Up-to-date: 2023-12-11.
python3 PcapXXXXX.py --helpSudo is required for PcapReplay, because of packets sniffing.
Generally, one wants to run the whole pipeline. In this case, refer to the README in the parent directory.
Configuration files are limited to static information used for all files. Dynamic parameters are passed through CLI (cf. --help).
{
"resolvers":{
"doh": [
{
"name": "Cloudflare",
"endpoint": "1.1.1.1",
"up_index": 3,
"down_index": 5
},
],
},
"padding_strategies": {
"padding_no_padding": [0],
"padding_128_bytes": [128],
"padding_random_block": [128,256,384,512]
},
}Each resolver must have:
name;endpoint(IP address or URL, such ashttps://dns.quad9.net/dns-query). It is later converted as IP addres(ses);up_index: the index of the TLS Application Data message corresponding to the DNS request;down_index: the index of the TLS Application Data message corresponding to the DNS answer.
Indexes start at 0. Current values were found using wireshark.
It is possible to target DoT, such as:
{
"resolvers":{
"doh": [],
"dot": [],
}
}Used for:
- replaying packets
- extracting features
- ML
- figure generation
{
"max_nb_replayed": 30, // Number of DNS requests replayed per pcap file
"max_nb_retries": 5 // Number of times to retry a failing request
}{
"max_nb_query": 30, // Maximum number of DNS queries studied for each replayed file
"length_multiplier": 2, // Multipler used for the length (2 because we're saving the DNS query length and the answer length)
"qname_types": { // used for clear-text DNS, legacy
"complete": 0,
"4": 0,
"3": 0
},
"mac_addresses_config": "./scripts/configs/devices.sh" // The file containing a hash table of device name -> mac address
} You may wonder why there is a copy of dnspython in the pcap_manipulation/dns/ folder. I'm happy you're curious like that.
All of this comes from wanting to replay DNS packets as DoH/DoT at the same HH:MM they were initially sent (so if a Do53 packet was sent at 3am, it is replayed as DoH / DoT at 3am).
Long story short, I had to patch the DNSPython library so the trio async backend could re-use a socket previously opened. Also, I was really tired at that point so I didn't use a git submodule.
A previously opened socket, you said? We reserve a local port by opening a socket. Then, we close the socket and quickly use the same port to proceed with the DoH/DoT request. If we do not set SO_REUSEADDR, the OS do not let us re-use the socket.
Why do we need to play with ports like that? Because ports are used to:
- Filter the sniffed traffic over the network interface and to select only traffic relevant to the currently replayed DNS-as-DoH packet.
- Identify which padding strategy was used.
What do you mean, you can't know the padding strategy? The traffic is encrypted: there is no way of knowing for sure a given packet was or was not padded. As decrypting everything is costly, ranges of ports are selected, corresponding to each padding strategy. So now, we know that ports 32768 - 32800 have no padding, and 32801 - 32900 do.
Why use trio and not asyncio as backend? Because dnspython does not support the local_port setting when using asyncio as a backend. Life is fun like that sometimes.