Installation

4Quarks edited this page Jun 7, 2024 · 84 revisions

A complete pDNSSOC deployment requires:

  • A collector on the DNS server
  • A collector and a correlator on the pDNSSOC server

Collectors

!!! Installed in both the DNS sensor and pDNSSOC server !!!

  1. Create the user that will run the service:

    sudo useradd --system --no-create-home --shell /usr/sbin/nologin dnscollector
  2. Define the version of the go-dnscollector that you want to install:

    A. Get the latest version:

    GO_DNSCOLLECTOR_VERSION=$(curl -s https://api.github.com/repos/dmachard/go-dnscollector/releases/latest | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/^v//')

    B. Manually check https://github.com/dmachard/go-dnscollector/releases/ and define the variable:

    GO_DNSCOLLECTOR_VERSION=X.X.X
  3. Install go-dnscollector

    curl -LO  "https://github.com/dmachard/go-dnscollector/releases/download/v${GO_DNSCOLLECTOR_VERSION}/go-dnscollector_${GO_DNSCOLLECTOR_VERSION}_linux_amd64.tar.gz" && \
    tar xvf "go-dnscollector_${GO_DNSCOLLECTOR_VERSION}_linux_amd64.tar.gz" && \
    mv go-dnscollector /usr/bin/
  4. Adjust the permissions for the user to be able to run go-dnscollector:

    chmod +x /usr/bin/go-dnscollector
    chcon -t bin_t /usr/bin/go-dnscollector
    setcap cap_net_raw=eip /usr/bin/go-dnscollector
  5. Create the configuration file config.yml from one of the following templates and adjust it to your setup:

    Option A. For the DNS sensor use the client template.

    mkdir /etc/dnscollector
    curl -o /etc/dnscollector/config.yml https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/dnscollector/client.yml
    vi /etc/dnscollector/config.yml

    Option B. For pDNSSOC server use the server template:

    mkdir /etc/dnscollector
    curl -o /etc/dnscollector/config.yml https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/dnscollector/server.yml
    vi /etc/dnscollector/config.yml
    ## In addition you need to create the following directories and files:
    mkdir -p /var/dnscollector/matches /var/dnscollector/alerts
    touch /var/dnscollector/alerts/matches.json /var/dnscollector/misp_ips.txt /var/dnscollector/misp_domains.txt /var/dnscollector/queries.json
  6. Adjust files and directory permissions:

    chown dnscollector:dnscollector /usr/bin/go-dnscollector
    chown -R root:dnscollector /etc/dnscollector
    chown -R dnscollector:dnscollector /etc/dnscollector/*
    chown root:dnscollector /var/dnscollector
    chown -R dnscollector:dnscollector /var/dnscollector/*
  7. Test the configuration file to make sure it doesn't have typos:

    go-dnscollector -config /etc/dnscollector/config.yml -test-config
  8. Execute the collector:

    A. Configure the collector as a service:

    curl -o /etc/systemd/system/dnscollector.service https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/dnscollector/dnscollector.service
    systemctl daemon-reload
    systemctl start dnscollector
    systemctl enable dnscollector

    B. Start the collector manually:

    go-dnscollector -config /etc/dnscollector/config.yml
  9. !Only on the pDNSSOC collector! Ensure that the collecting port set in the configuration file is reachable from the DNS sensor, i.e. open in the local firewall. For example:

    sudo firewall-cmd --zone=public --add-port=7001/tcp --permanent
    sudo firewall-cmd --zone=public --add-port=7001/udp --permanent
    sudo firewall-cmd --reload

Test installation

  • Check if the service is running and its logs:

    # systemctl status dnscollector
    # journalctl -u dnscollector -f
  • Check if the process is running:

    # ps -aux | grep dnscollector
    dnscoll+   37571  0.0  1.1 1395372 40108 ?       Ssl  May23   2:03 /usr/bin/go-dnscollector -c /etc/dnscollector/config.yml
  • Check if the connection has been established. We will use the port 7001 as example:

    A. From the DNS sensor:

    # netstat -putan | grep 7001
    tcp        0      0 IP_DNS:59450            IP_PDNSSOC:7001         ESTABLISHED 37571/go-dnscollect 

    B. From pDNSSOC:

    # netstat -putan | grep 7001
    tcp6       0      0 :::7001                 :::*                    LISTEN      19378/go-dnscollect 
    tcp6       0      0 IP_PDNSSOC:7001         IP_DNS:59450            ESTABLISHED 19378/go-dnscollect
  • Check if the pDNSSOC collector is receiving logs:

    # tail /var/dnscollector/queries.json
    # tcpdump -i eth0 -A port 7001

Correlator

!!! Installed in the pDNSSOC instance (pDNSSOC server) !!!

  1. Create the pdnssoccli directory with the right permissions:

    mkdir /etc/pdnssoccli
    chown root:dnscollector /etc/pdnssoccli
  2. Copy the postrotate script:

    curl -o /etc/pdnssoccli/postrotate_query.sh https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/dnscollector/postrotate_query.sh
  3. Install pdnssoc-cli:

    sudo yum install python3-pip
    pip3 install pdnssoc-cli
  4. Create the pdnssoccli configuration file (pdnssoccli.yml) under /etc/pdnssoccli and modify it based on the pdnssoccli template. For details, see the configuration documentation.

    curl -o /etc/pdnssoccli/pdnssoccli.yml https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/pdnssoccli/pdnssoccli.yml
    vi /etc/pdnssoccli/pdnssoccli.yml
  5. Install the supervisor tooling:

    pip3 install supervisor superfsmon
  6. Create the supervisord configuration file (supervisord.conf) under /etc/pdnssoccli and modify it based on the template.

    curl -o /etc/pdnssoccli/supervisord.conf https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/supervisor/supervisord.conf
    chown -R dnscollector:dnscollector /etc/pdnssoccli/*
  7. Finally, launch supervisord.

    A. Configure the correlator as a service:

    curl -o /etc/systemd/system/supervisord.service https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/pdnssoccli/supervisord.service
    systemctl daemon-reload
    systemctl start supervisord
    systemctl enable supervisord
    systemctl status supervisord

    B. Manual execution:

    supervisord -c /etc/pdnssoccli/supervisord.conf
  8. If you want to receive email alerts, fetch the notification template:

    curl -o /etc/pdnssoccli/alert_email.html https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/pdnssoccli/notification_email.html

Test installation

  • Check that the service is running and its logs:

    # systemctl status supervisord
    # journalctl -u supervisord -f
  • Check that the process is running:

    # ps -aux | grep supervisord
    dnscoll+   19392  0.0  0.7  30060 25412 ?        Ss   11:55   0:00 /usr/bin/python3 /usr/local/bin/supervisord -c /etc/pdnssoccli/supervisord.conf
  • Check the location where pdnssoc-cli was installed:

    # pip show pdnssoc-cli
  • Verify that the pDNSSOC command line tool works:

    # pdnssoc-cli fetch-iocs
    # pdnssoc-cli correlate
    # pdnssoc-cli alert
  • Verify that pdnssoccli.yml has the right format:

    # pip install yamllint
    # yamllint /etc/pdnssoccli/pdnssoccli.yml
  • Check that the IOCs could be fetched from MISP:

    # tail /var/dnscollector/misp_domains.txt
    # tail /var/dnscollector/misp_ips.txt
  • Test a malicious domain resolution to check that the alerts are created. You can use any domain from misp_domains.txt:

    # dig @IP_DNS maliciousdomain.com
    # cat /var/dnscollector/queries.json | grep maliciousdomain.com
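The grep in the last bullet matches any query whose name merely contains the string (notmaliciousdomain.com would match too). As an added example, not code from pDNSSOC or from this wiki, here is an offline check of the same correlation that matches IOCs by DNS label, exactly or as a parent domain, run over constructed query lines; the JSON field names dns.qname and network.query-ip are assumed from go-dnscollector's JSON logger and may differ from what the server template writes.

```python
import json

# Constructed stand-in for /var/dnscollector/misp_domains.txt (one IOC per line).
MISP_DOMAINS_TXT = """\
maliciousdomain.com
evil.example.net

"""

# Constructed stand-in for /var/dnscollector/queries.json: one JSON object per
# line, in the style of go-dnscollector's JSON logger. The field names
# dns.qname and network.query-ip are an assumption, not taken from the wiki.
QUERIES_JSON = "\n".join([
    '{"network":{"query-ip":"IP_HOST1"},"dns":{"qname":"maliciousdomain.com","qtype":"A"}}',
    '{"network":{"query-ip":"IP_HOST1"},"dns":{"qname":"www.maliciousdomain.com","qtype":"A"}}',
    '{"network":{"query-ip":"IP_HOST2"},"dns":{"qname":"notmaliciousdomain.com","qtype":"A"}}',
    '{"network":{"query-ip":"IP_HOST2"},"dns":{"qname":"cern.ch","qtype":"AAAA"}}',
    'partial line left by a rotation in progress',
])


def load_iocs(text):
    """Normalise the IOC list: lower-case, no trailing dot, blank lines dropped."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines() if ln.strip()}


def ioc_for(qname, iocs):
    """Return the IOC that equals qname or is one of its parent domains, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def correlate(queries_jsonl, iocs):
    """Return one hit per query line whose qname matches an IOC by label, not by substring."""
    hits = []
    for line in queries_jsonl.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written or rotated line must not abort the check
        qname = rec.get("dns", {}).get("qname", "")
        ioc = ioc_for(qname, iocs)
        if ioc:
            hits.append({"client": rec.get("network", {}).get("query-ip"),
                         "qname": qname, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in correlate(QUERIES_JSON, load_iocs(MISP_DOMAINS_TXT)):
        print(hit)
```

Point the two constants at the real files on the pDNSSOC server to compare its output with what pdnssoc-cli correlate reports.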

DNS Server (for testing)

To set up a test environment, you can easily deploy a Bind9 DNS server by following the steps outlined below. Please note that the provided template and installation instructions are intended for testing purposes only and are NOT suitable for a production environment. For best practices and production setups, please refer to the Official Documentation.

  1. Install Bind9:

    dnf copr enable isc/bind
    yum install isc-bind
  2. Create the log directory and edit the named.conf file using the template:

    mkdir -p /var/log/named
    chown named:named /var/log/named
    curl -o /etc/opt/isc/scls/isc-bind/named.conf https://raw.githubusercontent.com/CERN-CERT/pDNSSOC/main/files/configuration/test_lab/named.conf
    vim /etc/opt/isc/scls/isc-bind/named.conf
    chown named:named /etc/opt/isc/scls/isc-bind/named.conf
    sudo -u named /opt/isc/isc-bind/root/usr/bin/named-checkconf /etc/opt/isc/scls/isc-bind/named.conf
  3. Start and enable the DNS service:

    systemctl start isc-bind-named
    systemctl enable isc-bind-named
    systemctl status isc-bind-named
  4. Open the internal firewall if you want to resolve domains from other instances:

    systemctl start firewalld
    systemctl enable firewalld
    firewall-cmd --permanent --add-service=dns
    firewall-cmd --reload
    firewall-cmd --list-all

Test installation

  • Check that the DNS server can resolve domains and that the query is written to the dnstap log:

    host1# dig @IP_DNS maliciousdomain.com
    dns# /opt/isc/isc-bind/root/usr/bin/dnstap-read /var/log/named/dnstap.log
    27-May-2024 17:57:01.255 CQ IP_HOST1:47263 -> IP_DNS:53 UDP 49b maliciousdomain.com/IN/A