This post will show how Qosient Argus can be used to capture DNS queries passing in clear text over TCP or UDP port 53.
Another use of the same functionality is to capture the certificates exchanged while an encrypted channel is being established (e.g. HTTPS).
Argus
Qosient Argus is “the most widely used open source network flow system.” It is similar to NetFlow, JFlow, sFlow, IPDR, and YAF/SiLK, and in addition to flow records it can capture a limited amount of user data from the stream.
For more information about Argus see: https://www.qosient.com/argus/
Overview
The target system is a gateway running OpenBSD 6.4 GENERIC.MP#364 amd64. DNS (Unbound) is running on the system and is made available via an alias on the internal interface. Two argus daemons will be set up:
argus0 – capture all flows traversing the gateway.
argus1 – capture only DNS queries.
Installation
# pkg_add -i argus
quirks-3.16 signed on 2018-10-12T15:26:25Z
quirks-3.16: ok
argus-3.0.8.2p1: ok
The following new rcscripts were installed: /etc/rc.d/argus
See rcctl(8) for details.
Configuration
When capturing user data it’s best to run a separate daemon for it. This keeps the amount of collected data to a minimum, since the ARGUS_FILTER variable can be used to restrict the capture to the desired traffic.
Back up the original configuration since it contains a lot of documentation.
mv /etc/argus.conf /etc/argus.conf.orig
Create the configuration for argus0. It will be the default flow collector on the internal interface fxp1, which serves as the gateway.
vi /etc/argus0.conf
Copy/paste the following into /etc/argus0.conf
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE+LAYER_2"
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID="GTWY"
ARGUS_INTERFACE=ind:fxp1/"GTWY"
ARGUS_BIND_IP="10.1.1.1"
ARGUS_GO_PROMISCUOUS=no
ARGUS_SETUSER_ID=_argus
ARGUS_SETGROUP_ID=_argus
ARGUS_OUTPUT_FILE=/var/argus/argus0.out
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_PACKET_SIZE=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes
ARGUS_TUNNEL_DISCOVERY="yes"
ARGUS_PACKET_CAPTURE_FILE="/var/argus/argus0.cap"
ARGUS_PACKET_CAPTURE_ON_ERROR="yes"
Create the configuration for argus1. It will be the daemon for collecting DNS flows and queries. The last two lines are the most important: ARGUS_CAPTURE_DATA_LEN specifies how many bytes of user data to capture per flow, and ARGUS_FILTER uses tcpdump syntax to specify which traffic to capture.
vi /etc/argus1.conf
Copy/paste the following into /etc/argus1.conf
ARGUS_FLOW_TYPE="Bidirectional"
ARGUS_FLOW_KEY="CLASSIC_5_TUPLE"
ARGUS_DAEMON=yes
ARGUS_MONITOR_ID="DNS"
ARGUS_INTERFACE=ind:fxp1/"DNS"
ARGUS_BIND_IP="10.1.1.5"
ARGUS_GO_PROMISCUOUS=no
ARGUS_SETUSER_ID=_argus
ARGUS_SETGROUP_ID=_argus
ARGUS_OUTPUT_FILE=/var/argus/argus1.out
ARGUS_FLOW_STATUS_INTERVAL=5
ARGUS_MAR_STATUS_INTERVAL=60
ARGUS_GENERATE_PACKET_SIZE=yes
ARGUS_GENERATE_MAC_DATA=yes
ARGUS_GENERATE_APPBYTE_METRIC=yes
ARGUS_TUNNEL_DISCOVERY="yes"
ARGUS_PACKET_CAPTURE_FILE="/var/argus/argus1.cap"
ARGUS_PACKET_CAPTURE_ON_ERROR="yes"
ARGUS_CAPTURE_DATA_LEN=1024
ARGUS_FILTER="host 10.1.1.5 and (tcp port 53 or udp port 53)"
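What ends up in those 1024 bytes of user data for a port-53 flow is the raw DNS message. The following Python decoder is an added example, not code from the original post or from the Argus project; it shows the two framings the filter above admits: over UDP the payload starts with the 12-byte DNS header, while over TCP each message is prefixed with a 2-byte big-endian length (RFC 1035, section 4.2.2), so a long TCP flow can be cut off mid-message by the 1024-byte limit. The function names, the 'udp'/'tcp' parameter and the sample messages are constructed here and are not Argus APIs.

```python
"""Decode the clear-text DNS payload that argus1 captures on port 53.

Added example, not part of the original post or of the Argus project.
ARGUS_CAPTURE_DATA_LEN=1024 keeps the first 1024 bytes of each flow's
user data.  For UDP that is the DNS message itself (12-byte header first);
for TCP every message carries a 2-byte big-endian length prefix (RFC 1035,
section 4.2.2), and a long TCP flow can be cut off mid-message by the
1024-byte limit.  Function names and sample messages are constructed here.
"""
import struct

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA"}


def read_name(data, offset):
    """Read a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    end = None          # where the caller continues; set on the first pointer
    hops = 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length == 0:                  # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:        # compression pointer (RFC 1035 4.1.4)
            if offset + 2 > len(data):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:                # a malformed message could loop forever
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns_message(msg):
    """Return header fields and the question section of one DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    questions = []
    offset = 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "ancount": ancount}


def parse_captured_payload(payload, proto):
    """Decode captured user data for a port-53 flow; proto is 'udp' or 'tcp'.

    Returns a list of parsed messages.  For TCP, a message whose length
    prefix promises more bytes than were captured is dropped rather than
    misparsed, which is what happens when the 1024-byte limit cuts it off.
    """
    if proto != "tcp":
        return [parse_dns_message(payload)]
    messages = []
    offset = 0
    while offset + 2 <= len(payload):
        length = struct.unpack("!H", payload[offset:offset + 2])[0]
        chunk = payload[offset + 2:offset + 2 + length]
        if len(chunk) < length:
            break
        messages.append(parse_dns_message(chunk))
        offset += 2 + length
    return messages


def build_query(txid, name, qtype=1):
    """Build a minimal standard query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed samples: one UDP query, and a TCP stream carrying two queries.
UDP_SAMPLE = build_query(0x1234, "www.example.com")
_Q1 = build_query(0x0001, "www.example.com")
_Q2 = build_query(0x0002, "mail.example.net", qtype=28)
TCP_SAMPLE = (struct.pack("!H", len(_Q1)) + _Q1 +
              struct.pack("!H", len(_Q2)) + _Q2)

if __name__ == "__main__":
    for proto, payload in (("udp", UDP_SAMPLE), ("tcp", TCP_SAMPLE)):
        for m in parse_captured_payload(payload, proto):
            for name, qtype in m["questions"]:
                print(f"{proto} id={m['id']:#06x} {name} {qtype}")
```

The pointer-hop limit and the truncation check matter for a collector: captured payload is attacker-influenced input, and a decoder that follows compression pointers blindly or trusts a TCP length prefix beyond the captured bytes will misparse or spin on a malformed message.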
Create an rc script for each argus configuration and back up the original file.
# cp /etc/rc.d/argus /etc/rc.d/argus0
# cp /etc/rc.d/argus /etc/rc.d/argus1
# mv /etc/rc.d/argus /etc/rc.d/argus.orig
Enable the argus daemons.
# rcctl enable argus0
# rcctl enable argus1
Set flags for the argus daemons to use the appropriate configuration file.
# rcctl set argus0 flags -F /etc/argus0.conf
# rcctl set argus1 flags -F /etc/argus1.conf
Start the argus daemons.
# rcctl start argus0
# rcctl start argus1
Log Rotation
The easiest method of log rotation is to move the output file into an archive directory.
Create archive directory.
mkdir /var/argus/archive
Add the following crontab entries, which run at the top of every hour.
0 * * * * /bin/mv /var/argus/argus0.out /var/argus/archive/argus0.`date "+\%Y.\%m.\%d.\%H"`.out
0 * * * * /bin/mv /var/argus/argus1.out /var/argus/archive/argus1.`date "+\%Y.\%m.\%d.\%H"`.out