description

mod_urstate is an ncaptool dns message parsing plugin that attempts to
detect unsolicited dns responses, i.e. responses for which no matching
outstanding query was observed, which may be indicative of cache poisoning
attempts.  it does this by statefully tracking the application-layer state
of the dns transactions between recursive and authoritative dns servers. it
gracefully handles query retransmissions due to client timeouts and
byte-identical (duplicate) responses from dns authorities, neither of which
is reported as unsolicited.
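the following python sketch is an added illustration of the stateful check
described above; it is not mod_urstate's code (the plugin itself is written
in C on top of libJudy) and it makes assumptions about details the text does
not give: transactions are keyed on client address/port, server address/port,
transaction id, qname and qtype (the same values a resolver must see match
before accepting a reply), the transaction cache is capped by evicting the
oldest entry, and a second, byte-different reply to an already answered
transaction gets its own "conflicting" verdict. the dns messages are
constructed inline.

```python
"""Stateful unsolicited-response check (added example, not mod_urstate)."""
import struct
from collections import OrderedDict


def build_dns(txid, qname, qtype=1, response=False, answers=()):
    """Build a minimal DNS message: one question, optional A records."""
    flags = 0x8180 if response else 0x0100            # QR|RD|RA vs. RD only
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode()
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    msg = hdr + name + struct.pack("!HH", qtype, 1)   # class IN
    for ip in answers:                                # A RR, name as pointer
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def parse_question(msg):
    """Return (txid, is_response, qname, qtype) from header and question."""
    txid, flags = struct.unpack("!HH", msg[:4])
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode().lower())
        off += 1 + n
    qtype = struct.unpack("!H", msg[off + 1:off + 3])[0]
    return txid, bool(flags & 0x8000), ".".join(labels) + ".", qtype


class TransactionTracker:
    """Tracks query/response state; `limit` plays the role of -L."""

    def __init__(self, limit):
        self.limit = limit
        self.outstanding = OrderedDict()   # key -> None, reply not yet seen
        self.answered = OrderedDict()      # key -> bytes of first reply

    def _insert(self, table, key, value):
        # assumption: the hard cap evicts the oldest entry
        if key not in table and len(table) >= self.limit:
            table.popitem(last=False)
        table[key] = value

    def observe(self, src, dst, msg):
        """src/dst are (ip, port). Returns a verdict string."""
        txid, is_response, qname, qtype = parse_question(msg)
        if not is_response:
            key = (src, dst, txid, qname, qtype)
            if key in self.outstanding:
                self.outstanding.move_to_end(key)
                return "retransmit"        # client timed out and re-asked
            self.answered.pop(key, None)   # a fresh ask reopens the txn
            self._insert(self.outstanding, key, None)
            return "query"
        key = (dst, src, txid, qname, qtype)   # reply flows server -> client
        if key in self.outstanding:
            del self.outstanding[key]
            self._insert(self.answered, key, msg)
            return "solicited"
        prior = self.answered.get(key)
        if prior is None:
            return "unsolicited"           # no matching query: poisoning?
        if prior == msg:
            return "duplicate"             # byte-identical repeat, benign
        return "conflicting"               # same txn, different answer


if __name__ == "__main__":
    t = TransactionTracker(limit=1024)
    client, auth = ("192.0.2.10", 40000), ("198.51.100.1", 53)
    print(t.observe(client, auth, build_dns(0x1234, "www.example.com")))
    print(t.observe(auth, client, build_dns(0x1234, "www.example.com",
                                            response=True,
                                            answers=("192.0.2.1",))))
```

note the failure mode the cap introduces: once the outstanding table is
full, the oldest query is forgotten and its perfectly legitimate reply will
be reported as unsolicited, so the limit has to be sized for the number of
transactions actually in flight on the monitored link.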

installation instructions:

install dependencies:

        bind9 configured with --enable-libbind

        on freebsd, the easiest way to do this seems to be to install the
        dns/bind94 port, edit the port's Makefile to add --enable-libbind to
        the CONFIGURE_ARGS variable, and compile and install the port with
        the "REPLACE_BASE" option selected.
        
        on debian, install the libbind-dev package.

        ncaptool:    libpcap (freebsd: net/libpcap, debian: libpcap0.8-dev)
        mod_urstate: libJudy (freebsd: devel/judy, debian: libjudy-dev)

fetch the software:

        ftp://ftp.isc.org/isc/ncap/ncaptool-1.0.0.tar.gz
        ftp://ftp.isc.org/isc/ncap/mod_urstate-1.1.0.tar.gz

extract, build, and make install ncaptool. you may have to customize the
ncaptool Makefile for your system. (on debian, `make -f Makefile.debian`
instead.)

extract, build, and make install mod_urstate.

usage:

example invocation, monitoring recursive traffic, storing data in /home/ncap
and sniffing on interface eth0 promiscuously:

        OUT="/home/ncap/urstate"
        MODULE="-D/usr/local/lib/ncaptool/mod_urstate.so,-o $OUT -L 1048576"

        ncaptool -t 3600 -k gzip -i eth0+ "$MODULE" dns

this will output ncap format files to /home/ncap prefixed with "urstate" and
suffixed with a timestamp. every hour the file will be rotated and gzip will
be invoked on the rotated file. a hard limit of 1048576 entries in the
transaction cache will be enforced; a response whose query was not tracked
because that limit was reached cannot be matched, so size -L for the number
of transactions in flight on the monitored link rather than leaving it at
the example value.

to inspect a compressed ncap file, run something like this:

        zcat "$FILE" | ncaptool -n - -vmg -