parse-questions: parse question(s) and domain from DNS query

Description

Parse question(s) from DNS queries in PCAP.

This is the first tool in the respdiff query filter toolchain. It's purpose is to extract DNS questions and domains from raw PCAP and store them into respdiff's LMDB in a format suitable for the rest of the toolchain.

Example

respdiff-rs [--lmdb <ENVDIR>] parse-questions --input STDIN|FILE

Input

PCAP

Output

LMDB `nssets`

A list of nameserver domains for a given domain.
Format: domain = <NS1_domain><NS2_domain>...<NS3_domain>

LMDB `questions`

A list of unique questions (assured by key = question)
Format: (qname,qtype,qclass) = None

Operation

for each question in DNS query
- parse qname, qtype, qclass
- if qname not in LMDB nssets
  - add qname = None to LMDB nssets
- if (qname,qtype,qclass) not in LMDB questions
  - add (qname,qtype,qclass) = None to LMDB questions

Edited Dec 12, 2022 by Nicki Křížek

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message