Farsight Passive DNS Sensor


Farsight Passive DNS is a project that collects DNS response data received by caching, recursive DNS servers distributed around the Internet. This data is aggregated and made available via the Farsight SIE platform where it is imported in an anonymized form into the Farsight DNSDB system. Operating a Farsight Passive DNS sensor improves the quality of data available from Farsight DNSDB and aids anti-abuse research.

The passive DNS sensor only collects the DNS data received by a caching server as the result of recursion. The queries sent by individual clients are never logged. The sensor also offers the ability to zero out the IP address of the resolver.

By default the total number of entries in the query table is limited and a hard memory limit of 512 MB is enforced on the DNS sensor process. CPU utilization by the DNS sensor tends to be fairly low, even on heavily loaded recursive servers.

Note: A passive DNS sensor requires accurate timestamping. Make sure that the machine you intend to run the sensor on has an NTP client installed and running and that the system time is correct before proceeding.

See also:
If you would like to participate in the Farsight Passive DNS project, please send an email to passivedns@farsightsecurity.com.

Deployment Options

The Farsight Passive DNS sensor works by capturing raw packets from a network interface and reconstructing the DNS transactions that occurred between recursive and authoritative nameservers. Most sensor operators install the sensor directly on the recursive DNS server being monitored. The nameserver implementation does not matter, since the sensor works from the DNS packets on the server's network interface rather than from the nameserver itself. The sensor can also be installed on a network monitoring server with access to a network tap or port mirror of the DNS server's traffic. In the latter case multiple DNS servers may of course be monitored, but both the RX and TX directions must be mirrored, since the sensor tracks query/response state: a response seen without its query, or a query seen without its response, cannot be reconstructed into a transaction.
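The reassembly described above, and why a single mirrored direction is not enough, can be seen in the following simplified model. It is an added example written for this page, not code from sie-dns-sensor, and it does not claim to reproduce the sensor's internals: the packets are constructed tuples rather than a capture, the resolver, client and authoritative addresses are assumed values from the RFC 5737/RFC 3849 documentation ranges, and the matching key (socket 4-tuple plus DNS transaction ID) is a common choice, not necessarily the sensor's.

```python
"""Simplified query/response reassembly for a passive DNS sensor.

Added example for this page, not code from sie-dns-sensor.  The packets are
constructed sample data; all addresses come from documentation ranges.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# Addresses of the monitored resolver(s), the role DNSQR_RES_ADDRS plays in
# the real configuration.  Assumed values (RFC 5737 / RFC 3849 ranges).
RESOLVERS = {"192.0.2.53", "2001:db8::53"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    txid: int            # DNS header transaction ID
    is_response: bool    # DNS header QR bit
    qname: str
    rdata: tuple = ()    # answer data (responses only)


def reassemble(packets: Iterable[Packet], zero_resolver: bool = False) -> list[dict]:
    """Pair each recursion-leg query with its response.

    Only queries whose source is a monitored resolver enter the pending table,
    so stub-client queries (client -> resolver) are never recorded.  A response
    is matched on the reversed socket 4-tuple plus transaction ID; a response
    with no pending query is discarded.  With zero_resolver=True the resolver
    address is blanked in the output, modelling the zeroing option.
    """
    pending: dict[tuple, Packet] = {}
    completed: list[dict] = []
    for p in packets:
        if not p.is_response:
            if p.src in RESOLVERS:               # recursion leg only
                pending[(p.src, p.sport, p.dst, p.dport, p.txid)] = p
            continue
        key = (p.dst, p.dport, p.src, p.sport, p.txid)   # reverse of the query's key
        q = pending.pop(key, None)
        if q is None or q.qname != p.qname:
            continue                              # unsolicited or mismatched response
        resolver = ("::" if ":" in q.src else "0.0.0.0") if zero_resolver else q.src
        completed.append({"resolver": resolver, "authoritative": q.dst,
                          "qname": q.qname, "rdata": p.rdata})
    return completed


# Constructed sample traffic: one stub lookup that the resolver answers after
# recursing to an authoritative server, plus one unsolicited response.
CLIENT, RESOLVER, AUTH = "198.51.100.10", "192.0.2.53", "203.0.113.1"
SAMPLE = [
    Packet(CLIENT, 40000, RESOLVER, 53, 0x1A2B, False, "www.example.com."),   # client leg
    Packet(RESOLVER, 51234, AUTH, 53, 0x7C3D, False, "www.example.com."),     # recursion leg
    Packet(AUTH, 53, RESOLVER, 51234, 0x7C3D, True, "www.example.com.", ("192.0.2.80",)),
    Packet(RESOLVER, 53, CLIENT, 40000, 0x1A2B, True, "www.example.com.", ("192.0.2.80",)),
    Packet(AUTH, 53, RESOLVER, 51235, 0x0001, True, "other.example.", ("203.0.113.99",)),
]


def rx_only(packets: Iterable[Packet]) -> list[Packet]:
    """What a mirror of only the traffic *to* the resolver would deliver."""
    return [p for p in packets if p.dst in RESOLVERS]


if __name__ == "__main__":
    print("both directions:", reassemble(SAMPLE))
    print("both directions, resolver zeroed:", reassemble(SAMPLE, zero_resolver=True))
    print("inbound direction only:", reassemble(rx_only(SAMPLE)))
```

Fed both directions, the model yields exactly one transaction, the resolver's lookup at the authoritative server; the stub client's query is dropped at entry because its source is not a monitored resolver, which is the behaviour the text describes as "queries sent by individual clients are never logged". Fed only the packets addressed to the resolver, as a one-direction mirror would deliver, it yields nothing, because the resolver's outbound queries that open a table entry are never seen.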


Debian and Ubuntu
Debian binary packages for both the i386 and amd64 architectures are available from the following location: https://dl.farsightsecurity.com/dist/sie-dns-sensor/0.7.3-1/. These packages are compatible with Debian 7 and newer releases, as well as Ubuntu systems. After downloading the appropriate binary package, it may be installed with the package manager. For example on Debian (amd64) systems and clones:
dpkg -i sie-dns-sensor_0.7.3-1_amd64.deb

Red Hat EL5 or EL6, Scientific Linux, CentOS
Red Hat binary packages for both the i386 and amd64 architectures, compiled separately for the EL5 and EL6 releases, are available from the following location: https://dl.farsightsecurity.com/dist/sie-dns-sensor/0.7.3-1/. These packages are compatible with RHEL clones such as Scientific Linux and CentOS. After downloading the appropriate binary package, it may be installed with the package manager. For example on Red Hat EL6 (x86_64) systems and clones:
rpm -i sie-dns-sensor-0.7.3-1.el6.x86_64.rpm

FreeBSD
Installation on FreeBSD requires some prerequisites to be installed, which are available as official FreeBSD pre-compiled binary packages:
pkg install nmsg wrapsrv bash rsync

Download the latest version of the sie-scripts tarball from the following location: https://dl.farsightsecurity.com/dist/sie-scripts/. Extract the tarball, change into its top-level directory and perform the following steps:
  1. make -f Makefile.freebsd install
  2. cp examples/dns-cache /usr/local/etc/sie/dns-cache
  3. cp initscripts/freebsd/sie_dns_sensor.sh /usr/local/etc/rc.d/sie_dns_sensor
  4. chmod +x /usr/local/etc/rc.d/sie_dns_sensor
  5. Add sie_dns_sensor_enable="YES" to the /etc/rc.conf file


Configuration

sie-dns-sensor requires further configuration after installation.

Open the /etc/default/sie-dns-sensor file (/usr/local/etc/sie/dns-cache on FreeBSD). If necessary, edit the interface variable, which specifies the network interface on which to monitor DNS traffic. By default "promiscuous" capture mode is not enabled. Append a "+" character to the interface name to enable promiscuous mode. Promiscuous mode is required when monitoring a network tap or port mirror, because the mirrored frames are addressed to the DNS server's MAC address rather than the monitoring host's and would otherwise be discarded by the interface.

The DNSQR_RES_ADDRS variable must also be set to a list of one or more comma-separated IP addresses or network prefixes to be monitored. Some example values for this variable are:

A single server with one address:

Multiple addresses:

An IPv4 address and an IPv6 address:
DNSQR_RES_ADDRS=", 2001:db8::53"

An entire IPv4 subnet:

An IPv4 subnet and an IPv6 subnet:
DNSQR_RES_ADDRS=", 2001:db8::/64"

Note: the DNSQR_RES_ADDRS variable was introduced in sie-dns-sensor 0.6.16 and replaces the dnstype, bpfpat_src, and bpfpat_dst variables used by earlier versions. The config file must be updated to the new syntax when upgrading from a version older than 0.6.16.
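A preflight check for the configuration described above, as an added example for this page (not part of the sie-dns-sensor package): it parses the shell-style key=value file, splits the interface name from the trailing "+" that requests promiscuous mode, validates each DNSQR_RES_ADDRS entry with Python's ipaddress module so that a stray comma or a typo is caught before the sensor starts, and flags the pre-0.6.16 variable names that the note above says must be migrated. The sample file content is constructed and its addresses are documentation ranges, not real resolvers; the login and upload checks refer to the uploader settings covered in the next section and are this example's own choice of what to verify.

```python
"""Preflight check for an sie-dns-sensor configuration file.

Added example for this page, not part of the sie-dns-sensor package.  The
sample configuration is constructed; addresses are documentation ranges.
"""
from __future__ import annotations
import ipaddress
import shlex

# Constructed sample of /etc/default/sie-dns-sensor (or
# /usr/local/etc/sie/dns-cache on FreeBSD).  All values are assumptions.
SAMPLE_CONFIG = """\
# sie-dns-sensor settings (constructed sample)
interface="eth0+"
DNSQR_RES_ADDRS="192.0.2.53, 2001:db8::53,198.51.100.0/24"
login="sensor-example"
upload="yes"
archive="no"
"""


def parse_config(text: str) -> dict[str, str]:
    """Read key=value lines, honouring shell quoting and '#' comments."""
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        tokens = shlex.split(value, comments=True)   # strips quotes and trailing comments
        conf[key.strip()] = tokens[0] if tokens else ""
    return conf


def parse_interface(value: str) -> tuple[str, bool]:
    """Return (interface, promiscuous); a trailing '+' enables promiscuous mode."""
    if value.endswith("+"):
        return value[:-1], True
    return value, False


def parse_res_addrs(value: str) -> list[ipaddress.IPv4Network | ipaddress.IPv6Network]:
    """Parse the comma-separated DNSQR_RES_ADDRS list; raise ValueError on junk."""
    if not value.strip():
        return []
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in DNSQR_RES_ADDRS (stray comma?)")
        # strict=False also accepts a host address written with a prefix
        # length and widens it to the covering network.
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def check_config(text: str, tap: bool = False) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    conf = parse_config(text)
    problems: list[str] = []
    iface, promisc = parse_interface(conf.get("interface", ""))
    if not iface:
        problems.append("interface is not set")
    if tap and not promisc:
        problems.append("monitoring a tap requires promiscuous mode: append '+' to the interface name")
    try:
        if not parse_res_addrs(conf.get("DNSQR_RES_ADDRS", "")):
            problems.append("DNSQR_RES_ADDRS is empty")
    except ValueError as e:
        problems.append(f"DNSQR_RES_ADDRS: {e}")
    for legacy in ("dnstype", "bpfpat_src", "bpfpat_dst"):
        if legacy in conf:
            problems.append(f"{legacy} is a pre-0.6.16 variable; migrate it to DNSQR_RES_ADDRS")
    if conf.get("upload", "yes") == "yes" and not conf.get("login"):
        problems.append("upload is enabled but login is not set")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    issues = check_config(text, tap="--tap" in sys.argv)
    print("\n".join(issues) if issues else "configuration looks sane")
```

Run it with the path of the real config file (and --tap when the sensor sits on a tap or port mirror) before `service sie-dns-sensor start`; with no arguments it checks the constructed sample. The entry-by-entry parse is what turns a value such as `", 2001:db8::53"` into a clear "stray comma" message instead of a sensor that silently monitors the wrong addresses.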

Uploading data to Farsight

The sie-dns-sensor package has a built-in uploader that sends captured data to the Farsight Passive DNS project. The uploader uses an SSH-encrypted connection on TCP port 49222 to transfer data. Make sure that no firewall rules prevent outbound connections on this port to Farsight's servers. The upload keypair is stored in the /var/spool/sie/keys directory in the files upload (private key) and upload.pub (public key). Run the sie-gen-key command to generate a keypair. The private key is what authenticates your uploads, so keep it readable only by the account that runs the uploader. If sie-dns-sensor is installed on multiple servers, copy the same keypair to each server instead of creating a separate keypair for each server.

Email the public key (i.e. the /var/spool/sie/keys/upload.pub file) as an attachment to passivedns@farsightsecurity.com and include the IPv4 and/or IPv6 addresses that your sensor(s) will initiate data uploads from. A username will be assigned, and the login variable in the /etc/default/sie-dns-sensor config file must be set to this value.

By default the uploader will remove successfully uploaded data files. For debugging purposes, uploading can be disabled by setting upload="no" in the /etc/default/sie-dns-sensor config file. Additionally, data files can be saved to disk by setting archive="yes", in which case the rotated data files will be saved to the /var/spool/sie/archive directory.

The uploader sends log messages to syslog with an sie: prefix upon upload success or failure. The syslog priority can be configured by setting the syslog_priority config variable.

Starting and stopping the service

sie-dns-sensor uses the standard init system on Linux and FreeBSD and is configured to start at boot and stop at shutdown (on FreeBSD this is the sie_dns_sensor_enable="YES" line added to /etc/rc.conf during installation).

To start the sensor, run:
service sie-dns-sensor start

To stop the sensor, run:
service sie-dns-sensor stop

To restart the sensor, run:
service sie-dns-sensor restart

On FreeBSD the rc script installed above is named sie_dns_sensor, so use that name with service(8), for example service sie_dns_sensor start.


Uninstallation

Debian and Ubuntu
Use the package manager to uninstall the sie-dns-sensor package:
dpkg -P sie-dns-sensor

Red Hat EL5 or EL6, Scientific Linux, CentOS
Use the package manager to uninstall the sie-dns-sensor package:
rpm -e sie-dns-sensor

If the config file was modified, rpm preserves it as /etc/default/sie-dns-sensor.rpmsave on removal. Delete it if it is no longer needed:
rm -f /etc/default/sie-dns-sensor.rpmsave

FreeBSD
Stop the sensor, then use pkg delete to remove any of the prerequisite packages (nmsg, wrapsrv, bash, rsync) that were installed for the sensor and are not needed for other purposes on the machine. Remove the files installed from the sie-scripts tarball:
rm -r /usr/local/etc/sie

rm /usr/local/etc/rc.d/sie_dns_sensor

rm -r /usr/local/lib/sie

Remove the sie_dns_sensor_enable="YES" line from /etc/rc.conf. Additionally, the /var/spool/sie directory will need to be removed manually.

Note on source code

The sie-dns-sensor binary package contains components from nmsg and other open source projects. The build scripts and artifacts used to produce the sie-dns-sensor binary package are available from the sie-dns-sensor repository.

Note on nmsg

The sie-dns-sensor binary packages for Debian and Red Hat include a stripped down version of the libnmsg library and nmsgtool utility specially tailored for the passive DNS sensor software role. As of sie-dns-sensor version 0.7.3-1, these components are installed in a dedicated path, either /usr/lib/sie-dns-sensor or /usr/lib64/sie-dns-sensor depending on platform, and will not conflict with an installation of nmsg on the same system.

For the latest fully-featured binary packages of libnmsg, nmsgtool, and related components, see the Security Information Exchange (SIE) on Debian, Security Information Exchange (SIE) on CentOS / RHEL, and Security Information Exchange (SIE) on FreeBSD pages.
