NAME¶

radns - process DNS data from argus(8) data streams / files.

SYNOPSIS¶

radns [raoptions] [-- filter-expression]

DESCRIPTION¶

Radns reads argus data from an argus-data source, and extracts and tracks DNS transaction data from the argus data records. radns is a flow record labeler, and can be configured to label flow records with the dns names of the saddr and daddr addresses seen in the outer IP DSR of flow records. As a result, radns can be a stage in an argus data flow stream, enhancing real-time flow records with DNS metadata.

OPTIONS¶

Radns, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression, and the ability to specify the output style, format and contents for printing data. See ra(1) for a complete description of ra options. radns(1) specific options are:

-M modes

Supported modes are:

CONFIGURATION¶

radns(1) can be configured using a radns.conf(5) configuration file. See radns.conf(5) for a complete description of radns configuration options.

INVOCATION¶

A sample invocation of radns(1). This call reads argus(8) data from inputfile and prints the DNS transaction content as it is read from the argus(8) data.

% radns -R /usr/local/argus/archive/*/en0/2024/02/05/*.05.10.0* -N 1200
02/05.05:12:50.506561: AAAA? KitAppTV.local. : 
02/05.05:14:30.116963: AAAA? qosient.mail.pairserver.com. :  SOA pairserver.com. ns1.pair.com. root.pair.com. 2024020506 3600 300 604800 7200
02/05.10:01:06.404054: PTR? lb._dns-sd._udp.0.129.37.10.in-addr.arpa. :  SOA 10.in-addr.arpa. prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
apophis:argus-clients-5.0 carter$ bin/radns -M json -R /usr/local/argus/archive/*/en0/2024/02/05/*.05.10.0* -N 1250
02/05.05:12:50.506561: AAAA? KitAppTV.local. : 
02/05.05:14:30.116963: AAAA? qosient.mail.pairserver.com. :  SOA pairserver.com. ns1.pair.com. root.pair.com. 2024020506 3600 300 604800 7200
02/05.10:01:06.404054: PTR? lb._dns-sd._udp.0.129.37.10.in-addr.arpa. :  SOA 10.in-addr.arpa. prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
02/05.10:01:45.717174: Type65? init.push.apple.com. :  CNAME init.push.apple.com. init.push-apple.com.akadns.net. SOA akadns.net. internal.akadns.net. hostmaster.akamai.com. 1629813934 90000 90000 90000 180
02/05.10:01:45.717302: AAAA? init.push.apple.com. :  AAAA init.push-apple.com.akadns.net. 2620:149:208:430a::4[28],2620:149:208:430e::4[28],2620:149:208:430c::4[28],2620:149:208:430b::4[28],2620:149:208:430d::4[28] CNAME init.push.apple.com. init.push-apple.com.akadns.net.
02/05.10:01:45.717432: A? init.push.apple.com. :  A init.push-apple.com.akadns.net. 17.188.179.2[16],17.188.178.2[16],17.188.178.226[16],17.188.178.34[16],17.188.143.158[16],17.188.143.157[16],17.188.179.34[16],17.188.143.187[16] CNAME init.push.apple.com. init.push-apple.com.akadns.net.
02/05.10:01:45.736437: Type65? init.push-apple.com.akadns.net. :  SOA akadns.net. internal.akadns.net. hostmaster.akamai.com. 1629813934 90000 90000 90000 180

A sample invocation of radns(1). This call reads argus(8) data from inputfile and uses the -q option to suppress DNS transaction reporting. radns(1) caches its DNS server, clients and transaction data in memory, and when finished reading data, resolve queries about the data.

In this example, it reads a days of data and looks up references to a specific DNS query, printing its output as json data.

% radns -M json -R /usr/local/argus/archive/*/en0/2024/02/05 -qM search:qosient.com.
{ "name":"qosient.com.", "ref":"3", "stime":"1707147521","ltime":"1707183149", "addr":[ "216.92.14.146" ], "server":[ "2603:7000:c00:b053:ea9f:80ff:fe85:5cc5" ], "client":[ "2603:7000:c00:b053:987f:ad32:81c:e70f", "2603:7000:c00:b053:f9f2:6d70:ff9c:48d7" ] }

COPYRIGHT¶

Copyright (c) 2000-2024 QoSient. All rights reserved.

SEE ALSO¶

radns.conf(5), ra(1), rarc(5), argus(8),

FILES¶

AUTHORS¶

Carter Bullard (carter@qosient.com).

BUGS¶