DNS logs Anonymization


I’ve just started using Zeek to collect DNS logs by running it from the CLI. I want to anonymize the IPs contained in these logs. How should I go about it?



We wrote a C++ program that uses the CryptoPANT library (https://ant.isi.edu/software/cryptopANT/index.html). We first considered using CryptoPAN (https://www.cc.gatech.edu/computing/Telecomm/projects/cryptopan/ ; seems to be unavailable at the moment) but found the other library much easier to use and it is actively maintained.



There are multiple ways to go about it. One consideration is whether or not you want to be able to map back to the original IP from the anonymized one. Another consideration is if you intend to anonymize every IP in the log, or just specific IPs/subnets.

You could post-process the logs like Mark suggested with something like CryptopANT. In addition to the lib they provide an example binary called scramble_ips that might do what you need.

You could also do this (sort of) in Zeek script within a DNS::log_dns event handler. There is a BIF called remask_addr (https://docs.zeek.org/en/stable/scripts/base/bif/zeek.bif.zeek.html#id-remask_addr) that allows you to take subnet bits from one address and host bits of another and combine them to create a new address. Here’s an example of its usage: http://try.zeek.org/#/tryzeek/saved/364768. I say “sort of” because the original IPs aren’t truly anonymized, they are mapped into a new subnet. But that might obscure the real addresses enough - it depends on your requirements.
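The post-processing route from the reply above, with both of its considerations (reversible or not, every address or only chosen subnets) made concrete, as an added example that is not from the thread, from cryptopANT or from Zeek. It implements a Crypto-PAn style prefix-preserving scheme with HMAC-SHA256 as the per-bit PRF rather than calling the cryptopANT library, so it is a stand-in for scramble_ips, not a drop-in: outputs will not match cryptopANT's. The dns.log excerpt, the column names it rewrites (id.orig_h, id.resp_h) and the key are constructed for the example; the key is a placeholder that must be replaced and kept away from the anonymized logs, because anyone holding it can undo the mapping.

```python
"""Prefix-preserving anonymization of IPs in a Zeek TSV dns.log (added example)."""
import hashlib
import hmac
import ipaddress

# Placeholder key for the example: generate a real one with secrets.token_bytes(32)
# and store it outside the log pipeline. With the key the mapping is reversible.
KEY = b"example-key-change-me-32-bytes!!"

# Constructed Zeek dns.log excerpt (real logs carry more columns; the header
# lines are passed through untouched so downstream Zeek tooling still parses it).
SAMPLE_DNS_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery
#types\ttime\tstring\taddr\tport\taddr\tport\tstring
1588000000.100000\tCHhAvVGS1DHFjwGM9\t192.168.1.55\t53211\t192.168.1.1\t53\texample.com
1588000000.200000\tC4J4Th3PJpwUYZZ6gc\t192.168.1.77\t40101\t192.168.1.1\t53\tzeek.org
1588000000.300000\tCtPZjS20MLrsMUOJi2\t2001:db8::10\t40102\t2001:db8::1\t53\texample.net
#close\t2020-04-27-16-00-00
"""


class PrefixPreservingAnonymizer:
    """Crypto-PAn style scheme: output bit i = input bit i XOR PRF_key(i, original
    top-i bits). Addresses sharing their top n bits therefore map to addresses
    sharing their top n bits, and the mapping is a keyed bijection per address
    family, so it can be inverted by whoever holds the key."""

    def __init__(self, key: bytes, only_subnets=None):
        if len(key) < 16:
            raise ValueError("use a key of at least 16 random bytes")
        self.key = key
        # Optional scope: addresses outside these networks are left as they are.
        self.only = [ipaddress.ip_network(s) for s in (only_subnets or [])]

    def _pad_bit(self, version: int, i: int, orig_prefix: int) -> int:
        msg = bytes([version, i]) + orig_prefix.to_bytes(16, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[0] & 1

    def _scramble(self, addr, forward: bool):
        n = addr.max_prefixlen
        x, out, orig_prefix = int(addr), 0, 0
        for i in range(n):
            in_bit = (x >> (n - 1 - i)) & 1
            out_bit = in_bit ^ self._pad_bit(addr.version, i, orig_prefix)
            # The PRF is keyed on the ORIGINAL prefix: the input prefix when
            # anonymizing, the recovered (output) prefix when inverting.
            orig_prefix = (orig_prefix << 1) | (in_bit if forward else out_bit)
            out = (out << 1) | out_bit
        return addr.__class__(out)

    def anonymize(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        if self.only and not any(addr in net for net in self.only):
            return ip
        return str(self._scramble(addr, forward=True))

    def deanonymize(self, ip: str) -> str:
        if self.only:
            # Scrambled addresses can land anywhere, so with a subnet filter
            # there is no way to tell rewritten from untouched addresses.
            raise ValueError("inversion is only well-defined when every address was rewritten")
        return str(self._scramble(ipaddress.ip_address(ip), forward=False))


def anonymize_dns_log(text: str, anon: PrefixPreservingAnonymizer,
                      columns=("id.orig_h", "id.resp_h")) -> str:
    """Rewrite the addr columns of a Zeek TSV log; '#' header lines and the
    unset marker '-' pass through unchanged."""
    out, idx = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            idx = [fields.index(c) for c in columns if c in fields]
        elif line and not line.startswith("#"):
            cells = line.split("\t")
            for i in idx:
                if cells[i] != "-":
                    cells[i] = anon.anonymize(cells[i])
            line = "\t".join(cells)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(anonymize_dns_log(SAMPLE_DNS_LOG, PrefixPreservingAnonymizer(KEY)))
```

Pass only_subnets=["192.168.0.0/16"] to rewrite just your internal ranges and leave resolver or public addresses readable; drop the filter (and keep the key) if you need to map pseudonyms back to real hosts during an investigation. The scheme preserves subnet structure by design, which is what makes joins across logs possible but also what lets an analyst with side knowledge of your address plan narrow pseudonyms down, so treat the output as pseudonymized rather than anonymous.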