Just realized I forgot to include a link: https://www.nospaceships.com/products/dns-logger.html

Mick

On Wed, Apr 11, 2018 at 10:37 PM, Mick Lee <lmick5...@gmail.com> wrote:
> Hi All,
>
> Some time ago I posted about capturing DNS activity (queries and responses)
> for both BIND and Windows DNS, and my colleague had a tool which he ported
> to Windows for me. This tool is called dns-logger.
>
> His company, NoSpaceships, has just released the dns-logger product,
> available free for anyone to use.
>
> It currently supports JSON and ISC BIND formatted Syslog based messages
> (and also includes responses). They have indicated they look to support
> dnstap as an output format too (useful if you are not running BIND).
>
> This may be a little off-topic, but I thought I would post anyway since I
> am finding it quite useful.
>
> Hopefully someone will find this useful.
>
> Mick
>
> On Tue, Aug 15, 2017 at 5:29 PM, Mick Lee <lmick5...@gmail.com> wrote:
>
>> Forgot to CC the list.
>>
>> ---------- Forwarded message ----------
>> From: Mick Lee <lmick5...@gmail.com>
>> Date: Sat, Aug 12, 2017 at 6:55 PM
>> Subject: Re: BIND and Windows DNS logging and archiving
>> To: Phil Mayers <p.may...@imperial.ac.uk>
>>
>>
>> Thanks,
>>
>> I checked and it doesn't look like dnscap would work with little change
>> :( Anyway, my colleague has now implemented a similar tool called
>> dns-activity-logger.
>>
>> I mention it here since it does DNS response logging, specifically for IP
>> addresses. You get output similar to BIND query logging for responses too:
>>
>> # Response logging is like query logging, but you get rcode, ans-count,
>> # auth-count, add-count and a space separated list of IPs from the answer
>> # section if any
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
>> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
>>
>> It streams Syslog messages out in real-time over TCP, supports
>> auto-failover in case one Syslog server goes down, and buffers in memory so
>> it doesn't require any disk I/O.
>>
>> My initial use case was Windows, but after seeing the response logging I
>> think I will disable BIND query logging and just use this.
>>
>> He's willing to make it available to the general public if there is any
>> interest.
>>
>> Cheers
>>
>> Mick
>>
>> On Sun, Jul 23, 2017 at 5:15 PM, Phil Mayers <p.may...@imperial.ac.uk>
>> wrote:
>>
>>> On 23/07/2017 15:16, Mick Lee wrote:
>>>
>>>> I have a colleague who has said he has parts of a PCAP to BIND query
>>>> log agent that runs on UNIX platforms, and he is happy to port that to
>>>> Windows for me - he's actually working on it now (for a few beers :) ).
>>>>
>>>
>>> dnscap basically does the same thing. No idea how easy it would be to
>>> run under Windows.
>>>
>>> Absent changes to the resolving setup, I think that a capture/tap is
>>> probably your only realistic option.
>>>
>>> Depending on your architecture (physical, virtual, topology) the tap
>>> could live on another box, if all you need is to know that server A made a
>>> query for badzone B.
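Added example (not part of the thread, and not code from dns-activity-logger or NoSpaceships): a parser for the query/response syslog lines quoted above, plus the "did server A ask for badzone B, and what did it get back" check Phil describes, run over constructed sample lines. The regex is derived only from the four www.apple.com lines in the thread; the badzone.example, static.example.org, nope.invalid and sshd lines, the addresses 203.0.113.x / 198.51.100.10, and the assumption that an empty answer list is rendered as a bare trailing colon (`NXDOMAIN 0 1 0:`) are all my additions. Note the tap sees both legs of a forwarded lookup (client to server, then server to upstream), so the check takes the resolvers' own addresses and skips those lines to avoid double-counting and to attribute the hit to the end client.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample input. The four www.apple.com lines are copied from the thread; the
# rest are assumptions added to exercise a zone match, an answer-IP match, an empty answer
# list (assumed to appear as a bare trailing colon) and a non-DNS syslog line.
SAMPLE_LOG = """\
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
Aug 12 17:47:31 dns01 dns-activity-logger[6476]: client 192.168.1.42#50210: query: cdn.badzone.example IN A + (192.168.1.200)
Aug 12 17:47:31 dns01 dns-activity-logger[6476]: client 192.168.1.200#61290: query: cdn.badzone.example IN A + (192.168.1.1)
Aug 12 17:47:31 dns01 dns-activity-logger[6476]: client 192.168.1.200#61290: response: cdn.badzone.example IN A + (192.168.1.1) NOERROR 1 0 0: 203.0.113.7
Aug 12 17:47:31 dns01 dns-activity-logger[6476]: client 192.168.1.42#50210: response: cdn.badzone.example IN A + (192.168.1.200) NOERROR 1 0 0: 203.0.113.7
Aug 12 17:47:40 dns01 dns-activity-logger[6476]: client 192.168.1.77#40001: query: static.example.org IN A + (192.168.1.200)
Aug 12 17:47:40 dns01 dns-activity-logger[6476]: client 192.168.1.77#40001: response: static.example.org IN A + (192.168.1.200) NOERROR 2 0 0: 198.51.100.10 203.0.113.9
Aug 12 17:47:45 dns01 dns-activity-logger[6476]: client 192.168.1.42#50211: query: nope.invalid IN A + (192.168.1.200)
Aug 12 17:47:45 dns01 dns-activity-logger[6476]: client 192.168.1.42#50211: response: nope.invalid IN A + (192.168.1.200) NXDOMAIN 0 1 0:
Aug 12 17:47:50 dns01 sshd[100]: Accepted publickey for root from 192.168.1.5 port 5000
"""

# Field layout inferred from the sample lines only: syslog prefix, "client IP#port:",
# kind, "name class type flags (address)", then for responses
# "RCODE ans-count auth-count add-count: ip ip ...". The trailing ':?' and empty
# answer list are assumptions for responses with no A/AAAA records.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"dns-activity-logger\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?P<kind>query|response): (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<dest>[0-9a-fA-F.:]+)\)"
    r"(?: (?P<rcode>[A-Z]+) (?P<ans>\d+) (?P<auth>\d+) (?P<add>\d+):?(?P<answers>.*))?$"
)


@dataclass
class DnsEvent:
    timestamp: str
    host: str                     # syslog host that emitted the line
    client: str                   # source address of the DNS packet
    port: int
    kind: str                     # "query" or "response"
    qname: str
    qclass: str
    qtype: str
    flags: str
    dest: str                     # address the query was sent to (the parenthesised field)
    rcode: Optional[str] = None   # responses only
    counts: Optional[Tuple[int, int, int]] = None   # (answer, authority, additional)
    answers: List[str] = field(default_factory=list)  # IPs from the answer section


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one syslog line; return None for lines this format does not cover."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    counts = None
    if m["rcode"] is not None:
        counts = (int(m["ans"]), int(m["auth"]), int(m["add"]))
    return DnsEvent(
        timestamp=m["ts"], host=m["host"], client=m["client"], port=int(m["port"]),
        kind=m["kind"], qname=m["qname"], qclass=m["qclass"], qtype=m["qtype"],
        flags=m["flags"], dest=m["dest"], rcode=m["rcode"], counts=counts,
        answers=(m["answers"] or "").split(),
    )


def parse_log(text: str) -> List[DnsEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or anything below it (case-insensitive, trailing dot ok)."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)


def find_hits(events: List[DnsEvent], bad_zones: Set[str], bad_ips: Set[str],
              resolvers: Set[str]) -> List[Tuple[str, str, Optional[str], Tuple[str, ...]]]:
    """Responses that name a watched zone or carry a watched IP in the answer section.
    Lines whose client is one of our own resolvers are the server-to-upstream leg of a
    forwarded lookup and are skipped so each hit is attributed to the originating client."""
    hits = []
    for ev in events:
        if ev.kind != "response" or ev.client in resolvers:
            continue
        if any(in_zone(ev.qname, z) for z in bad_zones) or any(a in bad_ips for a in ev.answers):
            hits.append((ev.client, ev.qname, ev.rcode, tuple(ev.answers)))
    return hits


if __name__ == "__main__":
    for hit in find_hits(parse_log(SAMPLE_LOG), {"badzone.example"}, {"203.0.113.9"},
                         {"192.168.1.200", "192.168.1.1"}):
        print("client %s asked for %s -> %s %s" % hit)
```

In the sample the apple lookup is logged four times (two queries, two responses) because the Windows server at 192.168.1.200 forwards to 192.168.1.1 and the tap sees both legs; that is also why the answer count is 4 while only one IP is listed, since CNAMEs in the answer section are not IPs. Feed real lines through parse_line first and inspect any that come back None before trusting the regex on a different tool version.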
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users