Analyze responses with drool and respdiff

With the release of drool version 1.99.2 (and dnsjit v0.9.5) and a tool-chain called respdiff it is now possible to replay a PCAP and compare the responses found in the PCAP with those received from the replay. TL;DR? Check below for an example!


dnsjit (developed by DNS-OARC) combines parts taken from dsc, dnscap and drool (from when it was still written in C), put together around Lua to create a script-based engine for easy capturing, parsing and statistics gathering of DNS messages, while also providing facilities for replaying DNS traffic.


drool (DNS Replay Tool, developed by DNS-OARC) can replay DNS traffic from packet capture (PCAP) files and send it to a specified server, with options such as to manipulate the timing between packets, as well as loop packets infinitely or for a set number of iterations.

drool is now a Lua script that uses dnsjit and this work has been sponsored by Comcast Innovation Fund.


respdiff (developed by CZ.NIC as part of the Knot project) is short for “response differences”, the name of a set of tools that gather answers to DNS queries from DNS servers and compare them based on specified criteria.

drool + respdiff

We (DNS-OARC and CZ.NIC) started a collaborative effort a few months back to use each other's tools. The aim is to have drool replay the traffic and gather the responses, and respdiff analyze them.

Example (yay!)

drool is packaged for most Linux distributions and is also compiled and tested on FreeBSD and OpenBSD, but respdiff has only just moved out from being an internal testing tool at CZ.NIC, so it may currently be trickier to get running. Here are two installation examples, first for Debian 9 and then for CentOS 7.

Debian 9 installation

CentOS 7 installation

Replay and analyze

Because respdiff needs a newer Python than what is available on CentOS 7, you will need to enable it in a new shell first (if you are testing on CentOS 7, of course).

Now get a DNS PCAP, replay it and run an analysis on the results.

Example output

Replay your own PCAP or analyze other things

To replay and analyze a different PCAP you need to know a few things:

  • The second argument to drool respdiff is the server name for the responses found in the PCAP and needs to exist in respdiff.cfg
  • The fourth argument to drool respdiff is the server name for the responses received when replaying and needs to exist in respdiff.cfg
  • drool respdiff can currently only replay against one host
  • The criteria in the diff section of respdiff.cfg control which fields are analyzed; see respdiff.cfg in its main repository for comments on each section
  • Re-run both and to redo or do a new analysis on an existing result
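As an added example (not code from drool, dnsjit or respdiff), the following standard-library Python sketches what the criteria list in the diff section does: each criterion names a field decoded from a wire-format response, and the response recorded in the PCAP and the one received on replay count as a mismatch only when one of the selected fields differs. The criterion names are borrowed from respdiff.cfg; the parsing, the comparison and the constructed sample responses are this example's own assumptions, not respdiff's implementation.

```python
import struct

# Header flag bits compared under the "flags" criterion: AA, TC, RD, RA, AD, CD
# (QR, opcode and rcode are handled as separate criteria).
FLAG_MASK = 0x0400 | 0x0200 | 0x0100 | 0x0080 | 0x0020 | 0x0010

# Criterion names follow those used in respdiff.cfg; the decoding and the
# comparison below are this example's own (assumption, not respdiff code).
DEFAULT_CRITERIA = ("opcode", "rcode", "flags", "question", "answertypes")


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg):
    """Extract the fields a criterion may refer to from a wire-format message."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    question = []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        question.append((name, qtype, qclass))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            sections[sec].append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
    return {
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": flags & FLAG_MASK,
        "question": tuple(question),
        "answertypes": tuple(sorted(rr[1] for rr in sections["answer"])),
        "answer": tuple(sorted(sections["answer"])),
        "authority": tuple(sorted(sections["authority"])),
        "additional": tuple(sorted(sections["additional"])),
    }


def compare(original, replayed, criteria=DEFAULT_CRITERIA):
    """Return {criterion: (value_in_pcap, value_on_replay)} for fields that differ."""
    a, b = parse_response(original), parse_response(replayed)
    return {c: (a[c], b[c]) for c in criteria if a[c] != b[c]}


def report(pairs, criteria=DEFAULT_CRITERIA):
    """Count, per criterion, how many (original, replayed) pairs disagree."""
    counts = {c: 0 for c in criteria}
    for original, replayed in pairs:
        for c in compare(original, replayed, criteria):
            counts[c] += 1
    return counts


# --- constructed sample messages (not captured traffic) ---------------------

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(qname, qtype, rcode, answers, flags=0x8180):
    """Build a one-question response; answers are (rtype, ttl, rdata) tuples.
    Answer owner names use a compression pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, (flags & ~0xF) | rcode,
                         1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", qtype, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
                   for rtype, ttl, rdata in answers)
    return header + question + rrs


ORIGINAL = build_response("example.com.", 1, 0, [(1, 3600, bytes([192, 0, 2, 1]))])
REPLAY_TTL_ONLY = build_response("example.com.", 1, 0, [(1, 300, bytes([192, 0, 2, 1]))])
REPLAY_SERVFAIL = build_response("example.com.", 1, 2, [])

if __name__ == "__main__":
    print(compare(ORIGINAL, REPLAY_TTL_ONLY))  # {} : TTL is not among the criteria
    print(compare(ORIGINAL, REPLAY_TTL_ONLY, DEFAULT_CRITERIA + ("answer",)))
    print(compare(ORIGINAL, REPLAY_SERVFAIL))
    print(report([(ORIGINAL, REPLAY_TTL_ONLY), (ORIGINAL, REPLAY_SERVFAIL)]))
```

With the default criteria the replay that only changed the TTL is reported as identical, while the SERVFAIL replay shows up under both rcode and answertypes; adding answer to the criteria makes the TTL difference visible too. That is the trade-off the criteria list in respdiff.cfg exists to control: which differences between the PCAP responses and the replayed responses you consider noise and which you want counted.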

Still early development…

Please note that this is still in early development and things are missing or possibly broken, but we would nonetheless be very happy if you can find the time to test this a bit and report any issues you discover or any other feedback you would like to give!

Jerry Lundström (DNS-OARC) & Petr Špaček (CZ.NIC)

Domain Name System Operations Analysis and Research Center
