[dnscap-users] New plugin type and anonymization plugin
Jerry Lundström
jerry at dns-oarc.net
Wed Nov 21 14:39:28 UTC 2018
Hi all,
I've just pushed some changes to dnscap develop branch which adds a type
indicator for the plugins and a new type called "filter".
This plugin is called before any output from dnscap is made so it allows
a plugin to filter out packet/DNS and with a new extension called
"set_iaddr" plugins can also change some data in the packet/DNS.
With this I created a new plugin called "anonmask" which masks part of
the IP address based on a netmask, here is an example on how it masks
IPv6 address to a /16:
$ src/dnscap -g -r ~/1qr.pcap -P anonmask.so -4 16
[56] 2016-10-20 15:23:01.075993 [#0 1qr.pcap 4095] \
[172.17.0.0].53199 [8.8.0.0].53 \
dns QUERY,NOERROR,59311,rd \
1 google.com,IN,A 0 0 0
anonmask.so options:
-? print these instructions and exit
-c Only mask clients (port != 53)
-s Only mask servers (port == 53)
-p <port> Set port for -c/-s masking, default 53
-4 <netmask> The /mask for IPv4 addresses, default /24
-6 <netmask> The /mask for IPv6 addresses, default /48
Hope to hear some feedback on this!
There will be more anonymization plugins coming thanks to funding by
Verisign(!), they will be based on the recommendations in RSSAC040 [1].
Cheers,
Jerry
[1] https://www.icann.org/en/system/files/files/rssac-040-07aug18-en.pdf
More information about the dnscap-users
mailing list