Man page - radns(1)

Packages contains this manual

Package:  argus-client
apt-get install argus-client

Manuals in package:
• rasort(1)
• ra(1)
• radium.conf(5)
• rapolicy(1)
• racompare(1)
• ralabel.conf(5)
• rafilteraddr(1)
• rastrip(1)
• racolor.conf(5)
• rahisto(1)
• rasplit(1)
• rasql(1)
• ragrep(1)
• rabins(1)
• ratop(1)
• ranonymize(1)
• racluster(1)
• raevent(1)
• rasqlinsert(1)
• racount(1)
• radump(1)
• raconvert(1)
• radecode(1)
• ra.conf(5)
• rarc(5)
• rastream(1)
• rasqltimeindex(1)
• radns.conf(1)
• ratrace(1)
• ramanage.conf.5(5)
• ragen(1)
• radium(8)
• ramanage(1)
• racluster.conf(1)
• ralabel(1)
• rapath(1)
• ranonymize(5)
• radns(1)
• ragraph(1)
• rasqlcheckconf(1)
Documentations in package:
• argus-client

Manual

RADNS

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
CONFIGURATION
INVOCATION
COPYRIGHT
SEE ALSO
FILES
AUTHORS
BUGS

---

NAME

radns - process DNS data from argus(8) data streams / files.

SYNOPSIS

radns [ raoptions ] [ -- filter-expression ]

DESCRIPTION

Radns reads argus data from an argus-data source, and extracts and tracks DNS transaction data from the argus data records. radns is a flow record labeler, and can be configured to label flow records with the dns names of the saddr and daddr addresses seen in the outer IP DSR of flow records. As a result, radns can be a stage in an argus data flow stream, enhancing real-time flow records with DNS metadata.

OPTIONS

Radns, like all ra based clients, supports a number of ra options including filtering of input argus records through a terminating filter expression, and the ability to specify the output style, format and contents for printing data. See ra(1) for a complete description of ra options . radns(1) specific options are:
-M modes

Supported modes are:

json

Print the DNS transaction data in json format.

CONFIGURATION

radns(1) can be configured using a radns.conf(5) configuration file. See radns.conf(5) for a complete description of radns configuration options .

INVOCATION

A sample invocation of radns(1) . This call reads argus(8) data from inputfile and prints the DNS transaction content as it is read from the argus(8) data.

% radns -R /usr/local/argus/archive/*/en0/2024/02/05/*.05.10.0* -N 1200
02/05.05:12:50.506561: AAAA? KitAppTV.local. :
02/05.05:14:30.116963: AAAA? qosient.mail.pairserver.com. : SOA pairserver.com. ns1.pair.com. root.pair.com. 2024020506 3600 300 604800 7200
02/05.10:01:06.404054: PTR? lb._dns-sd._udp.0.129.37.10.in-addr.arpa. : SOA 10.in-addr.arpa. prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
apophis:argus-clients-5.0 carter$ bin/radns -M json -R /usr/local/argus/archive/*/en0/2024/02/05/*.05.10.0* -N 1250
02/05.05:12:50.506561: AAAA? KitAppTV.local. :
02/05.05:14:30.116963: AAAA? qosient.mail.pairserver.com. : SOA pairserver.com. ns1.pair.com. root.pair.com. 2024020506 3600 300 604800 7200
02/05.10:01:06.404054: PTR? lb._dns-sd._udp.0.129.37.10.in-addr.arpa. : SOA 10.in-addr.arpa. prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800
02/05.10:01:45.717174: Type65? init.push.apple.com. : CNAME init.push.apple.com. init.push-apple.com.akadns.net. SOA akadns.net. internal.akadns.net. hostmaster.akamai.com. 1629813934 90000 90000 90000 180
02/05.10:01:45.717302: AAAA? init.push.apple.com. : AAAA init.push-apple.com.akadns.net. 2620:149:208:430a::4[28],2620:149:208:430e::4[28],2620:149:208:430c::4[28],2620:149:208:430b::4[28],2620:149:208:430d::4[28] CNAME init.push.apple.com. init.push-apple.com.akadns.net.
02/05.10:01:45.717432: A? init.push.apple.com. : A init.push-apple.com.akadns.net. 17.188.179.2[16],17.188.178.2[16],17.188.178.226[16],17.188.178.34[16],17.188.143.158[16],17.188.143.157[16],17.188.179.34[16],17.188.143.187[16] CNAME init.push.apple.com. init.push-apple.com.akadns.net.
02/05.10:01:45.736437: Type65? init.push-apple.com.akadns.net. : SOA akadns.net. internal.akadns.net. hostmaster.akamai.com. 1629813934 90000 90000 90000 180

A sample invocation of radns(1) . This call reads argus(8) data from inputfile and uses the -q option to suppress DNS transaction reporting. radns(1) caches its DNS server, clients and transaction data in memory, and when finished reading data, resolve queries about the data.

In this example, it reads a days of data and looks up references to a specific DNS query, printing its output as json data.

% radns -M json -R /usr/local/argus/archive/*/en0/2024/02/05 -qM search:qosient.com.
{ "name":"qosient.com.", "ref":"3", "stime":"1707147521","ltime":"1707183149", "addr":[ "216.92.14.146" ], "server":[ "2603:7000:c00:b053:ea9f:80ff:fe85:5cc5" ], "client":[ "2603:7000:c00:b053:987f:ad32:81c:e70f", "2603:7000:c00:b053:f9f2:6d70:ff9c:48d7" ] }

COPYRIGHT

Copyright (c) 2000-2024 QoSient. All rights reserved.

SEE ALSO

radns.conf(5), ra(1), rarc(5), argus(8),

FILES

AUTHORS

Carter Bullard (carter@qosient.com).

BUGS

---