Configuration

4Quarks edited this page Mar 6, 2024 · 3 revisions
```mermaid
graph LR

    subgraph A[pDNSSOC Client]
        B[DNS Server] -- DNS Logs --> C[go-dnscollector]
    end

    subgraph D[pDNSSOC Server]
        E[go-dnscollector] --> F[pDNSSOC]
    end

    C -- dnstap --> E

    F --> G[Alerts]

    H[MISP] -- attributes ---> D
```

DNS sensor (pDNSSOC client)

The DNS sensor of choice is go-dnscollector. Full configuration options can be found in the dedicated documentation page. For pDNSSOC, the following configuration requirements apply:

  • Source (collector in go-dnscollector terminology) can be any of the supported ones. For optimal performance and data quality, we suggest dnstap or AF_PACKET.
  • Destination (logger in go-dnscollector terminology) should be dnstap.

The configuration should be based on the client template.

pDNSSOC (pDNSSOC server)

Ingestion collector

The ingestion collector is also based on go-dnscollector. The configuration should be based on the server template.
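The client requirements above (any supported collector as source, dnstap as destination) and the server-side ingestion collector, combined into an added example that is not the project's own client or server template. Key names follow the go-dnscollector multiplexer format as I remember it, and the addresses, port, sensor id and file paths are placeholders; verify every key against the go-dnscollector documentation and the pDNSSOC templates before use.

```yaml
# Added example: go-dnscollector configs for a pDNSSOC client and server.
# Key names follow the go-dnscollector "multiplexer" format as I recall it;
# addresses, ports and file paths are assumptions. Check every key against the
# official go-dnscollector documentation and the pDNSSOC client/server templates.

# --- pDNSSOC client (DNS sensor), one per DNS server ---
multiplexer:
  collectors:
    # Source: AF_PACKET capture of port 53 on the resolver's interface.
    # A dnstap collector fed directly by the resolver is the other suggested option.
    - name: sniffer
      afpacket:
        port: 53
        device: eth0
  loggers:
    # Destination must be dnstap, streamed to the pDNSSOC server.
    - name: to-pdnssoc
      dnstap:
        remote-address: 203.0.113.10   # pDNSSOC server (documentation address)
        remote-port: 6000
        server-id: dns-sensor-01       # identifies this sensor in the ingested logs
        tls-support: true              # encrypt the log stream across the network
  routes:
    - from: [ sniffer ]
      to: [ to-pdnssoc ]

---
# --- pDNSSOC server (ingestion collector) ---
multiplexer:
  collectors:
    # Receives the dnstap streams from every client.
    - name: ingest
      dnstap:
        listen-ip: 0.0.0.0
        listen-port: 6000
        tls-support: true
        cert-file: /etc/pdnssoc/server.crt   # assumed paths
        key-file: /etc/pdnssoc/server.key
  loggers:
    # Persist as JSON so pdnssoc-cli can correlate the logs with MISP attributes.
    - name: archive
      logfile:
        file-path: /var/log/pdnssoc/dns.log
        mode: json
  routes:
    - from: [ ingest ]
      to: [ archive ]
```

TLS on the dnstap link is enabled here because the sensor ships query logs across the network to the server; the project's templates may configure the transport differently.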

Correlation + Alerting (pdnssoc-cli)

This element is used to correlate threat intelligence from MISP with DNS logs from clients. pdnssoc-cli provides various configuration options, both for querying multiple MISP instances and for defining specific time periods for event tags. More information can be found here.
