You must be signed in to change notification settings - Fork 6
pDNSSOC is a minimalistic component allowing DNS data to be centrally collected, and correlated with malicious domains / IPs from a MISP instance.
A complete pDNSSOC deployment requires:
- Access to a MISP instance (URL + API key are needed)
- A source of DNS data, for example:
- a DNS server with a dns-collector sender
files (typically rsync'ed of SSH)
- A pDNSSOC server: a
receiver + pDNSSOC
Create the user that will run the service:
sudo useradd --system --no-create-home --shell /usr/sbin/nologin dnscollector
Define the version of the
that you want to install:DNS_COLLECTOR_VERSION=$(curl -s https://api.github.com/repos/dmachard/dns-collector/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/^v//')
curl -LO "https://github.com/dmachard/dns-collector/releases/download/v${DNS_COLLECTOR_VERSION}/dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \ tar xvf "dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \ mv go-dnscollector /usr/bin/go-dnscollector
Adjust the permissions for the user and create the directories needed to be able to run
:chmod +x /usr/bin/go-dnscollector chcon -t bin_t /usr/bin/go-dnscollector setcap cap_net_raw+ep /usr/bin/go-dnscollector chown dnscollector:dnscollector /usr/bin/go-dnscollector mkdir -p /var/dnscollector /var/dnscollector/alerts /var/dnscollector/queries /var/dnscollector/matches touch /var/dnscollector/alerts/matches.json /var/dnscollector/misp_ips.txt /var/dnscollector/misp_domains.txt /var/dnscollector/queries/queries.json /var/dnscollector/alerts_db.txt /var/dnscollector/matches/matches_domains.json /var/dnscollector/matches/matches_ips.json chown -R dnscollector:dnscollector /var/dnscollector/ chmod -R u+rw /var/dnscollector/
Adjust the configuration file, which is automatically generated as config.yml using the following templates:
mkdir -p /etc/dnscollector curl -o /etc/dnscollector/config.yml https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/config/dnscollector/server.yml chown -R dnscollector:dnscollector /etc/dnscollector/ chmod -R u+rw /etc/dnscollector/ vi /etc/dnscollector/config.yml
Test the configuration file to make sure it doesn't have typos:
go-dnscollector -config /etc/dnscollector/config.yml -test-config
Execute the collector:
Configure the collector as a service:
curl -o /etc/systemd/system/dnscollector.service https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/config/dnscollector/dnscollector.service
systemctl daemon-reload
systemctl start dnscollector
systemctl enable dnscollector
For debugging purposes, it is possible to start dns-collector
go-dnscollector -config /etc/dnscollector/config.yml
- Ensure that the collecting port set in the configuration file is accessible and the port open. For example:
sudo firewall-cmd --zone=public --add-port=7001/tcp --permanent sudo firewall-cmd --zone=public --add-port=7001/udp --permanent sudo firewall-cmd --reload
Create the pdnssoc directory.
mkdir /etc/pdnssoccli
pip3 install git+https://github.com/safer-trust/pdnssoc-cli.git
Create the pdnssoccli configuration file (
) under/etc/pdnssoccli
and modify it based on the pdnssoccli template. For details, see the configuration documentation.curl -o /etc/pdnssoccli/pdnssoccli.yml https://raw.githubusercontent.com/safer-trust/pdnssoc-cli/refs/heads/main/config/pdnssoccli.yml chown -R dnscollector:dnscollector /etc/pdnssoccli vi /etc/pdnssoccli/pdnssoccli.yml
Create the cronjob to automate correlation and alerting:
curl -o /etc/cron.d/pdnssoccli https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/config/pdnssoccli/pdnssoccli.cron systemctl reload crond
Create the user that will run the service:
sudo useradd --system --no-create-home --shell /usr/sbin/nologin dnscollector
Define the version of the
that you want to install:DNS_COLLECTOR_VERSION=$(curl -s https://api.github.com/repos/dmachard/dns-collector/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/^v//')
curl -LO "https://github.com/dmachard/dns-collector/releases/download/v${DNS_COLLECTOR_VERSION}/dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \ tar xvf "dns-collector_${DNS_COLLECTOR_VERSION}_linux_amd64.tar.gz" && \ mv go-dnscollector /usr/bin/go-dnscollector
Adjust the permissions for the user and create the directories needed to be able to run
:chmod +x /usr/bin/go-dnscollector chcon -t bin_t /usr/bin/go-dnscollector setcap cap_net_raw+ep /usr/bin/go-dnscollector chown dnscollector:dnscollector /usr/bin/go-dnscollector mkdir -p /var/dnscollector chown -R dnscollector:dnscollector /var/dnscollector/ chmod -R u+rw /var/dnscollector/
Adjust the configuration file, which is automatically generated as config.yml using the following templates:
mkdir -p /etc/dnscollector curl -o /etc/dnscollector/config.yml https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/config/dnscollector/client.yml chown -R dnscollector:dnscollector /etc/dnscollector/ chmod -R u+rw /etc/dnscollector/ vi /etc/dnscollector/config.yml
Test the configuration file to make sure it doesn't have typos:
go-dnscollector -config /etc/dnscollector/config.yml -test-config
Execute the collector:
Configure the collector as a service:
curl -o /etc/systemd/system/dnscollector.service https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/config/dnscollector/dnscollector.service
systemctl daemon-reload
systemctl start dnscollector
systemctl enable dnscollector
For debugging purposes, it is possible to start dns-collector
go-dnscollector -config /etc/dnscollector/config.yml
- Check if the service is running and its logs:
# systemctl status dnscollector
# journalctl -u dnscollector -f
- Check if the process is running:
# ps -aux | grep dnscollector
dnscoll+ 37571 0.0 1.1 1395372 40108 ? Ssl May23 2:03 /usr/bin/dns-collector -c /etc/dnscollector/config.yml
Check if the connection has been established. We will use the port 7001 as example:
A. From the DNS sensor:
# netstat -putan | grep 7001 tcp 0 0 IP_DNS:59450 IP_PDNSSOC:7001 ESTABLISHED 37571/dns-collector
B. From pDNSSOC:
# netstat -putan | grep 7001 tcp6 0 0 :::7001 :::* LISTEN 19378/dns-collector tcp6 0 0 IP_PDNSSOC:7001 IP_DNS:59450 ESTABLISHED 19378/dns-collector
Check if the pDNSSOC collector is receiving logs:
# tail /var/dnscollector/queries.json
# tcpdump -i eth0 -A port 7001
- Check the location where pDNSSOC was installed:
# pip show pdnssoc-cli
- Verify that the pDNSSOC command line tool works
# pdnssoc-cli fetch-iocs
# pdnssoc-cli correlate
# pdnssoc-cli alert
- Verify that pdnssoccli.yml has a right format
# pip install yamllint
# yamllint /etc/pdnssoccli/pdnssoccli.yml
- Check if the IOCs could be fetched from MISP
# tail /var/dnscollector/misp_domains.txt
# tail /var/dnscollector/misp_ips.txt
- Test a malicious domain resolution to check that the alerts are created. You can use any domain from the misp_domains.txt,
# dig @IP_DNS maliciousdomain.com
# cat /var/dnscollector/queries.json | grep maliciousdomain.com
- You just need to download the template from github and put it in
as a file calledalert_email.html
- Add your webhook to the
file (template can be found here)- It is now tested for Slack and Mattermost
- You use templates of the messages
- Under the 'alerting' header, add the following configuration:
slack: hook: "https://hooks.slack.com/services/your_hook" template: "/etc/pdnssoccli/slack.template" mattermost: hook: "https://hooks.mattermost.com/services/your_hook" template: "/etc/pdnssoccli/mattermost.template"
Create a telegram bot which will be used for the pDNSSOC alerts:
Search for 'BotFather' in telegram and write '/newbot' in the chat
Follow the instructions and keep note of the API key given to you once the bot is created
Once the bot has been added, find the telegram channel ID. You can use the following script:
import requests bot_token = 'API_TOKEN' response = requests.get("https://api.telegram.org/bot{bot_token}/getUpdates") data = response.json() if data['result']: for result in data['result']: print("Chat ID: ", result['message']['chat']['id'])
Now that you have your telegram bot and API key, you need to change the configuration file of your pdnssoc-cli program:
- Add the following under the 'alerting' tab of the pdnssoc-cli config file (
):telegram: telegram_chat_id: <your_telegram_chat_ID> telegram_bot_token: <your_telegram_bot_API_key> template: "/etc/pdnssoccli/telegram.template"
- Add the following under the 'alerting' tab of the pdnssoc-cli config file (
You can test this has worked by trying to send an alert using the command
pdnssoc-cli alert
If you have already installed pdnssoc-cli on your machine you will need to run the commands below to update it:
git clone https://github.com/safer-trust/pdnssoc-cli.git cd pdnssoc-cli/ python3.11 -m pip install --force-reinstall .
To set up a test environment, you can easily deploy a Bind9 DNS server by following the steps outlined below. Please note that the provided template and installation instructions are intended for testing purposes only and are NOT suitable for a production environment. For best practices and production setups, please refer to the Official Documentation.
- Install Bind9
dnf copr enable isc/bind yum install isc-bind
- Create log directory and edit the
file using the templatemkdir -p /var/log/named chown named:named /var/log/named curl -o /etc/opt/isc/scls/isc-bind/named.conf https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/config/test_lab/named.conf vim /etc/opt/isc/scls/isc-bind/named.conf chown named:named /etc/opt/isc/scls/isc-bind/named.conf sudo -u named /opt/isc/isc-bind/root/usr/bin/named-checkconf /etc/opt/isc/scls/isc-bind/named.conf
- Start and enable the DNS service
systemctl start isc-bind-named systemctl enable isc-bind-named systemctl status isc-bind-named
- Open the internal firewall if you want to resolve domains from other instances
systemctl start firewalld systemctl enable firewalld firewall-cmd --permanent --add-service=dns firewall-cmd --reload firewall-cmd --list-all
- Check that the DNS can resolve domains.
host1# dig @IP_DNS maliciousdomain.com
dns# /opt/isc/isc-bind/root/usr/bin/dnstap-read /var/log/named/dnstap.log
27-May-2024 17:57:01.255 CQ IP_HOST1:47263 -> IP_DNS:53 UDP 49b maliciousdomain.com/IN/A