detect-external-names.zeek

DNS

This script detects names which are not within zones considered to be local but resolving to addresses considered local. The Site::local_zones variable must be set appropriately for this detection.

Namespace:: DNS
Imports:: base/frameworks/notice, base/utils/site.zeek

Summary

Runtime Options

DNS::skip_resp_host_port_pairs: set &redef

Default is to ignore mDNS broadcasts.

Redefinitions

Notice::Type: enum

DNS::External_Name: Raised when a non-local name is found to be pointing at a local host.

Detailed Interface

Runtime Options

DNS::skip_resp_host_port_pairs 

Type:

set [addr, port]

Attributes:

&redef

Default:

{
   [224.0.0.251, 5353/udp] ,
   [ff02::fb, 5353/udp]
}

Default is to ignore mDNS broadcasts.