Mullvad_DNS (New Analyzer)

[AnshSinghal]

Closes #2756

Description

This PR adds the "Mullvad_DNS" analyzer. The analyzer queries Mullvad's DNS-over-HTTPS service (using the "base" endpoint) to check a domain's DNS records. It supports two modes:
-"query": Returns raw DNS answer data.
-"malicious": Interprets an NXDOMAIN (rcode==3) as the domain being blocked (i.e., malicious).

Type of change

Please delete options that are not relevant.

• New feature (non-breaking change which adds functionality).

Checklist

• I have read and understood the rules about how to Contribute to this project
• The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
  • I strictly followed the documentation "How to create a Plugin"
  • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
  • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks.
  • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
  • I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
• I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
• If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.
• After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

• If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
• Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review by using GitHub's reviewing system detailed here.

Raw Json for "malicious mode"

"analyzer_reports": [
    {
        "name": "Mullvad_DNS",
        "process_time": 5.45,
        "status": "SUCCESS",
        "end_time": "2025-02-20T16:29:18.921513Z",
        "parameters": {
            "mode": "malicious"
        },
        "type": "analyzer",
        "id": 6,
        "report": {
            "note": "Domain is blocked by Mullvad DNS content filtering.",
            "malicious": true,
            "observable": "mp3raid.com/music/krizz_kaliko.html"
        },
        "errors": [],
        "start_time": "2025-02-20T16:29:13.471848Z",
        "description": "This analyzer queries Mullvad's DNS-over-HTTPS service (using the \"base\" endpoint) to check a domain's DNS records. It supports two modes:\r\n- \"query\": returns raw DNS answer data.\r\n- \"malicious\": interprets an NXDOMAIN (rcode==3) as the domain being blocked (i.e., malicious).",
        "data_model": {}
    }
],

Raw Json for "query mode"

"analyzer_reports": [
    {
        "name": "Mullvad_DNS",
        "process_time": 3.12,
        "status": "SUCCESS",
        "end_time": "2025-02-20T16:19:16.859514Z",
        "parameters": {
            "mode": "query"
        },
        "type": "analyzer",
        "id": 2,
        "report": {
            "data": [
                "anshsinghal.tech. 1800 IN A 64.29.17.2\nanshsinghal.tech. 1800 IN A 66.33.60.34"
            ],
            "status": "success",
            "message": "DNS query for anshsinghal.tech completed successfully."
        },
        "errors": [],
        "start_time": "2025-02-20T16:19:13.735227Z",
        "description": "This analyzer queries Mullvad's DNS-over-HTTPS service (using the \"base\" endpoint) to check a domain's DNS records. It supports two modes:\r\n- \"query\": returns raw DNS answer data.\r\n- \"malicious\": interprets an NXDOMAIN (rcode==3) as the domain being blocked (i.e., malicious).",
        "data_model": {}
    }
],

[AnshSinghal]

@fgibertoni if you can please review

[g4ze]

to begin with, pls have a look at the comments i made and rectify.

[g4ze]

also, pls look into the ci error checks. It might be something related to a bad migration.

[AnshSinghal]

also, pls look into the ci error checks. It might be something related to a bad migration.

After carefully reviewing the CLI logs, my migration file and analyzer code, the issue seems to be due to environmental misconfigurations
missing .env.start.test
Docker image tag errors and an invalid export statement.

[g4ze]

umm no. just saw, your migration number is not right, it should be 152 technically and be dependant upon 151 :)

[g4ze]

could you let me know why support generic as well? maybe lmk an example?

[AnshSinghal]

Generic support covers full URLs with paths like 'mp3raid.com/music/krizz_kaliko.html' that don't clearly fall into 'domain' or 'url' categories.
example- urls like "mp3raid.com" returns NOERROR but mp3raid.com/music/krizz_kaliko.html returns NXDOMAIN.

[g4ze]

mp3raid.com/music/krizz_kaliko.html

should classify as a url, if not you'd have to make sure that you verify all the requests coming through generic that they are something similar to what you want and not random names or numbers

[AnshSinghal]

got it. I will remove the generic from the analyzer config

[g4ze]

just crosscheck with and without it once for a string like mp3raid.com/music/krizz_kaliko.html

[g4ze]

pls add docs as well

[AnshSinghal]

pls add docs as well

Sure! once the issues in the code gets resolved I will update the Usage docs as well in the final PR

[g4ze]

one more change and then i think @mlodic can have a look at it. lgtm.

[fgibertoni]

Thanks for your work, I added some considerations.

[AnshSinghal]

Hi @mlodic if this looks good can you please merge it so that I can work on another analyzer BBot.

[fgibertoni]

lgtm! thank you for your work @AnshSinghal!

[fgibertoni]

We can wait for Matteo's final feedback and merge but I think you can start working on the other analyzer. I assigned it to you 😄

[mlodic]

last little things and then we can merge

[mlodic]

for each log, it is important to keep track of the original observable, otherwise there is no way to distinguish one analyzer execution from another

[mlodic]

either debug level or removed

[mlodic]

observable reference missing