNS queries which didn't get a response within 1 second and prints them out with the response <no response>.

Limitations

  • Only supports the DNS query types supported by the dns_parser crate (here's a list)
  • Doesn't support TCP DNS queries, only UDP
  • It can't show DNS-over-HTTPS queries (because it would need to MITM the HTTPS connection)
Comments
  • RFE: source process and response time

    RFE: source process and response time

    Thanks for this project! It sure makes life a lot easier, so I don't need to remember the BPF syntax.

    I would like to ask for two enhancements, if possible: a) The source name or PID of the process which generated the query. b) The time that it took to receive the response.

    Thank you!

    opened by badnetmask 7
  • Index out of bounds panic in main.rs:153:21

    Index out of bounds panic in main.rs:153:21

    Running dnspeep on a Fedora 33 machine with both IPv4 and IPv6 connectivity I can sometimes see queries but then sooner or later I get:

    thread 'main' panicked at 'index out of bounds: the len is 0 but the index is 0', src/main.rs:153:21
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

    The backtrace doesn't seem to be very useful; it appears to be failing where it says it's failing, in the line:

        let question = &dns_packet.questions[0];

    This seems to be the result of the authoritative DNS server I'm running on this machine answering a query by telling the sender to go away (I think):

    In  IP [RANDOM-IP].30279 > [MYIP].domain: 5140+ [1au] ANY? . (33)
Out IP [MYIP].domain > [RANDOM-IP].30279: 5140-| [0q] 0/0/1 (23)

    Wireshark confirms that the relevant DNS reply packet has no questions, no answer RRs, no authority RRs, and one additional RR of type OPT.

    (This has already been useful, I had no idea people were spraying my authoritative nameserver with these queries.)

    opened by siebenmann 5
  • Support SVCB and HTTPS resource records

    Support SVCB and HTTPS resource records

    This adds support for record types 64 and 65, service binding and HTTPS. This required upgrading to the latest version of dns-message-parser and bumping the minor revision of bytes.

    Resolves: #7

    opened by l0s 3
  • [wip]: support Windows

    [wip]: support Windows

    Hi, I made some efforts to make it run on Windows successfully and to dome refactoring.

    But I have trouble with setting up the GitHub actions for Windows currently.

    opened by nomyfan 3
  • URL wrong for releases in README

    URL wrong for releases in README

    opened by njr0 3
  • sudo and libpcap error

    sudo and libpcap error

    I tried to run this on WSL on an x86 machine and got this error:

    $ sudo ./dnspeep
Error: Failed to start. You need to run this as root.

Caused by:
    libpcap error: socket: Address family not supported by protocol

Location:
    src/main.rs:91:10

    I am not sure why it says You need to run this as root. when I am running it as sudo. And there is also the libpcap error, which I am hoping is because of the sudo error.

    opened by ashwin 2
  • Project license?

    Project license?

    I am packaging this project, and I would like to know the license for the code. I've looked around in all the usual places but I can't find any indication of any particular license. Various dependencies have the licenses "Apache-2.0 BSD-3-Clause ISC MIT Unlicense", but I can't find anything for this project.

    opened by EmRowlands 2
  • Cargo.toml in v0.1.1 has wrong version number

    Cargo.toml in v0.1.1 has wrong version number 

    [package]
name = "dnspeep"
version = "0.1.0"
authors = ["Julia Evans <[email protected]>"]
edition = "2018"

    It says that it's still 0.1.0, rather than 0.1.1

    opened by EmRowlands 0
  • Don't require that the response query have a question section

    Don't require that the response query have a question section

    Apparently (as reported in #5) the answer query doesn't always have a question section, so this uses the question type / name from the query instead of looking for it in the response.

    Fixes #5

    opened by jvns 0
  • 🚸 print version when printing usage information with '-h'

    🚸 print version when printing usage information with '-h'

    This PR will solve issue #22 and print version when printing usage information with '-h'. ⚠️ Version is currently hard-coded because I have no idea of Rust and how to make this more elegant 🤷🏻‍♂️

    opened by thomasmerz 1

  • "Warning: got response for unknown query ID …"

    What does this mean and to which query is this related? Please advice/explain or add more information into output. Thanks a lot.

    08:55:01.565   A     bla.mooo.com.             45.90.28.39          10ms      A: 123.123.123.123
08:55:01.580   A     bla.mooo.com.             45.90.28.39          10ms      A: 123.123.123.123
08:55:01.592   A     bla.mooo.com.             45.90.28.39          11ms      A: 123.123.123.123
08:55:01.606   A     bla.mooo.com.             45.90.28.39          10ms      A: 123.123.123.123
08:55:01.785   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
08:55:01.792   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
08:55:01.798   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
08:55:01.803   A     bla.mooo.com.             45.90.30.39          3ms       A: 123.123.123.123
08:55:01.958   A     bla.mooo.com.             1.1.1.1              513ms     A: 123.123.123.123
08:55:02.473   A     bla.mooo.com.             1.1.1.1              5ms       A: 123.123.123.123
08:55:02.481   A     bla.mooo.com.             1.1.1.1              244ms     A: 123.123.123.123
08:55:02.727   A     bla.mooo.com.             1.1.1.1              6ms       A: 123.123.123.123
08:55:02.860   A     bla.mooo.com.             1.0.0.1              135ms     A: 123.123.123.123
08:55:03.000   A     bla.mooo.com.             1.0.0.1              13ms      A: 123.123.123.123
08:55:03.016   A     bla.mooo.com.             1.0.0.1              131ms     A: 123.123.123.123
08:55:03.150   A     bla.mooo.com.             1.0.0.1              9ms       A: 123.123.123.123
08:55:03.300   A     bla.mooo.com.             8.8.8.8              128ms     A: 123.123.123.123
08:55:03.432   A     bla.mooo.com.             8.8.8.8              4ms       A: 123.123.123.123
08:55:03.437   A     bla.mooo.com.             8.8.8.8              125ms     A: 123.123.123.123
08:55:03.564   A     bla.mooo.com.             8.8.8.8              149ms     A: 123.123.123.123
08:55:03.873   A     bla.mooo.com.             8.8.4.4              207ms     A: 123.123.123.123
08:55:04.084   A     bla.mooo.com.             8.8.4.4              127ms     A: 123.123.123.123
08:55:04.212   A     bla.mooo.com.             8.8.4.4              4ms       A: 123.123.123.123
08:55:04.219   A     bla.mooo.com.             8.8.4.4              124ms     A: 123.123.123.123
08:55:04.479   A     bla.mooo.com.             208.67.222.222       102ms     A: 123.123.123.123
08:55:04.586   A     bla.mooo.com.             208.67.222.222       102ms     A: 123.123.123.123
08:55:04.689   A     bla.mooo.com.             208.67.222.222       372ms     A: 123.123.123.123
08:55:05.063   A     bla.mooo.com.             208.67.222.222       126ms     A: 123.123.123.123
08:55:05.347   A     bla.mooo.com.             208.67.220.220       102ms     A: 123.123.123.123
08:55:05.453   A     bla.mooo.com.             208.67.220.220       102ms     A: 123.123.123.123
08:55:05.558   A     bla.mooo.com.             208.67.220.220       102ms     A: 123.123.123.123
08:55:05.662   A     bla.mooo.com.             208.67.220.220       127ms     A: 123.123.123.123
08:55:05.920   A     bla.mooo.com.             84.200.69.80                   <no response>
Warning: got response for unknown query ID 56239
08:55:07.660   A     bla.mooo.com.             84.200.69.80         3ms       A: 123.123.123.123
08:55:07.667   A     bla.mooo.com.             84.200.69.80         3ms       A: 123.123.123.123
08:55:07.673   A     bla.mooo.com.             84.200.69.80         3ms       A: 123.123.123.123
08:55:07.824   A     bla.mooo.com.             84.200.70.40         137ms     A: 123.123.123.123
08:55:07.965   A     bla.mooo.com.             84.200.70.40         3ms       A: 123.123.123.123
08:55:07.970   A     bla.mooo.com.             84.200.70.40         3ms       A: 123.123.123.123
08:55:07.975   A     bla.mooo.com.             84.200.70.40         4ms       A: 123.123.123.123
08:55:08.120   A     bla.mooo.com.             9.9.9.11                       <no response>
Warning: got response for unknown query ID 1714
08:55:09.962   A     bla.mooo.com.             9.9.9.11                       <no response>
Warning: got response for unknown query ID 61869
08:55:11.009   A     bla.mooo.com.             9.9.9.11                       <no response>
Warning: got response for unknown query ID 49932
08:55:12.052   A     bla.mooo.com.             9.9.9.11             15ms      A: 123.123.123.123
08:55:12.201   A     bla.mooo.com.             149.112.112.11       13ms      A: 123.123.123.123
08:55:12.218   A     bla.mooo.com.             149.112.112.11       13ms      A: 123.123.123.123
08:55:12.234   A     bla.mooo.com.             149.112.112.11       13ms      A: 123.123.123.123
08:55:12.249   A     bla.mooo.com.             149.112.112.11       10ms      A: 123.123.123.123
08:55:12.407   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.407   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.407   A     bla.mooo.com.             127.0.0.1            1ms       A: 123.123.123.123
08:55:12.411   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.411   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.411   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.413   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.413   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.413   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.414   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.414   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
08:55:12.414   A     bla.mooo.com.             127.0.0.1            0ms       A: 123.123.123.123
    opened by thomasmerz 0
  • Added option to specify the network interface (now it works on FreeBSD)

    Added option to specify the network interface (now it works on FreeBSD)

    Hi, this is a pull request to fix my issue #20. It adds a new command line parameter to specify a network interface to listen on. Now it works on FreeBSD (because it doesn't support the "any" inferface). Bye, Riccardo

    opened by rm1984 0

  • "libpcap error: BIOCSETIF failed: Device not configured" on FreeBSD

    Hi, I get this error when running dnspeep on FreeBSD:

    query name                           server IP            response
Error: Failed to start. This may be because you need to run this as root.

Caused by:
    libpcap error: BIOCSETIF failed: Device not configured

Location:
    src/main.rs:176:10

    This is because FreeBSD doesn't support sniffing on the "any" interface. Please add an command line option to indicate a specific network interface to listen on.

    Cheers, Riccardo

    opened by rm1984 0
  • Error parsing DNS packet: Failed to parse DNS packet: Decode of type … is not yet implemented

    Error parsing DNS packet: Failed to parse DNS packet: Decode of type … is not yet implemented

    Today I found this by accident:

    Error parsing DNS packet: Failed to parse DNS packet: Decode of type NSEC3 is not yet implemented
Error parsing DNS packet: Failed to parse DNS packet: Decode of type RRSIG is not yet implemented

    This could be implemented if time flies by… 💨

    opened by thomasmerz 2
Owner
Julia Evans
Julia Evans
GitHub
A simple menu to keep all your most used one-liners and scripts in one place

Dama Desktop Agnostic Menu Aggregate This program aims to be a hackable, easy to use menu that can be paired to lightweight window managers in order t

null 47 Jul 23, 2022
Checks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks. See CVE-2021-42574

BIDI Character Detector This tool checks your files for existence of Unicode BIDI characters which can be misused for supply chain attacks to mitigate

null 5 Aug 26, 2022
ripgrep recursively searches directories for a regex pattern while respecting your gitignore

ripgrep (rg) ripgrep is a line-oriented search tool that recursively searches the current directory for a regex pattern. By default, ripgrep will resp

Andrew Gallant 35k Dec 31, 2022
Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

LibAFL, the fuzzer library. Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust. LibAFL is written and main

Advanced Fuzzing League ++ 1.2k Jan 6, 2023
How-to: Sanitize your Rust code!

rust-san How-to: Sanitize your Rust code! Intro How to use the sanitizers? Examples AddressSanitizer Out of bounds access Use after free LeakSanitizer

Jorge Aparicio 359 Dec 22, 2022
Breaking your Rust code for fun and profit

Breaking your Rust code for fun & profit this is an architecture-preview, not all components are there This is a mutation testing framework for Rust c

null 542 Jan 4, 2023
A tiny program that locates and extracts public save files from Windows to your local directory!

Save Game Extractor | Download Save Game Extractor is a tool that automatically locates and copies save files for Windows games in public directories.

popcar2 6 Dec 23, 2021
Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps. 👻🐚

moonwalk Cover your tracks during Linux Exploitation / Penetration Testing by leaving zero traces on system logs and filesystem timestamps. ?? Table o

Mufeed VH 1.1k Jan 6, 2023
Adds zero-cost stack overflow protection to your embedded programs

flip-link adds zero-cost stack overflow protection to your embedded programs The problem Bare metal Rust programs may not be memory safe in presence o

Knurling 151 Dec 29, 2022
Cyg will help you to secure files in your repository directly using PGP encryption

cyg: Secure files in your repository Cyg will help you to secure files in your repository directly using PGP encryption. The name "cyg" was inspired b

Hisam Fahri 2 Aug 31, 2022
Obtain (wildcard) certificates from let's encrypt using dns-01 without the need for API access to your DNS provider.

Agnos Presentation Agnos is a single-binary program allowing you to easily obtain certificates (including wildcards) from Let's Encrypt using DNS-01 c

Arthur Carcano 246 Dec 20, 2022
A Rust library for evaluating log4j substitution queries in order to determine whether or not malicious queries may exist.

log4j_interpreter A Rust library for evaluating log4j substitution queries in order to determine whether or not malicious queries may exist. Limitatio

Fastly 22 Nov 7, 2022
DNS Server written in Rust for fun, see https://dev.to/xfbs/writing-a-dns-server-in-rust-1gpn

DNS Fun Ever wondered how you can write a DNS server in Rust? No? Well, too bad, I'm telling you anyways. But don't worry, this is going to be a fun o

Patrick Elsen 26 Jan 13, 2023
nats-spy is a terminal tool to help you to monitor NATS messages.

nats-spy nats-spy is a terminal tool to help you to monitor NATS messages. Install Homebrew (macOS) brew install alihanyalcin/nats-spy/nats-spy Usage

Alihan Doğuş Yalçın 23 Oct 23, 2022
Py-spy - Sampling profiler for Python programs

py-spy: Sampling profiler for Python programs py-spy is a sampling profiler for Python programs. It lets you visualize what your Python program is spe

Ben Frederickson 9.5k Jan 8, 2023
A small program to feed the audio from your QRP-Labs QDX digital transceiver through to your computer's speakers

A small program to feed the audio from your QRP-Labs QDX digital transceiver through to your computer's speakers. Also gives you a small user interface in which you can see a signal-strength meter, control the output volume coming from your speakers, and to tune the QDX to a particular frequency (receive SSB and other signals!).

Matt Gumbley 3 Jul 24, 2023
Easily add metrics to your system -- and actually understand them using automatically customized Prometheus queries

Autometrics ?? ✨ Autometrics is a macro that makes it trivial to add useful metrics to any function in your codebase. Easily understand and debug your

Fiberplane 341 Feb 6, 2023
Easily add metrics to your system -- and actually understand them using automatically customized Prometheus queries

A Rust macro that makes it easy to understand the error rate, response time, and production usage of any function in your code. Jump from your IDE to

Autometrics 462 Mar 6, 2023
Experimental extension that brings OpenAI API to your PostgreSQL to run queries in human language.

Postgres <> ChatGPT Experimental PostgreSQL extension that enables the use of OpenAI GPT API inside PostgreSQL, allowing for queries to be written usi

CloudQuery 315 Apr 10, 2023
Cross-platform tool to update DNS such as Gandi.net with your dynamic IP address

GDU | Generic DNS Update A cross-platform tool to update DNS zonefiles (such as Gandi.net) when you have a dynamic public IP address. It's a DynDNS or

Damien Lecan 10 Jan 20, 2022