drool [-c [type:]config] [-l facility[:level]] [-L facility[:level]] [-f filter] [-i interface] [-r file.pcap] [-R mode] [-nvhV]
drool can replay DNS traffic from packet capture (PCAP) files and send it
to a specified server, with options to manipulate the timing between
packets and to loop packets infinitely or for a set number of iterations.
The tool's goal is to produce a high number of UDP packets per
second and TCP sessions per second on common hardware.
The purpose can be to simulate Distributed Denial of Service
(DDoS) attacks on the DNS and to measure normal DNS querying. For example, the
tool lets you take a snapshot of a DDoS and replay it
later to test whether new code or hardening techniques are useful, safe and
effective. Another example is replaying a packet stream for a bug
that is sequence- and/or timing-related in order to validate the efficacy of
subsequent bug fixes.
Most of the functionality of this tool is controlled by the
configuration used; see drool.conf(5) for more
information.
input -> context -+-> client pool -> target
                  +-> client pool -> target
                  +-> client pool -> target
Each file read or interface listened on is a context that runs in its
own thread, parses the input for DNS queries and puts them into a queue
within the context.
Each context can have one or more client pools.
Each client pool runs in its own thread, waits for DNS queries on
the context queue and sends them to the target.
See drool.conf(5) for the limitations of the current implementation.
- -c [type:]config
- Specify the configuration to use; if no type is given,
config is taken to be a file. Valid types are file and
text. Can be given multiple times and will be processed in the
given order. See drool.conf(5) for configuration syntax.
- -l facility[:level]
- Enable logging for facility; an optional log level can be given
to enable only that level. Can be given multiple times and will be processed in
the given order. See LOGGING for more information.
- -L facility[:level]
- Disable logging for facility; an optional log level can be
given to disable only that level. Can be given multiple times and will be
processed in the given order. See LOGGING for more information.
- -f filter
- Set the Berkeley Packet Filter to use.
- -i interface
- Capture packets from interface; can be given multiple times.
- -r file.pcap
- Read packets from PCAP file; can be given multiple times.
- -R mode
- Specify the mode for reading PCAP files, see READ MODES for available
modes.
- -n
- Dry run mode: do not allocate any outbound sockets or generate any network
traffic.
- -v
- Enable verbose output, a simple way to enable logging. Can be given multiple
times to increase the verbosity level.
- -h
- Print help and exit.
- -V
- Print version and exit.
LOGGING
Logging is enabled and disabled in the order specified on the command line, which
allows enabling all logging and then disabling specific facilities or levels, for example:
drool -l all -L network:debug
Because the options are processed in the given order, writing them the other
way round (-L network:debug -l all) would re-enable network debug logging.
The following logging facilities exist:
- core
- Log messages about initializing, configuration and start up.
- network
- Log messages about network related tasks.
- all
- Log messages for all facilities, this is only used to configure
logging.
The following logging levels exist for all facilities:
- debug
- Log messages about the very inner workings, use with caution since it
generates a lot of messages.
- info
- Log messages of the informational kind that may not be interesting in
normal operation.
- notice
- Log messages of the informational kind that may be interesting in normal
operation.
- warning
- Log messages of the warning kind that indicate possible disruption in
operation.
- error
- Log messages of the error kind that will most likely result in termination
of operation.
- critical
- Log messages of the critical kind that indicate termination of
operation.
- all
- Log messages for all levels, this is only used to configure logging.
READ MODES
- loop
- Loop the given file(s) until interrupted.
- iter:number
- Iterate over the given file(s) number times.
drool will exit once processing of the PCAP files is complete or if it is
interrupted (CTRL-C or SIGINT). If any interface is being processed or if the loop
read mode is being used, drool must be interrupted in order to
exit.
drool can be forcefully exited by interrupting it (CTRL-C or
SIGINT) twice.
0 - no error
1 - generic error
2 - unknown or invalid option
3 - conf file error
4 - signal setup or handling error
5 - signal received
6 - pcap-thread error
7 - out of memory
- drool -vv -c 'text:timing multiply 0.5; client_pool target "127.0.0.1" "53"; client_pool sendas udp;' -r file.pcap
- Send all DNS queries twice as fast as found in the PCAP file
to localhost using UDP.
- drool -vv -c 'text:filter "tcp"; client_pool target "127.0.0.1" "53";' -r file.pcap
- Only look for DNS queries in TCP traffic and send them to
localhost.
- drool -vv -c 'text:filter "port 53"; client_pool target "172.16.1.2" "53";' -i eth0
- Listen for DNS queries on eth0 and send them to a (presumably
internal) server.
- drool -vv -c 'text:filter "udp"; timing ignore; context client_pools 5; client_pool target "127.0.0.1" "53"; client_pool skip_reply;' -r file.pcap
- Take all UDP DNS queries found in the PCAP file and send them
as fast as possible to localhost by ignoring both timing and replies and
starting 5 client pools (threads) per context that send queries simultaneously.
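A way to put the options above together safely, as an added example that is not part of drool or its man page: run the replay in dry run mode (-n) first, so that the configuration and the PCAP are parsed without any outbound socket being opened, and only send traffic if that run exits 0. Only options, configuration directives and exit codes that appear on this page are used; the target address, port, file name, the DROOL variable and the function names are assumptions of the example.

```sh
#!/bin/sh
# Added example (not part of drool): dry run before a real replay.
# The target address, port and PCAP name given on the command line are
# assumptions; DROOL lets you point at a non-default drool binary.

# Map a drool exit status to the description given under the exit codes above.
drool_exit_msg() {
    case "$1" in
        0) echo "no error" ;;
        1) echo "generic error" ;;
        2) echo "unknown or invalid option" ;;
        3) echo "conf file error" ;;
        4) echo "signal setup or handling error" ;;
        5) echo "signal received" ;;
        6) echo "pcap-thread error" ;;
        7) echo "out of memory" ;;
        *) echo "unknown exit status $1" ;;
    esac
}

# Build an inline configuration in the "-c text:..." form used in EXAMPLES.
# $1 = target address, $2 = target port, $3 = timing multiplier.
# Only directives that appear in this man page's examples are used.
drool_text_conf() {
    printf 'text:filter "udp"; timing multiply %s; client_pool target "%s" "%s"; client_pool sendas udp;' \
        "$3" "$1" "$2"
}

# Dry run first, then replay once.
# $1 = PCAP file, $2 = target address, $3 = target port, $4 = timing multiplier (default 1.0)
safe_replay() {
    pcap=$1; target=$2; port=$3; mult=${4:-1.0}
    conf=$(drool_text_conf "$target" "$port" "$mult")

    # -n: parse configuration and PCAP, allocate no sockets, send nothing.
    rc=0
    "${DROOL:-drool}" -n -c "$conf" -r "$pcap" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "dry run failed: $(drool_exit_msg "$rc")" >&2
        return "$rc"
    fi

    # Real replay: one pass over the file (-R iter:1), verbose logging on.
    rc=0
    "${DROOL:-drool}" -vv -c "$conf" -R iter:1 -r "$pcap" || rc=$?
    echo "replay finished: $(drool_exit_msg "$rc")" >&2
    return "$rc"
}

# usage: ./safe_replay.sh file.pcap 127.0.0.1 53 0.5
if [ "$#" -ge 3 ]; then
    safe_replay "$@"
fi
```

The dry run catches a malformed configuration (exit status 3) or an unreadable capture before any packet leaves the host, and it is also the moment to double-check the client_pool target: replaying a captured DDoS against anything other than a test server you control is itself an attack. The -R iter:1 read mode keeps the real run to a single pass; use loop only when you intend to stop it by hand.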
Jerry Lundström, DNS-OARC
Maintained by DNS-OARC
https://www.dns-oarc.net/
For issues and feature requests please use:
https://github.com/DNS-OARC/drool/issues
For questions and help please use:
admin@dns-oarc.net