DNS Chain

This module contains the DNSChain flow analysis chain which can be used by PATHspider’s Observer for recording Domain Name System [RFC1035] details.

class pathspider.chains.dns.DNSChain[source]

This flow analysis chain records details from Domain Name System application data.

Field Name

Type

Meaning

dns_response_valid

bool

The flow contained a valid DNS response
new_flow(rec, ip)[source]

For a new flow, all fields will be initialised to False.

Parameters

  • rec (dict) – the flow record

  • ip (plt.ip or plt.ip6) – the IP or IPv6 packet that triggered the creation of a new flow record

Returns

Always True

Return type

bool

tcp(rec, tcp, rev)[source]

Records DNS details from TCP segment.

DNS Response

If the packet contains a payload, an attempt is made to parse it and if successful the dns_response_valid field is set to True if it was a response (not a query).

Parameters

  • rec (dict) – the flow record

  • tcp – the TCP packet that was observed to be part of this flow

  • rev (bool) – True if the packet was in the reverse direction, False if in the forward direction

Returns

False if a valid DNS response has been seen, otherwise True

Return type

bool

udp(rec, udp, rev)[source]

Records DNS details from UDP datagram.

DNS Response

If the packet contains a payload, an attempt is made to parse it and if successful the dns_response_valid field is set to True if it was a response (not a query).

Parameters

  • rec (dict) – the flow record

  • tcp – the UDP packet that was observed to be part of this flow

  • rev (bool) – True if the packet was in the reverse direction, False if in the forward direction

Returns

False if a valid DNS response has been seen, otherwise True

Return type

bool