Skip to content
4Quarks edited this page Mar 6, 2025 · 45 revisions

pDNSSOC is a minimalistic component allowing DNS data to be centrally collected, and correlated with malicious domains / IPs from a MISP instance.

Installation overview

A complete pDNSSOC deployment requires:

  • Access to a MISP instance (URL + API key are needed)
  • A source of DNS data, for example:
    • a DNS server with a dns-collector sender
    • dnstap files (typically rsync'ed of SSH)
  • A pDNSSOC server: a dns-collector receiver + pDNSSOC

pDNSSOC server

dns-collector receiver

  1. Create the user that will run the service:

    sudo useradd --system --no-create-home --shell /usr/sbin/nologin dnscollector
  2. Define the version of the dns-collector that you want to install:

     DNS_COLLECTOR_VERSION=$(curl -s | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/^v//')
  3. Install dns-collector

    curl -LO  "${DNS_COLLECTOR_VERSION}/dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \
    tar xvf "dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \
    mv go-dnscollector /usr/bin/go-dnscollector
  4. Adjust the permissions for the user and create the directories needed to be able to run dns-collector:

    chmod +x /usr/bin/go-dnscollector
    chcon -t bin_t /usr/bin/go-dnscollector
    setcap cap_net_raw+ep /usr/bin/go-dnscollector
    chown dnscollector:dnscollector /usr/bin/go-dnscollector
    mkdir -p /var/dnscollector /var/dnscollector/alerts /var/dnscollector/queries /var/dnscollector/matches
    touch /var/dnscollector/alerts/matches.json /var/dnscollector/misp_ips.txt /var/dnscollector/misp_domains.txt /var/dnscollector/queries/queries.json /var/dnscollector/alerts_db.txt /var/dnscollector/matches/matches_domains.json /var/dnscollector/matches/matches_ips.json
    chown -R dnscollector:dnscollector /var/dnscollector/
    chmod -R u+rw /var/dnscollector/
  5. Adjust the configuration file, which is automatically generated as config.yml using the following templates:

    mkdir -p /etc/dnscollector 
    curl -o /etc/dnscollector/config.yml
    chown -R dnscollector:dnscollector /etc/dnscollector/
    chmod -R u+rw /etc/dnscollector/ 
    vi /etc/dnscollector/config.yml
  6. Test the configuration file to make sure it doesn't have typos:

    go-dnscollector -config /etc/dnscollector/config.yml -test-config
  7. Execute the collector:

Configure the collector as a service:

 curl -o /etc/systemd/system/dnscollector.service
 systemctl daemon-reload
 systemctl start dnscollector
 systemctl enable dnscollector

For debugging purposes, it is possible to start dns-collector manually

 go-dnscollector -config /etc/dnscollector/config.yml
  1. Ensure that the collecting port set in the configuration file is accessible and the port open. For example:
    sudo firewall-cmd --zone=public --add-port=7001/tcp --permanent
    sudo firewall-cmd --zone=public --add-port=7001/udp --permanent
    sudo firewall-cmd --reload


  1. Create the pdnssoc directory.

    mkdir /etc/pdnssoccli
  2. Install pdnssoc-cli

    pip3 install git+
  3. Create the pdnssoccli configuration file (pdnssoccli.yml) under /etc/pdnssoccli and modify it based on the pdnssoccli template. For details, see the configuration documentation.

    curl -o /etc/pdnssoccli/pdnssoccli.yml
    chown -R dnscollector:dnscollector /etc/pdnssoccli
    vi /etc/pdnssoccli/pdnssoccli.yml
  4. Create the cronjob to automate correlation and alerting:

    curl -o /etc/cron.d/pdnssoccli
    systemctl reload crond

dns-collector sender (DNS server side)

  1. Create the user that will run the service:

    sudo useradd --system --no-create-home --shell /usr/sbin/nologin dnscollector
  2. Define the version of the dns-collector that you want to install:

     DNS_COLLECTOR_VERSION=$(curl -s | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/^v//')
  3. Install dns-collector

    curl -LO  "${DNS_COLLECTOR_VERSION}/dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \
    tar xvf "dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \
    mv go-dnscollector /usr/bin/go-dnscollector
  4. Adjust the permissions for the user and create the directories needed to be able to run dns-collector:

    chmod +x /usr/bin/go-dnscollector
    chcon -t bin_t /usr/bin/go-dnscollector
    setcap cap_net_raw+ep /usr/bin/go-dnscollector
    chown dnscollector:dnscollector /usr/bin/go-dnscollector
    mkdir -p /var/dnscollector
    chown -R dnscollector:dnscollector /var/dnscollector/
    chmod -R u+rw /var/dnscollector/
  5. Adjust the configuration file, which is automatically generated as config.yml using the following templates:

    mkdir -p /etc/dnscollector 
    curl -o /etc/dnscollector/config.yml
    chown -R dnscollector:dnscollector /etc/dnscollector/
    chmod -R u+rw /etc/dnscollector/ 
    vi /etc/dnscollector/config.yml
  6. Test the configuration file to make sure it doesn't have typos:

    go-dnscollector -config /etc/dnscollector/config.yml -test-config
  7. Execute the collector:

Configure the collector as a service:

 curl -o /etc/systemd/system/dnscollector.service
 systemctl daemon-reload
 systemctl start dnscollector
 systemctl enable dnscollector

For debugging purposes, it is possible to start dns-collector manually

 go-dnscollector -config /etc/dnscollector/config.yml

Testing and debugging pDNSSOC

  • Check if the service is running and its logs:
# systemctl status dnscollector
# journalctl -u dnscollector -f
  • Check if the process is running:
# ps -aux | grep dnscollector
dnscoll+   37571  0.0  1.1 1395372 40108 ?       Ssl  May23   2:03 /usr/bin/dns-collector -c /etc/dnscollector/config.yml
  • Check if the connection has been established. We will use the port 7001 as example:

    A. From the DNS sensor:

    # netstat -putan | grep 7001
    tcp        0      0 IP_DNS:59450            IP_PDNSSOC:7001         ESTABLISHED 37571/dns-collector 

    B. From pDNSSOC:

    # netstat -putan | grep 7001
    tcp6       0      0 :::7001                 :::*                    LISTEN      19378/dns-collector 
    tcp6       0      0 IP_PDNSSOC:7001         IP_DNS:59450            ESTABLISHED 19378/dns-collector
  • Check if the pDNSSOC collector is receiving logs:

# tail /var/dnscollector/queries.json
# tcpdump -i eth0 -A port 7001
  • Check the location where pDNSSOC was installed:
# pip show pdnssoc-cli
  • Verify that the pDNSSOC command line tool works
# pdnssoc-cli fetch-iocs
# pdnssoc-cli correlate
# pdnssoc-cli alert
  • Verify that pdnssoccli.yml has a right format
# pip install yamllint
# yamllint /etc/pdnssoccli/pdnssoccli.yml
  • Check if the IOCs could be fetched from MISP
# tail /var/dnscollector/misp_domains.txt 
# tail /var/dnscollector/misp_ips.txt 
  • Test a malicious domain resolution to check that the alerts are created. You can use any domain from the misp_domains.txt,
# dig @IP_DNS
# cat /var/dnscollector/queries.json | grep

Getting alerts


  • You just need to download the template from github and put it in /etc/pdnssoccli as a file called alert_email.html


  • Add your webhook to the /etc/pdnssoccli/pdnssoccli.yml file (template can be found here)
    • It is now tested for Slack and Mattermost
    • You use templates of the messages
    • Under the 'alerting' header, add the following configuration:
        hook: ""
        template: "/etc/pdnssoccli/slack.template"
        hook: ""
        template: "/etc/pdnssoccli/mattermost.template"


  • Create a telegram bot which will be used for the pDNSSOC alerts:

    • Search for 'BotFather' in telegram and write '/newbot' in the chat

    • Follow the instructions and keep note of the API key given to you once the bot is created

    • Once the bot has been added, find the telegram channel ID. You can use the following script:

      import requests
      bot_token = 'API_TOKEN'
      response = requests.get("{bot_token}/getUpdates")
      data = response.json()
      if data['result']:
          for result in data['result']:
              print("Chat ID: ", result['message']['chat']['id'])
  • Now that you have your telegram bot and API key, you need to change the configuration file of your pdnssoc-cli program:

    • Add the following under the 'alerting' tab of the pdnssoc-cli config file (/etc/pdnssoccli/pdnssoccli.yml):
          telegram_chat_id: <your_telegram_chat_ID>
          telegram_bot_token: <your_telegram_bot_API_key>
          template: "/etc/pdnssoccli/telegram.template"
  • You can test this has worked by trying to send an alert using the command pdnssoc-cli alert

Updating the pDNSSOC version

  • If you have already installed pdnssoc-cli on your machine you will need to run the commands below to update it:

    git clone
    cd pdnssoc-cli/
    python3.11 -m pip install --force-reinstall .

DNS Server (for testing)

To set up a test environment, you can easily deploy a Bind9 DNS server by following the steps outlined below. Please note that the provided template and installation instructions are intended for testing purposes only and are NOT suitable for a production environment. For best practices and production setups, please refer to the Official Documentation.

  1. Install Bind9
    dnf copr enable isc/bind
    yum install isc-bind
  2. Create log directory and edit the name.conf file using the template
    mkdir -p /var/log/named 
    chown named:named /var/log/named 
    curl -o /etc/opt/isc/scls/isc-bind/named.conf
    vim /etc/opt/isc/scls/isc-bind/named.conf
    chown named:named /etc/opt/isc/scls/isc-bind/named.conf
    sudo -u named /opt/isc/isc-bind/root/usr/bin/named-checkconf /etc/opt/isc/scls/isc-bind/named.conf
  3. Start and enable the DNS service
    systemctl start isc-bind-named
    systemctl enable isc-bind-named
    systemctl status isc-bind-named
  4. Open the internal firewall if you want to resolve domains from other instances
    systemctl start firewalld
    systemctl enable firewalld
    firewall-cmd --permanent --add-service=dns
    firewall-cmd --reload
    firewall-cmd --list-all

Test installation

  • Check that the DNS can resolve domains.
host1# dig @IP_DNS
dns# /opt/isc/isc-bind/root/usr/bin/dnstap-read /var/log/named/dnstap.log 
27-May-2024 17:57:01.255 CQ IP_HOST1:47263 -> IP_DNS:53 UDP 49b