Skip to content

epanchee/dns_mirror

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits

build

build

 
 

src

src

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

Cross.toml

Cross.toml

 
 

README.md

README.md

 
 

Repository files navigation

DNS traffic mirroring tool (dns-mirror)

Description

Userspace libpcap-based tool. dns-mirror sniffs dns packets on the given interface and proxies it to the given address on port 53.

Why?

It can be useful for monitoring purposes in your private network. The advantage of this tool is that you do not need to inject it in the middle of your network and cause probable fault. It works from the side just as a mirror.

How to run

You need superuser rights to run dns-mirror.

sudo dns-mirror -d br0 -i 10.30.1.100

Example

dns-mirror --help
DNS traffic mirroring daemon 0.1.0

USAGE:
    dns-mirror [FLAGS] [OPTIONS] --dev <dev> --ip <ip>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information
        --verbose    Show debug messages

OPTIONS:
    -d, --dev <dev>      Device to sniff
    -i, --ip <ip>        DNS server IP
    -p, --port <port>    DNS server port. Default: 53
~ # dns-mirror -d br0 -i 10.30.1.100  --verbose
 2021-12-05T14:02:28.440Z DEBUG dns_mirror > Dns from 10.30.1.43 mirrored to 10.30.1.100:53
 2021-12-05T14:02:28.833Z DEBUG dns_mirror > Dns from 10.30.1.38 mirrored to 10.30.1.100:53
 2021-12-05T14:02:49.191Z DEBUG dns_mirror > Dns from 10.30.1.87 mirrored to 10.30.1.100:53
 2021-12-05T14:03:26.595Z DEBUG dns_mirror > Dns from 10.30.1.98 mirrored to 10.30.1.100:53
 ...

Limitations

  • If you want to monitor all users then you have to connect all interfaces to the bridge and sniff on it (on most routers it is default).
  • At the moment dns sniffs only udp packets sent to dst port 53. Thus, it does not monitor tricky users who use customized dns requests.
  • As well as it can not sniff DoH/DoT requests.
  • TCP DNS requests are not covered yet
  • It does not check that the received packet is actually DNS-packet.

Build

The project was successfully built and launched on MediaTek MT7621 SoC (MIPS 1004Kc V2.15)
Repository is supplied with custom Docker image and Cross.toml to build libpcap for mipsel-unknown-linux-gnu arch. Use powerful cross to build it.

How to build

( cd build; docker build -t crossbuild_mipsel:local . )

cat >> cat ~/.cargo/config
[target.mipsel-unknown-linux-gnu]
rustflags = ["-C", "target-feature=+crt-static", "-lpcap"]

cross build --target mipsel-unknown-linux-gnu --release

About

Userspace libpcap-based tool to mirror your dns traffic

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Languages