[dns-operations] A quick question for my peers re: 'dnscap'

Jerry Lundström jerry at dns-oarc.net
Sat Feb 3 07:43:46 UTC 2018


Hi Jake,

On Fri, 2018-02-02 at 20:54 +0000, Jake Zack wrote:
> Robert and I took this discussion off-list briefly.
> 
> He had me turn on dumptrace (-d flag) to analyze the BPF expression being
> used....
> 
> > dnscap: "( ( ip[6:2] & 0x1fff != 0 or ip6[6] = 44 ) or ( ( ( tcp port 53 )
> > or ( udp port 53) )  and host ( 2001:500:a7::2 or 199.4.144.2 )) )"
> 
> In English this is saying "(any IPv4/IPv6 fragments) or (your host and
> tcp/udp port 53)".

So this is because that script uses '-f', which selects fragments also.

> So I guess I'm asking the community now if this is worth a bug report and/or
> feature request...

Since this is more related to the capturing script distributed for DITL than
dnscap, I would suggest you continue this discussion on the DITL mailing list.
If you're not on it, reach out to William to join it.

As for bug or not, maybe it could be made optional or at least documented so it
is easier to understand what is captured using the DITL scripts.

> ...and further, to gather opinions on the question "If an IP fragment
> contains no question, but acknowledges the asking of a question from a
> particular source, is that still private data that will run the risk of
> running afoul of various privacy laws?

That would depend on your country's laws; in some, even IP addresses are
considered identifiable information.

Cheers,
Jerry
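As an added illustration (not code from dnscap or the DITL capture scripts), the following Python re-implements the BPF expression quoted in the thread and runs it over constructed sample packets; it shows that a non-first fragment between two unrelated hosts matches even though neither the listed hosts nor port 53 are involved.

```python
import struct
import ipaddress

# The two hosts from the filter quoted above; all packets below are constructed samples.
HOSTS = {ipaddress.ip_address("2001:500:a7::2"), ipaddress.ip_address("199.4.144.2")}
IPV6_FRAGMENT_HEADER = 44   # ip6[6] = 44: an IPv6 Fragment extension header follows

def build_ipv4(src, dst, proto, frag_field, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag_field,
                       64, proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload

def matches_ditl_filter(pkt):
    """Re-implements the dnscap -f BPF expression quoted in the thread:
    (ip[6:2] & 0x1fff != 0 or ip6[6] = 44) or (tcp/udp port 53 and host in HOSTS)."""
    version = pkt[0] >> 4
    if version == 4:
        frag_field = struct.unpack("!H", pkt[6:8])[0]
        if frag_field & 0x1FFF:            # non-zero fragment offset: any host, any protocol
            return True
        proto, l4 = pkt[9], pkt[20:]
        src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    elif version == 6:
        if pkt[6] == IPV6_FRAGMENT_HEADER:
            return True
        proto, l4 = pkt[6], pkt[40:]
        src, dst = ipaddress.ip_address(pkt[8:24]), ipaddress.ip_address(pkt[24:40])
    else:
        return False
    if proto not in (6, 17) or len(l4) < 4:   # only TCP/UDP carry port numbers
        return False
    sport, dport = struct.unpack("!HH", l4[:4])
    return 53 in (sport, dport) and (src in HOSTS or dst in HOSTS)

def demo():
    udp53 = struct.pack("!HHHH", 40000, 53, 8, 0)    # UDP header, destination port 53
    return {
        # DNS query to the listed resolver: captured by the port/host clause
        "query_to_host": matches_ditl_filter(build_ipv4("10.0.0.1", "199.4.144.2", 17, 0, udp53)),
        # same query to an unrelated host: not captured
        "query_elsewhere": matches_ditl_filter(build_ipv4("10.0.0.1", "10.0.0.2", 17, 0, udp53)),
        # non-first fragment between unrelated hosts, no ports at all: captured anyway
        "stray_fragment": matches_ditl_filter(build_ipv4("10.0.0.1", "10.0.0.2", 17, 0x0010, b"\0" * 8)),
        # first fragment (MF set, offset 0) of that flow: offset is 0, so only the host clause applies
        "first_fragment": matches_ditl_filter(build_ipv4("10.0.0.1", "10.0.0.2", 17, 0x2000, udp53)),
    }
```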
