Farsight Security Passive DNS Sensor


Farsight Passive DNS is a project that collects DNS response data received by caching, recursive DNS servers distributed around the Internet. This data is aggregated and made available via the Farsight SIE platform where it is imported in an anonymized form into the Farsight DNSDB system. Operating a Farsight Passive DNS sensor improves the quality of data available from Farsight DNSDB and aids anti-abuse research.

The passive DNS sensor only collects the DNS data received by a caching server as the result of recursion. The queries sent by individual clients are never logged. The sensor also offers the ability to zero out the IP address of the resolver.

By default the total number of entries in the query table is limited and a hard memory limit of 512 MB is enforced on the DNS sensor process. CPU utilization by the DNS sensor tends to be fairly low, even on heavily loaded recursive servers.

Note: A passive DNS sensor requires accurate timestamping. Make sure that the machine you intend to run the sensor on has an NTP client installed and running and that the system time is correct before proceeding.

See also:

If you would like to participate in the Farsight Passive DNS project, please send an email to passivedns@farsightsecurity.com.

Deployment Options

The Farsight Passive DNS sensor works by capturing raw packets from a network interface and reconstructing the DNS transactions that occurred between recursive and authoritative nameservers. Most sensor operators install the sensor directly on the recursive DNS server being monitored. The nameserver implementation does not matter since the sensor captures DNS packets from the server's network interface. The sensor can also be installed on a network monitoring server with access to a network tap of or port mirror of the server's DNS traffic. In the latter case multiple DNS servers may of course be monitored, but both the RX and TX network directions must be monitored since the sensor tracks query/response state.


Debian and Ubuntu

Debian binary packages for both the i386 and amd64 architectures are available from the following location: https://github.com/farsightsec/sie-dns-sensor/tree/master/binaries/0.11.2-1. These packages are compatible with Debian and Ubuntu systems. After downloading the appropriate binary package, it may be installed with the package manager. For example on Debian (amd64) systems and clones:

dpkg -i sie-dns-sensor_0.11.2-1_amd64.deb
Red Hat EL6 or EL7, Scientific Linux, CentOS

Red Hat binary packages for both the i386 and amd64 architectures and compiled separately for the EL6 and EL7 releases available from the following location: https://github.com/farsightsec/sie-dns-sensor/tree/master/binaries/0.11.2-1/. These packages are compatible with RHEL clones such as Scientific Linux and CentOS. After downloading the appropriate binary package, it may be installed with the package manager. For example on Red Hat EL7 (x86_64) systems and clones:

rpm -i sie-dns-sensor-0.11.2-1.el7.x86_64.rpm

Installation on FreeBSD requires some prerequisites to be installed, which are available as official FreeBSD pre-compiled binary packages.

pkg install nmsg wrapsrv bash rsync

Download the latest version of the sie-scripts tarball from the following location: https://dl.farsightsecurity.com/dist/sie-scripts/. Extract the tarball and change into the top-level directory of the extracted tarball and then perform the following steps:

make -f Makefile.freebsd install
cp examples/dns-cache /usr/local/etc/sie/dns-cache
cp initscripts/freebsd/sie_dns_sensor.sh /usr/local/etc/rc.d/sie_dns_sensor
chmod +x /usr/local/etc/rc.d/sie_dns_sensor

Add sie_dns_sensor_enable="YES" to the /etc/rc.conf file, and add an entry to /etc/crontab to peridically run /usr/local/lib/sie/sie-trim-spool

Uploading data to Farsight

The sie-dns-sensor package has a built-in uploader that will send captured data to the Farsight Passive DNS project. The uploader uses an SSH encrypted connection on port 49222 to transfer data. Make sure that no firewall rules prevent outbound connections on this port to Farsight's servers. The upload keypair is stored in the /var/spool/sie/keys directory in the files upload (private key) and upload.pub (public key). Run the sie-gen-key command to generate a keypair. If sie-dns-sensor is installed on multiple servers, please copy the same keypair to each server instead of creating a separate keypair for each server.

Email the public key (i.e. the /var/spool/sie/keys/upload.pub file) as an attachment to passivedns@farsightsecurity.com and include the IPv4 and/or IPv6 addresses that your sensor(s) will inititiate data uploads from. Farsight will assign you a username and will indicate what channel the data should be uploaded to.


sie-dns-sensor requires further configuration after installation.

Open the /etc/default/sie-dns-sensor file (/usr/local/etc/sie/dns-cache and /usr/local/etc/sie/config on FreeBSD). Set the login variable to the username assigned by Farsight. Set the channel variable to the channel that Farsight indicates that you should use.

If necessary, edit the interface variable, which specifies the network interface on which to monitor DNS traffic. By default the "promiscuous" capture mode is not enabled. Append a "+" character to the interface name to enable promiscuous mode. Promiscuous mode is required when monitoring a network tap.

The DNSQR_RES_ADDRS variable must also be set to a list of one or more comma-separated IP addresses or network prefixes to be monitored. Some example values for this variable are:

  • A single server with one address:

  • Multiple addresses:

  • An IPv4 address and an IPv6 address:

    DNSQR_RES_ADDRS=", 2001:db8::53"
  • An entire IPv4 subnet:

  • An IPv4 subnet and an IPv6 subnet:

    DNSQR_RES_ADDRS=", 2001:db8::/64"

By default the uploader will remove successfully uploaded data files. For debugging purposes, uploading can be disabled by setting upload="no" in the config file. Additionally, data files can be saved to disk by setting archive="yes", in which case the rotated data files will be saved to the /var/spool/sie/archive directory.

The uploader sends log messages to syslog with an sie: prefix upon upload success or failure. The syslog priority can be configured by setting the syslog_priority config variable.

The max_spool_size_kbytes configuration setting can be used to limit the amount of space consumed by data in the spool directory so that the disk does not completely fill if uploads fail for an extended period of time. There is no limit if this is not set. This limit is enforced by the sie-trim-spool command.

The memory_ulimit_kbytes configuration setting is used to limit the amount of memory used by nmsgtool and its descendent processes. On Linux, the default is 524288 if not set. This variable must be set for sie-scripts on FreeBSD, otherwise the memory usage is not limited.

These configuration variables may also optionally be set to control data collection:

  • DNSQR_ZERO_RESOLVER_ADDRESS: if set to "1", the address of the resolver will be zeroed (set to or :: depending on address family) in the saved output data.
  • DNSQR_FILTER_QNAMES_EXCLUDE: may be set to a list of colon-separated domain names. Any payload whose qname matches a domain in the exclude filter list or a subdomain of any domain in the exclude filter list will be excluded from the saved output data.
  • DNSQR_FILTER_QNAMES_INCLUDE: may be set to a list of colon-separated domain names. Any payload whose qname matches a domain in the include filter list or a subdomain of any domain in the include filter list will be included in the saved output data. The include filter list is processed before the exclude filter list.

These configuration variables must also be set in the config file. Their expected default values are shown in brackets.

  • spooldir: ["/var/spool/sie"] the directory where output files are spooled before being uploaded.
  • uploadkey: ["/var/spool/sie/keys/upload"] the ssh key to use for uploading.
  • maxper: [16] the maximum number of output files to upload at once.

Starting and stopping the service

sie-dns-sensor uses the standard init system on Linux and FreeBSD, and will be configured automatically to start at boot and stop at shutdown.


To start the sensor, run:

service sie-dns-sensor start

To stop the sensor, run:

service sie-dns-sensor stop

To restart the sensor, run:

service sie-dns-sensor restart

To start the sensor, run:

service sie_dns_sensor start

To stop the sensor, run:

service sie_dns_sensor stop

To restart the sensor, run:

service sie_dns_sensor restart


Debian and Ubuntu

Use the package manager to uninstall the sie-dns-sensor package:

dpkg -P sie-dns-sensor
Red Hat EL5 or EL6, Scientific Linux, CentOS

Use the package manager to uninstall the sie-dns-sensor package:

rpm -e sie-dns-sensor
rm -f /etc/default/sie-dns-sensor.rpmsave

Delete the files installed by sie-scripts:

rm -r /usr/local/etc/sie
rm /usr/local/etc/rc.d/sie_dns_sensor
rm -r /usr/local/lib/sie

Use the pkg delete command to remove any of the prerequisite packages that were installed and which are not needed for other purposes on the machine.


Additionally, the /var/spool/sie directory will need to be removed manually.

Note on source code

The Linux sie-dns-sensor binary package contains components from nmsg and other open source projects. The build scripts and artifacts used to produce the sie-dns-sensor binary package are available from the Github sie-dns-sensor repository.

Note on nmsg

The sie-dns-sensor binary packages for Debian and Red Hat include a stripped down version of the libnmsg library and nmsgtool utility specially tailored for the passive DNS sensor software role. As of sie-dns-sensor version 0.7.3-1, these components are installed in a dedicated path, either /usr/lib/sie-dns-sensor or /usr/lib64/sie-dns-sensor depending on platform, and will not conflict with an installation of nmsg on the same system.

For the latest fully-featured binary packages of libnmsg, nmsgtool, and related components, see the Security Information Exchange (SIE) on Debian, Security Information Exchange (SIE) on CentOS / RHEL, and Security Information Exchange (SIE) on FreeBSD pages.