PDNS Privacy Shield

pDNS

What Is pDNS?

Passive DNS, short for Passive Domain Name System, is a tool commonly used for security and network monitoring purposes. While DNS (Domain Name System) serves as the protocol that translates human-readable domain names (such as www.google.com) into IP addresses for enabling communication between devices over the internet, pDNS goes a step further. Instead of actively querying DNS servers, pDNS passively records DNS query data that has already been made, either by other users, systems, or devices.

With pDNS, security teams can track the queries made to malicious domains, detect patterns of suspicious behavior, and even investigate incidents after they occur, without compromising the privacy of users. Usually, pDNS does not collect personally identifiable information; instead, it logs only anonymized DNS query data, making it an effective tool for cybersecurity monitoring while respecting user privacy.

Why pDNS privacy matters

As cyberattacks have become more sophisticated, modern threat actors often begin with reconnaissance, using techniques like T1590.002 (Gather Victim Network Information – DNS) and T1596.001 (Active Scanning – DNS/Passive DNS) from the MITRE ATT&CK framework to leverage DNS data for gathering critical information, affecting individual user browsing privacy and organization security.

Individual User browsing Privacy

pDNS records when accessed from the database can reveal browsing activities of users, which can be exploited by advertisers, trackers and malicious actors. This prevents users' anonymity and leaks sensitive behavioral information that can lead to phishing and targeted exploitation

Organizational Security

For organization unprotected pDNS data exposes valuable insights about their internal networks, external communication that attackers can use to either exploit business relations or plan intrusions like watering hole attacks

Installation Manual

Privacy Shield configuration

Clone the GitHub repository PDNS_PRIVACY using Git. You should have the following three folders:
- pdns_collector
- pdns_privacy_shield
- pdns_sensor

Create a virtual environment in every folder and install the packages listed in requirements.txt

Windows (PowerShell)

python -m venv .venv
.\.venv\Scripts\Activate.ps1
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
pip install -r .\requirements.txt

macOS (Terminal)

python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt

Linux (Ubuntu)

python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt

Provide the appropriate argument value for each of the components
Privacy Shield
- Today's Password - Obtain the password from the Passive DNS Dashboard
- GUID - obtained from user.db
- IP address - Host's IP address
- Username - obtained from database.py under pdns_privacy_shield
- Password - obtained from database.py under pdns_privacy_shield
Sensor
- Sensor ID - Create your own ID
- Today's Password - Must match the password entered in pdns_privacy_shield
- IP address:port number - Provide the IP address and port number of the Sensor Dashboard instance.
*The collector runs without any arguments

Persistent Service Configuration

Reliable, long-running processes are essential for system stability. To achieve this, we can configure the application as a persistent service using the appropriate system service manager for each OS.

repeat the steps below for privacyshield.pyand collector.py as well

Systemd (Linux)

Create a new service file:

sudo nano /etc/systemd/system/<SERVICE_NAME>.service

Define how the service runs:

[Unit]
Description=PDNS Sensor
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=/opt/pdns_sensor
ExecStart=<PYTHON_PATH> https_sensor.py <SENSOR_ID> <TODAY_PASSWORD> <IP_ADDRESS:PORT>
Restart=always
RestartSec=5
User=root
Environment=PYTHONUNBUFFERED=1

[Install]
WantedBy=multi-user.target

Reload systemd:

sudo systemctl daemon-reload

Start the service:

sudo systemctl start <SERVICE_NAME>

Enable at boot:

sudo systemctl enable <SERVICE_NAME>

Check status:

systemctl status <SERVICE_NAME>

launchd (macOS)

Create a new .plist file:

nano ~/Library/LaunchAgents/<SERVICE_NAME>.plist

Add configuration:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>

  <key>Label</key>
  <string><SERVICE_NAME></string>

  <key>WorkingDirectory</key>
  <string><PATH_TO_PROJECT_DIRECTORY></string>

  <key>ProgramArguments</key>
  <array>
      <string><PATH_TO_PYTHON></string>
      <string><SCRIPT_NAME></string>
      <string><SENSOR_ID></string>
      <string><TODAY_PASSWORD></string>
      <string><IP_ADDRESS:PORT></string>
  </array>

  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>

  <key>EnvironmentVariables</key>
  <dict>
      <key>PYTHONUNBUFFERED</key>
      <string>1</string>
  </dict>

</dict>
</plist>

Load the service:

launchctl load ~/Library/LaunchAgents/<SERVICE_NAME>.plist

Start it manually:

launchctl start <SERVICE_NAME>

Check status:

launchctl list | grep <SERVICE_NAME>

Task Scheduler (Windows)

Create a task.xml file:

task.xml

Add configuration:

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">

  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>

  <Principals>
    <Principal id="Author">
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>

  <Actions Context="Author">
    <Exec>
      <Command><PYTHON_PATH></Command>
      <Arguments><SCRIPT_NAME> <SENSOR_ID> <TODAY_PASSWORD> <IP_ADDRESS:PORT></Arguments>
      <WorkingDirectory><WORKING_DIRECTORY></WorkingDirectory>
    </Exec>
  </Actions>

</Task>

Register task:

schtasks /Create /TN "<SERVICE_NAME>" /XML task.xml /F

Start service:

schtasks /Run /TN "<SERVICE_NAME>"

Check last run:

schtasks /Query /TN "<SERVICE_NAME>" /V /FO LIST

Delete:

schtasks /Delete /TN "<SERVICE_NAME>" /F

Future Work

Pursuing ISP Authorization for Controlled IP Spoofing

Our team aims to gain recognition for its efforts in contributing to a safer cyberspace by encouraging broader participation from pDNS data providers. However, to reduce maintenance costs and streamline long-term operations, it is desirable to secure support from a trusted local entity to serve as an intermediary for hosting the Passive DNS Privacy Shield. This would enable local pDNS data providers to route their data through this entity instead of relying on a foreign VPS. To realize this approach, cooperation from local ISPs would be necessary—specifically, to grant special permissions for allowing packets with spoofed IP addresses from a designated address pool to be transmitted to these trusted intermediaries.

Enhancing Sensor Compatibility and Deployment Efficiency

Our team acknowledges the complexity involved in developing pDNS data sensors compatible with a wide range of platforms and hardware used by different organizations. To support the majority of enterprise and commercial-grade routers, future work will focus on identifying commonly used models, understanding their requirements and limitations, and providing precompiled versions of the pDNS data sensor. This would eliminate the need for organizations to perform compilation or cross-compilation themselves. Instead, they would simply select the appropriate version from a list of supported sensors, deploy it to their system, and execute it.

Maintenance Framework for Long-Term Sustainability

For the proposed initiative to be scalable and viable for long-term adoption, particularly by larger and/or international organizations, it is essential to establish a robust maintenance and support framework for all project components. This includes the continual maintenance and expansion of the pDNS data sensor repository, as well as the regular updates and patch management for the Passive DNS Privacy Shield. Without such a system in place, the effectiveness and reliability of the solution would diminish over time as new technologies and platforms emerge.

Regular update of pDNS data respository

As new operating systems and router firmware versions, and embedded platforms are released, new versions of sensors will need to be developed, compiled, and made available. There must be a process in place to track these updates and ensure the range of supported environments for the sensors are supported. In parallel, the Passive DNS Privacy Shield needs to undergo regular updates as well. These updates may include new forms of encryption and performance improvements. To manage this effectively, a formal versioning system should be implemented, along with thorough changelog documentation and testing protocols to ensure stability and backward compatibility.

Standard Operating Procedures(SOPs)

A set of Standard Operating Procedures (SOPs) established to govern the maintenance process and cycle. These SOPs should define how frequently the components should be reviewed or updated, and who is responsible for these tasks. For instance, a quarterly update schedule may be adopted for regular enhancements, while critical issues should trigger immediate patching workflows.

Feedback and pDNS data provider support system

There should be a feedback and pDNS data provider support system implemented to address the queries and technical difficulties. This would help foster trust, encourage continued participation, and ensure smoother integration and troubleshooting processes. However, it is important to note that during this process, the identity of the pDNS data provider is not exposed at any point.

Maintaining anonymity with TOR

The Privacy shield can be further enhanced by encorporating TOR to maintain anonymity of organizations. BY routing DNS queries through th TOR network, we can ensure that the user's real IP address is hidden and that their online activity remains anonymous. This prevents third parties from tracing the origin of the query. Furthermore, by employing DNS-over-Tor (DoT) or DNS-over-HTTPS (DoH) protocols, you can encrypt DNS traffic and prevent eavesdropping while it traverses the Tor network. This end-to-end encryption and routing through Tor's anonymous network significantly mitigate the risk of identity exposure and traffic analysis, thus enhancing the overall privacy and anonymity of your users

Expanding the network

Sensor Usability

We are now aiming to expand usability by including alternative sensors like IOS and android.This expansion aims to make the Privacy Shield more accessible to a broader range of users and organizations, ensuring that privacy protection is seamless across various platforms. Additionally, we plan to integrate mobile-specific features, including privacy alerts and device-specific optimizations, to further enhance both anonymity and the overall user experience. This will allow us to provide a more robust, versatile, and user-friendly privacy solution, catering to the evolving needs of users across diverse devices.

Co-working sensors and shields

We are also aiming on xpanding the Privacy Shield into a distributed and collaborative network consisting of multiple sensors and multiple Privacy Shield instances operating together. Instead of a single centralized deployment, sensors may be deployed across different organizations, networks, and geographical locations, each forwarding anonymized pDNS data to one or more Privacy Shields

In this expanded architecture, multiple Privacy Shields can operate in parallel and exchange selected anonymized threat intelligence, enabling broader visibility into emerging DNS-based threats while avoiding a single point of failure. This federated approach improves scalability, resilience, and fault tolerance, allowing the system to grow as participation increases.

Development Setup

WORKSPACE SETUP ⌄

Follow steps 1 and 2 from the Installation Manual before moving on to step 2

Create launch.json files for all 3 folders:

Dont know where to get the arguments from?

Follow step 3 from the Installation Manual

pdns_sensor

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "pdns_sensor",
      "type": "debugpy",
      "request": "launch",
      "program": "https_sensor.py",
      "console": "integratedTerminal",
      "args": ["Make up your own sensor ID (Sensor-ID)", "Today's Password", "ip:privacy_shield port"]
    }
  ]
}

pdns_privacy_shield

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "pdns_privacy_shield",
      "type": "debugpy",
      "request": "launch",
      "program": "privacyshield.py",
      "console": "integratedTerminal",
      "args": ["Today's password", "Guid-found in user.db", "ip", "username", "Password"]
    }
  ]
}

pdns_collector

{
  "version": "0.2.0",
  "configurations": [
    {
      "name": "pdns_collector",
      "type": "debugpy",
      "request": "launch",
      "program": "collector.py",
      "console": "integratedTerminal"
    }
  ]
}

ROUTER SETUP ⌄

Cross-Compilation Setup

Install Dependencies

Ubuntu / Debian (WSL Dependent)

sudo apt update
sudo apt install -y \
  build-essential g++ git rsync bash diffutils wget \
  unzip xz-utils zstd pkg-config gawk sed bison flex \
  perl file python3

macOS (Homebrew)

brew update
brew install make gcc git wget unzip xz gawk rsync \
  bash perl zstd

Fedora

sudo dnf install -y \
  make gcc-c++ git rsync bash diffutils wget unzip \
  xz xz-devel zstd pkg-config gawk sed bison flex \
  perl file python3

CentOS / RHEL

sudo yum install -y \
  make gcc-c++ git rsync bash diffutils wget unzip \
  xz xz-devel zstd pkg-config gawk sed bison flex \
  perl file python3

Download the Qualcomm IPQ60xx SDK
Browse downloads.openwrt.org and navigate to targets/qualcommax/ipq60xx/ to grab the SDK tarball.

Then extract the SDK
```
cd ~
tar --use-compress-program=unzstd -xf openwrt-sdk-*.tar.zst
cd openwrt-sdk-qualcommax-ipq60xx_*
```

Prepare feeds

Inside SDK folder

echo "src-git packages https://git.openwrt.org/feed/packages.git
src-git luci https://git.openwrt.org/project/luci.git
src-git routing https://git.openwrt.org/feed/routing.git
src-git telephony https://git.openwrt.org/feed/telephony.git" > feeds.conf

Update:


./scripts/feeds update -a
./scripts/feeds install -a

Build required libraries
```
make package/libpcap/compile V=s
make package/openssl/compile V=s
make package/curl/compile V=s
```
Outputs appear inside staging_dir/target-aarch64_cortex-a53_musl/usr/include and taging_dir/target-aarch64_cortex-a53_musl/usr/lib.

Compile https_sensor.c

Use the SDK’s built-in cross-compiler:

export STAGING=staging_dir/target-aarch64_cortex-a53_musl
export TOOLCHAIN=staging_dir/toolchain-aarch64_cortex-a53_gcc-14.3.0_musl
export TARGET_CC=/bin/aarch64-openwrt-linux-musl-gcc

Now compile your sensor using Static binary


$TARGET_CC -static -O2 -Wall \
  -I$STAGING/usr/include \
  -L$STAGING/usr/lib \
  /location_of_file\
  -lpcap -lcurl -lssl -lcrypto\
  -o sensor

Copy binary to router

scp sensor root@router_ip_address:/tmp/sensor

Run on router

ssh root@192.168.0.1
chmod +x /tmp/sensor
/tmp/sensor

Sensors

Sensors form the data collection layer of the pDNS Privacy Shield architecture and are responsible for forwarding passive DNS data to the Privacy Shield. These sensors are deployed across heterogeneous environments, ranging from desktop computers and servers to embedded network routers. These platforms differ significantly in CPU capability, available memory, storage capacity, and supported software dependencies. As a result, a single sensor implementation would be inefficient or infeasible across all deployment scenarios.

To address this, multiple sensor implementations were developed and tailored for both resource-rich PC/server environments and resource-constrained routers. This design ensures efficient operation across diverse platforms without compromising performance, reliability, or privacy guarantees.

To evaluate these design choices, different packet sniffing implementations were benchmarked and compared in terms of CPU load, memory usage, storage consumption, and traffic captured, as summarised in the table below

Performance of Each Sniffer
Sniffer	Peak CPU Load (1 Minute)	Memory (Used)	Memory (Free)	Memory (Cached)	Storage (Space Used)	Traffic Captured (Packets)
Baseline	0.00	~190MB	~180MB	~30MB	~290KB	N/A
Tcpdump	0.03	~210MB	~170MB	~36MB	~6MB	16894
PassiveDNS	0.06	~226MB	~152MB	~56MB	~10MB	9528
Python Scapy Sniffer	0.38	~294MB	~83MB	~63MB	~16MB	3103

Sensors Used

PC/Servers (Python Based)

The PC/server sensor was implemented in Python and serves as the primary platform for development, testing, and full-scale deployments in resource-rich environments. As shown in the table above, the Python Scapy sniffer incurs higher CPU load, memory usage, and storage consumption compared to lightweight native sniffers. This overhead is primarily due to the Python interpreter and its associated libraries.

Despite this, Python was selected for its flexibility, extensive library ecosystem, and ease of debugging, which enabled rapid development and iteration of encryption, anonymization, and data transmission logic. In PC and server environments, where CPU, memory, and storage resources are readily available, these overheads remain acceptable and do not impact system stability or performance. As a result, the Python-based sensor is well suited for development, testing, and feature-rich deployments where maintainability and extensibility are prioritised.

Routers (Compiled Binary)

Routers are typically front-line devices that capture DNS traffic at the network edge. They operate in highly resource-constrained environments, often offering limited RAM, flash storage, and minimal software support. This is evident from the router configuration shown, where only approximately 30 MiB of RAM and 7.5 MiB of storage remain available.

To accommodate these constraints, the router sensor was implemented as a compiled binary targeting the aarch64 architecture. This approach eliminates the need for an interpreter or external runtime dependencies, significantly reducing both memory and storage requirements.

As reflected in the performance table, tools such as tcpdump and PassiveDNS exhibit substantially lower CPU and memory usage compared to the Python-based Scapy sniffer. These tools are implemented in C, a compiled language that is highly efficient and well suited for constrained environments. Their low overhead enables continuous packet capture on routers without degrading packet forwarding performance or system stability

In addition, packages like Tcpdump installed via package managers such as apk are extensively tested and maintained by official developers. They are optimized for performance, built with minimal dependencies, and free from unnecessary or redundant code that could introduce overhead. In contrast, open-source tools like PassiveDNS may include extra code for flexibility or extended features, which, while useful, can result in slightly higher resource usage and less streamlined performance

Summary

In conclusion, supporting multiple sensor implementations is necessary to ensure compatibility across a wide range of deployment environments. While Python-based sensors are suitable for PCs and servers due to their flexibility and ease of development, routers require lightweight, resource-efficient solutions. Since embedded systems typically lack a Python interpreter and operate under strict resource constraints, compiled C-based sniffers provide superior performance, lower memory usage, and greater compatibility. This platform-specific approach enables efficient and reliable pDNS data collection across the entire Privacy Shield architecture

The Shield

Why It Matters

Protection

Real-Time threat Intelligence

Open-Source

Insights

pDNS

Project Overview

Future Work

Sensors

Development Setup

Installation Manual

OUR TEAM

Alice Tan

John Doe

Jane Smith

Alice Tan

Contributors & Partners

Open Source Org

XYZ Corp

Join Us