Update cheatsheet

Signed-off-by: mi2428 <[email protected]>
wide-vsix · Aug 25, 2021 · 93f448c · 93f448c
1 parent 9ae67a1
commit 93f448c
Showing 1 changed file with 79 additions and 41 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # dns-query-interceptor
 Tiny program intercepting DNS queries
 
-[![asciicast](https://asciinema.org/a/431381.svg)](https://asciinema.org/a/431381?autoplay=1)
+[![asciicast](https://asciinema.org/a/432218.svg)](https://asciinema.org/a/432218?autoplay=1)
 
 ## Use alone
 Golang compiler and `libpcap-dev` are needed to build - you may get the latest binary from [Releases](https://github.com/wide-vsix/dns-query-interceptor/releases).
@@ -17,14 +17,15 @@ Following options are available:
 
 ```
 % interceptor -h
--i, --dev string                Capturing interface name
--q, --quiet                     Suppress standard output
-    --db-host string            Postgres server address to store queries (e.g., localhost:5432)
-    --db-name string            Database name to store queries
-    --db-user string            Username to login DB
-    --db-password-file string   Path of plaintext password file
--h, --help                      Show help message
--v, --version                   Show build version
+  -i, --dev string                Interface name
+  -q, --quiet                     Suppress standard output
+  -A, --with-response             Store responses to AAAA queries
+      --db-host string            Postgres server address to store logs (e.g., localhost:5432)
+      --db-name string            Database name to store
+      --db-user string            Username to login
+      --db-password-file string   Password to login - path of a text file containing plaintext password
+  -h, --help                      Show help message
+  -v, --version                   Show build version
 ```
 
 ## Use with PostgreSQL
@@ -45,7 +46,7 @@ Uninstall from systemd and purge the database - note that this is a destructive
 ```
 
 ## Cheat sheet
-### Show stored queries via CLI
+### Show stored queries and responses via CLI
 Login postgres:
 
 ```
@@ -60,11 +61,12 @@ Show tables:
 
 ```
 interceptor=# \dt+
-                            List of relations
- Schema |    Name    | Type  | Owner | Persistence | Size  | Description 
---------+------------+-------+-------+-------------+-------+-------------
- public | query_logs | table | vsix  | permanent   | 20 MB | 
-(1 row)
+                              List of relations
+ Schema |     Name      | Type  | Owner | Persistence |  Size  | Description 
+--------+---------------+-------+-------+-------------+--------+-------------
+ public | query_logs    | table | vsix  | permanent   | 544 kB | 
+ public | response_logs | table | vsix  | permanent   | 216 kB | 
+(2 rows)
 ```
 
 Show the number of stored queries:
@@ -96,18 +98,19 @@ Show **10 most recent** queries - replace `DESC` with `ASC` to show the oldest.
 
 ```
 interceptor=# SELECT received_at, src_ip, dst_ip, src_port, query_string, query_type FROM query_logs ORDER BY received_at DESC LIMIT 10;
-          received_at          |                src_ip                |         dst_ip         | src_port |          query_string           | query_type 
--------------------------------+--------------------------------------+------------------------+----------+---------------------------------+------------
- 2021-08-24 14:58:02.387654+09 | 2001:200:e20:20:8261:5fff:fe06:76f   | 2001:4860:4860::6464   |    32962 | signaler-pa.clients6.google.com | AAAA
- 2021-08-24 14:58:02.385579+09 | 2001:200:e20:20:8261:5fff:fe06:76f   | 2001:4860:4860::6464   |    32962 | signaler-pa.clients6.google.com | A
- 2021-08-24 14:58:01.27995+09  | 2001:200:e00:b0::110                 | 2001:4860:4860::6464   |    40752 | github.com                      | AAAA
- 2021-08-24 14:58:01.277657+09 | 2001:200:e00:b0::110                 | 2001:4860:4860::6464   |    55013 | github.com                      | A
- 2021-08-24 14:58:00.028033+09 | 2001:200:e20:100:20b4:db4b:c060:dcb7 | 2001:200:e00:b11::6464 |    64533 | ssl.gstatic.com                 | A
- 2021-08-24 14:58:00.025753+09 | 2001:200:e20:100:20b4:db4b:c060:dcb7 | 2001:200:e00:b11::6464 |    57575 | ssl.gstatic.com                 | AAAA
- 2021-08-24 14:57:59.835872+09 | 2001:200:e20:100:20b4:db4b:c060:dcb7 | 2001:200:e00:b11::6464 |    20262 | docs.google.com                 | AAAA
- 2021-08-24 14:57:59.833792+09 | 2001:200:e20:100:20b4:db4b:c060:dcb7 | 2001:200:e00:b11::6464 |    65360 | docs.google.com                 | A
- 2021-08-24 14:57:59.35588+09  | 2001:200:e20:20:8261:5fff:fe06:76f   | 2001:4860:4860::6464   |    44963 | api.software.com                | AAAA
- 2021-08-24 14:57:59.353761+09 | 2001:200:e20:20:8261:5fff:fe06:76f   | 2001:4860:4860::6464   |    44963 | api.software.com                | A
+           received_at          |               src_ip               |        dst_ip        | src_port |       query_string        | query_type 
+-------------------------------+------------------------------------+----------------------+----------+---------------------------+------------
+ 2021-08-25 17:24:21.608003+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    41148 | vortex.data.microsoft.com | AAAA
+ 2021-08-25 17:24:21.605671+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    41148 | vortex.data.microsoft.com | A
+ 2021-08-25 17:24:21.160051+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    34097 | api.software.com          | AAAA
+ 2021-08-25 17:24:21.157676+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    34097 | api.software.com          | A
+ 2021-08-25 17:24:18.084043+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    42993 | ws.todoist.com            | AAAA
+ 2021-08-25 17:24:18.081667+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    42993 | ws.todoist.com            | A
+ 2021-08-25 17:24:11.075838+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    35101 | api.software.com          | AAAA
+ 2021-08-25 17:24:11.073594+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    35101 | api.software.com          | A
+ 2021-08-25 17:24:08.960203+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    41947 | www.google.com            | AAAA
+ 2021-08-25 17:24:08.957728+09 | 2001:200:e20:20:8261:5fff:fe06:76f | 2001:4860:4860::6464 |    41947 | www.google.com            | A
+(10 rows)
 ```
 
 Count the number of A and AAAA requests **per FQDN** and show the **top 10** domains - replace `query_string` with `src_ip` to show per clients.
@@ -131,29 +134,64 @@ interceptor=# SELECT query_string, COUNT(*) AS total, COUNT(*) FILTER(WHERE quer
 interceptor=# SELECT src_ip, COUNT(*) AS total, COUNT(*) FILTER(WHERE query_type='A') AS a, COUNT(*) FILTER(WHERE query_type='AAAA') AS aaaa FROM query_logs GROUP BY src_ip ORDER BY total DESC LIMIT 10;
                 src_ip                | total |  a   | aaaa 
 --------------------------------------+-------+------+------
- 2001:200:e20:20:8261:5fff:fe06:76f   |  2858 | 1422 | 1422
- 2001:200:e20:100:20b4:db4b:c060:dcb7 |  1347 |  162 |  590
- 2001:200:e20:100:d59a:c6b5:dfe9:5259 |   462 |   56 |  297
- 2001:200:e20:100:65e4:5dd1:86a1:7639 |   373 |   11 |  207
- 2001:200:e00:b0::110                 |   112 |   56 |   56
- 2001:200:e20:100:995a:21a9:db18:db62 |   100 |    3 |   52
- 2001:200:e20:20:5054:fe08:4c7e:c08f  |    18 |    7 |   11
+ 2001:200:e20:110:2567:dc41:6982:c766 |  2526 |  340 | 1093
+ 2001:200:e20:20:8261:5fff:fe06:76f   |  2475 | 1236 | 1239
+ 2001:200:e20:110:8585:cb6d:cfd0:9a47 |  1415 |   30 |  741
+ 2001:200:e00:b0::110                 |   126 |   66 |   60
+ 2001:200:e20:20:c16e:2e1a:89d6:5c07  |    20 |   11 |    9
+ 2001:200:e20:c0:8385:4b2a:d7e5:4490  |    14 |    8 |    6
+ 2001:200:e20:30:20c:29ff:fe51:3a     |     7 |    0 |    3
 (7 rows)
 ```
 
 Calculate the ratio of A's query count to AAAA's count normalized by the total, i.e., a degree of IPv4 dependency, and show the **worst 10** clients.
 
 ```
 interceptor=# SELECT src_ip, (COUNT(*) FILTER(WHERE query_type='A') - COUNT(*) FILTER(WHERE query_type='AAAA')) * 100 / COUNT(*) AS v4_dependency FROM query_logs GROUP BY src_ip ORDER BY v4_dependency DESC LIMIT 10;
-                src_ip                | v4_dependency 
+                 src_ip                | v4_dependency 
 --------------------------------------+---------------
+ 2001:200:e20:c0:8385:4b2a:d7e5:4490  |            14
+ 2001:200:e20:20:c16e:2e1a:89d6:5c07  |            10
+ 2001:200:e00:b0::110                 |             5
  2001:200:e20:20:8261:5fff:fe06:76f   |             0
- 2001:200:e00:b0::110                 |             0
- 2001:200:e20:100:20b4:db4b:c060:dcb7 |           -28
- 2001:200:e20:20:5054:fe08:4c7e:c08f  |           -33
- 2001:200:e20:100:995a:21a9:db18:db62 |           -49
- 2001:200:e20:100:65e4:5dd1:86a1:7639 |           -50
- 2001:200:e20:100:d59a:c6b5:dfe9:5259 |           -52
+ 2001:200:e20:110:2567:dc41:6982:c766 |           -29
+ 2001:200:e20:30:20c:29ff:fe51:3a     |           -42
+ 2001:200:e20:110:8585:cb6d:cfd0:9a47 |           -50
+(7 rows)
+```
+
+Sort domains supporting IPv6 by their popularity - remove `NOT` to show IPv4 only domains.
+
+```
+interceptor=# SELECT query_string, COUNT(*) AS total FROM response_logs WHERE NOT ipv6_ready IS NULL GROUP BY query_string ORDER BY total DESC LIMIT 10;
+             query_string             | total 
+--------------------------------------+-------
+ signaler-pa.clients6.google.com      |    61
+ ssl.gstatic.com                      |    53
+ todoist.com                          |    39
+ play.google.com                      |    38
+ www.google.com                       |    26
+ calendar.google.com                  |    23
+ notify.bugsnag.com                   |    22
+ monkeybreadsoftware.de               |    22
+ e673.dsce9.akamaiedge.net            |    18
+ googlehosted.l.googleusercontent.com |    17
+(10 rows)
+
+interceptor=# SELECT query_string, COUNT(*) AS total FROM response_logs WHERE ipv6_ready IS NULL GROUP BY query_string ORDER BY total DESC LIMIT 10;
+                     query_string                     | total 
+------------------------------------------------------+-------
+ api.software.com                                     |   456
+ github.com                                           |   133
+ ipv4only.arpa                                        |    54
+ s3.amazonaws.com                                     |    49
+ mcs-spinnaker-2103948255.us-east-2.elb.amazonaws.com |    44
+ d27xxe7juh1us6.cloudfront.net                        |    30
+ edgeapi.slack.com                                    |    29
+ slack.com                                            |    23
+ stream.pushbullet.com                                |    20
+ e6987.a.akamaiedge.net                               |    20
+(10 rows)
 ```
 
 ## License