[dnscap-users] New plugin type and anonymization plugin

Jerry Lundström jerry at dns-oarc.net
Wed Nov 21 14:39:28 UTC 2018

Hi all,

I've just pushed some changes to dnscap develop branch which adds a type
indicator for the plugins and a new type called "filter".

This plugin is called before any output from dnscap is made so it allows
a plugin to filter out packet/DNS and with a new extension called
"set_iaddr" plugins can also change some data in the packet/DNS.

With this I created a new plugin called "anonmask" which masks part of
the IP address based on a netmask, here is an example on how it masks
IPv6 address to a /16:

$ src/dnscap -g -r ~/1qr.pcap -P anonmask.so -4 16
[56] 2016-10-20 15:23:01.075993 [#0 1qr.pcap 4095] \
	[].53199 [].53  \
	dns QUERY,NOERROR,59311,rd \
	1 google.com,IN,A 0 0 0

anonmask.so options:
	-?            print these instructions and exit
	-c            Only mask clients (port != 53)
	-s            Only mask servers (port == 53)
	-p <port>     Set port for -c/-s masking, default 53
	-4 <netmask>  The /mask for IPv4 addresses, default /24
	-6 <netmask>  The /mask for IPv6 addresses, default /48

Hope to hear some feedback on this!

There will be more anonymization plugins coming thanks to funding by
Verisign(!), they will be based on the recommendations in RSSAC040 [1].


[1] https://www.icann.org/en/system/files/files/rssac-040-07aug18-en.pdf

More information about the dnscap-users mailing list