This artifact uses eBPF to track DNS requests from various processes.
NOTE: This event is generated from network traffic - it is unable to view DoH traffic.
name: Linux.Events.DNS
description: |
This artifact uses eBPF to track DNS requests from various processes.
NOTE: This event is generated from network traffic - it is unable to
view DoH traffic.
type: CLIENT_EVENT
precondition: |
SELECT OS From info() where OS = 'linux'
parameters:
- name: ExcludeDestIP
description: Only show events with a different DestIP
type: regex
default: "Change this to your default DNS Server IP"
- name: Records
description: Only show events matching these DNS records
type: regex
default: .
- name: ProcessNameFilter
description: Filter Events by Process Name
type: regex
default: .
- name: IncludeDNSDetails
type: bool
description: If set we include more details like HTTP Headers
- name: IncludeProcessInfo
type: bool
description: If set we include more process information.
sources:
- query: |
SELECT System.Timestamp AS Timestamp,
System.ProcessName AS ProcessName,
System.ProcessID AS Pid,
if(condition=IncludeProcessInfo,
then=process_tracker_get(id=System.ProcessID).Data) AS ProcessInfo,
EventData.src AS src_ip,
EventData.src_port AS src_port,
EventData.dst AS dest_ip,
EventData.dst_port AS dest_port,
EventData.proto_dns.questions.name AS name,
EventData.proto_dns.questions.type AS type,
EventData.proto_dns.answers.IP AS IP,
if(condition=IncludeDNSDetails,
then=EventData) AS _DNSData
FROM delay(delay=2, query={
SELECT * FROM watch_ebpf(events="net_packet_dns")
})
WHERE NOT dest_ip =~ ExcludeDestIP
AND if(condition=Records, then=EventData.proto_dns =~ Records, else=TRUE)
AND ProcessName =~ ProcessNameFilter