Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/netrack/dnstun
DNSTun is a CoreDNS plugin for detecting DNS tunneling
coredns-plugin dns dns-tunneling-detection
Last synced: 18 days ago
- Host: GitHub
- URL: https://github.com/netrack/dnstun
- Owner: netrack
- License: mit
- Created: 2019-10-04T13:00:40.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2020-03-29T15:20:36.000Z (over 4 years ago)
- Last Synced: 2024-06-20T16:35:59.512Z (6 months ago)
- Topics: coredns-plugin, dns, dns-tunneling-detection
- Language: Go
- Homepage:
- Size: 63.5 KB
- Stars: 4
- Watchers: 3
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# dnstun
_dnstun_ - enable DNS tunneling detection in the service queries.
[![Build Status][BuildStatus]](https://travis-ci.org/netrack/dnstun)
## Description
This is a [CoreDNS](https://coredns.io) plugin that enables DNS tunneling
detection within submitted queries. It analyzes the payload of the DNS query
and either forwards the query to the configured resolver (`8.8.8.8` by default)
or returns a refuse code.

With `dnstun` enabled, users are able to detect data exfiltration through DNS
tunnels.

## Syntax
```txt
dnstun {
    runtime HOST:PORT
    detector DETECTOR:VERSION
    [mapping forward|reverse]
}
```

* `runtime` specifies the endpoint, in `HOST:PORT` format, of the remote model
runtime. This runtime should comply with e.g. the `tensorcraft` HTTP interface.

* `detector` is a directive to configure the detector, given as
`DETECTOR:VERSION`. How its prediction tuple is interpreted is controlled by
`mapping`.

* `mapping` is an optional directive that instructs the plugin how to interpret the
response from the detector: `forward` treats a higher probability in the _second_
element of the prediction tuple as a DNS tunnel, while `reverse` means that the _first_
element in the prediction tuple identifies a DNS tunnel. Default is `forward`.

## Examples
Here are a few basic examples of how to enable DNS tunneling detection.
Usually DNS tunneling detection is turned on for all DNS queries.

Analyze all DNS queries through a remote resolver listening on a TCP socket.
```txt
. {
    dnstun {
        # Connect to the runtime that stores the model and executes it.
        runtime 10.240.0.1:5678

        # Choose the detector and its version.
        detector dns_cnn:latest
    }
}
```

## Usage
One of the possible ways to run an experimental resolver is to use [docker-compose](https://github.com/docker/compose).
To run the environment, clone this repository and run the following
commands:
```sh
% git clone git@github.com:netrack/dnstun.git
% cd dnstun
% docker-compose up
```

After that, the resolver will be accessible at port `53`:
```sh
% dig @localhost google.com
% dig @localhost q+aJ3on2BA.hidemyself.org.
```

[BuildStatus]: https://travis-ci.org/netrack/dnstun.svg?branch=master
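The `mapping` rule from the Syntax section, written out as an added Go example; this is not code from the dnstun repository. The type and function names, the action strings, the range check and the reading of "higher" as strictly greater are assumptions, and the prediction tuples are constructed.

```go
package main

import "fmt"

// Mapping mirrors the `mapping forward|reverse` option (type name is hypothetical).
type Mapping string

const (
	Forward Mapping = "forward" // second tuple element is the tunnel probability
	Reverse Mapping = "reverse" // first tuple element is the tunnel probability
)

// IsTunnel interprets a two-element prediction tuple under mapping m.
// An empty m falls back to the documented default, forward.
func IsTunnel(pred []float64, m Mapping) (bool, error) {
	if len(pred) != 2 {
		return false, fmt.Errorf("prediction has %d elements, want 2", len(pred))
	}
	for _, p := range pred {
		if !(p >= 0 && p <= 1) { // also rejects NaN
			return false, fmt.Errorf("probability %v outside [0,1]", p)
		}
	}
	switch m {
	case "", Forward:
		return pred[1] > pred[0], nil // "higher" is read as strictly greater
	case Reverse:
		return pred[0] > pred[1], nil
	}
	return false, fmt.Errorf("unknown mapping %q", string(m))
}

// Decide names the plugin's two outcomes: refuse the query or forward it.
func Decide(pred []float64, m Mapping) (string, error) {
	tunnel, err := IsTunnel(pred, m)
	if err != nil {
		return "", err // caller chooses fail-open or fail-closed
	}
	if tunnel {
		return "refuse", nil
	}
	return "forward", nil
}

func main() {
	// Constructed tuples; real values come from the model runtime.
	fmt.Println(Decide([]float64{0.97, 0.03}, Forward)) // forward <nil>
	fmt.Println(Decide([]float64{0.08, 0.92}, Forward)) // refuse <nil>
	fmt.Println(Decide([]float64{0.08, 0.92}, Reverse)) // forward <nil>
}
```

A model trained with the tunnel class in the first output position needs `mapping reverse`; with the default, the same tuple produces the opposite decision.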