Passive DNS collection and monitoring built with Golang, Clickhouse and Grafana: dnsmonster implements a packet sniffer for DNS traffic. It can accept traffic from a pcap file, a live interface or a dnstap socket, and can be used to index and store thousands of DNS queries per second (it has been shown to be capable of indexing 200k+ DNS queries per second on a commodity computer). It aims to be scalable, simple and easy to use, and to help security teams understand the details of an enterprise's DNS traffic.

dnsmonster does not look to follow DNS conversations; rather, it aims to index DNS packets as soon as they come in. It also does not aim to breach the privacy of end users: the source IP can be masked from 1 to 32 bits, making the data potentially untraceable.
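What masking the source IP to a given number of bits does to the stored records, as an added example (not dnsmonster's own code; the function names and sample clients are made up here, and only IPv4 is handled). It also counts how many distinct clients collapse into each stored value, which is what makes a shorter mask harder to trace back to one host:

```go
package main

import (
	"fmt"
	"net"
)

// maskSource keeps the top `bits` bits of an IPv4 address and zeroes the rest.
// bits=32 stores the address unchanged; smaller values widen the bucket.
func maskSource(addr string, bits int) (string, error) {
	ip := net.ParseIP(addr).To4()
	if ip == nil || bits < 1 || bits > 32 {
		return "", fmt.Errorf("need an IPv4 address and a mask of 1..32 bits, got %q/%d", addr, bits)
	}
	return ip.Mask(net.CIDRMask(bits, 32)).String(), nil
}

// bucketSizes reports, for each masked value that would be stored, how many
// distinct client addresses map onto it (duplicates are counted once).
func bucketSizes(clients []string, bits int) (map[string]int, error) {
	seen := map[string]bool{}
	sizes := map[string]int{}
	for _, c := range clients {
		if seen[c] {
			continue
		}
		seen[c] = true
		m, err := maskSource(c, bits)
		if err != nil {
			return nil, err
		}
		sizes[m]++
	}
	return sizes, nil
}

func main() {
	// Constructed sample clients, not taken from any capture.
	clients := []string{"10.20.30.41", "10.20.30.77", "10.20.31.5", "192.168.1.10"}
	for _, bits := range []int{32, 24, 16} {
		sizes, err := bucketSizes(clients, bits)
		if err != nil {
			panic(err)
		}
		fmt.Printf("mask %2d bits -> %v\n", bits, sizes)
	}
}
```

A bucket of size 1 still identifies a single client, so the mask length has to be chosen against the real address layout of the monitored network.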
IMPORTANT NOTE: The code before version 1.x is considered beta quality and is subject to breaking changes. Please check the release notes for each tag to see the list of breaking scenarios between each release, and how to mitigate potential data loss.
Main features
afpacket and zero-copy packet capture.
fqdns to avoid writing some domains/suffix/prefix to storage, thus improving DB performance
Related projects