LinuxQuestions.org
Old 01-16-2022, 11:27 PM   #1
//////
Member
 
Registered: Nov 2005
Location: Land of Linux :: Finland
Distribution: Arch Linux && OpenBSD 7.4 && Pop!_OS && Kali && Qubes-Os
Posts: 824

Perl - OpenBSD : what module would be best for logging DNS requests?


Hello guys / gals.

I would like to log my network's DNS requests, just to compare those to bad_hosts and malware_domains lists.

I don't need a written script, just a friendly nudge towards the right (module) direction :P
 
Old 01-17-2022, 10:59 AM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,617

Quote:
Originally Posted by //////
Hello guys / gals.

I would like to log my network's DNS requests, just to compare those to bad_hosts and malware_domains lists.

I don't need a written script, just a friendly nudge towards the right (module) direction :P
1. Are you using your own nameserver, or trying to do this at the client side?
2. What are you running, and a bit about the hardware and network please?
 
Old 01-17-2022, 11:18 AM   #3
//////
Original Poster
Quote:
Originally Posted by wpeckham
1. Are you using your own nameserver, or trying to do this at the client side?
2. What are you running, and a bit about the hardware and network please?
Thanks bud for the reply.

Client side, basically I just need a packet sniffer which listens on tcp/udp 53 and writes them to dns_log.txt.
I think some DNS traffic uses HTTPS, am I right? If that's the case I can't sniff it.

I use the 8.8.8.8 and 8.8.4.4 nameservers <- Google's nameservers.

Using OpenBSD. On Linux there is a program called "passivedns"; I have tried to compile it on BSD but couldn't do it.
https://github.com/gamelinux/passivedns

On my Linux box I use ^that program to log DNS traffic; I need to do that now on OpenBSD, and with Perl.
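The parsing half of the sniffer described above, as an added example that is not code from the thread: it decodes the question section of a DNS query in wire format (RFC 1035, including compression pointers, with a guard against pointer loops) and checks the name and its parent domains against a blocklist, the way a dns_log.txt entry would be checked against bad_hosts. The packet bytes and the blocklist are constructed inline; on a live system the UDP payload would come from a capture library such as Net::Pcap after the Ethernet/IP/UDP headers are stripped, which is assumed here rather than shown.

```perl
use strict;
use warnings;
# Constructed sample query payload (no Ethernet/IP/UDP headers): id 0x1234, flags 0x0100 (RD),
# 1 question, 0 other records; question is www.example.com, QTYPE A (1), QCLASS IN (1).
my $payload = pack('n6', 0x1234, 0x0100, 1, 0, 0, 0)
            . "\x03www\x07example\x03com\x00" . pack('n2', 1, 1);
# Constructed blocklist standing in for bad_hosts / malware_domains.
my %bad = map { $_ => 1 } qw(example.com evil.test);

# Decode a DNS name at $off, following compression pointers (RFC 1035 4.1.4);
# returns the lowercase dotted name and the offset just past the name field at $off.
sub read_name {
    my ($buf, $off) = @_;
    my (@labels, $end, $jumps);
    while (1) {
        die "truncated name\n" if $off >= length $buf;
        my $len = ord substr $buf, $off, 1;
        if (($len & 0xC0) == 0xC0) {             # 2-byte pointer to an earlier name
            die "pointer loop\n" if ++$jumps > 16;
            $end //= $off + 2;                   # caller resumes after the pointer
            $off = unpack('n', substr $buf, $off, 2) & 0x3FFF;
            next;
        }
        $off++;
        last if $len == 0;                       # root label ends the name
        push @labels, substr $buf, $off, $len;
        $off += $len;
    }
    return (lc join('.', @labels), $end // $off);
}

sub parse_questions {                            # question names of a query; responses (QR set) are skipped
    my ($buf) = @_;
    die "short packet\n" if length $buf < 12;
    my (undef, $flags, $qdcount) = unpack 'n3', $buf;
    return () if $flags & 0x8000;
    my ($off, @names) = (12);
    for (1 .. $qdcount) {
        (my $name, $off) = read_name($buf, $off);
        push @names, $name;
        $off += 4;                               # skip QTYPE and QCLASS
    }
    return @names;
}

sub is_listed {                                  # name or any parent domain on the list
    my @parts = split /\./, shift;
    while (@parts) { return 1 if $bad{ join '.', @parts }; shift @parts }
    return 0;
}

printf "%s %s\n", $_, is_listed($_) ? 'LISTED' : 'ok' for parse_questions($payload);
```

Only the plaintext UDP/TCP port 53 path is covered; lookups sent over DNS over HTTPS or TLS never reach this parser, which is the gap the reply above points at.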
 
Old 01-17-2022, 12:03 PM   #4
wpeckham
LQ Guru
I have run my own DNS server (caching and forwarding) in my home network, and could set its logs to provide information that would serve this purpose. That would be easy.

To do this on the client side, and where some or all requests may use encrypted DNS, might take some research into the network and require a special kernel module. That sounds like a fun project, but I have no resources to spend on that right now.

It might be somewhat workable to track just traditional resolution calls going out to your nameserver. Perhaps a better option would be to install and use something like DNSMASQ and cache name service directly on your client. This has the advantage of reducing DNS calls going outside your box, speeding up some kinds of network activity (in some cases a lot), and providing you something that can LOG all of that traffic. That is the solution I would check out before setting out to reinvent the horse.

Keep in mind that you are creating a log that can, unless managed, grow without bound. You must consider and manage your log size and storage space. Logrotate can be your friend here, but make sure that it can only run after you have parsed the data you need out of the logs.

All of this, of course, assumes that the logging is your goal. If your real goal is to write a PERL script then we need a different solution path.

Old 01-17-2022, 12:51 PM   #5
//////
Original Poster
Yeah, I think I could set up my own DNS server; I like to practice new things.
My box has a 100G var partition and a 1.3T home partition, so DNS logs can be as big as they get.

Now I have to read about DNS servers.

Thanks.
 
Old 01-18-2022, 10:18 AM   #6
wpeckham
For this purpose BIND would be overkill. You only need a caching DNS server that can log activity. There are smaller and faster options than BIND for that, and they are generally easier to understand and manage.
 
Old 01-18-2022, 02:05 PM   #7
//////
Original Poster
Would Unbound be good? I think it is part of the OpenBSD install, if I remember correctly.
 
Old 01-18-2022, 04:44 PM   #8
wpeckham
Quote:
Originally Posted by //////
Would Unbound be good? I think it is part of the OpenBSD install, if I remember correctly.
I have never used Unbound. It does DNS over TLS, so it should be secure, but requires you to manage your keys. Are you comfortable with that?

It may also be overkill for what you need, but I have nothing negative to say about it. I would hope someone with experience with it might weigh in.
 
Old 02-03-2022, 12:44 PM   #9
//////
Original Poster
I found a solution, it is a program called Zeek.
https://docs.zeek.org/en/master/quickstart.html

It logs all DNS traffic to text logs,
and it is full of different usage modes, not just logging of DNS traffic.
https://docs.zeek.org/en/master/log-formats.html

Screenshot here:

https://i.imgur.com/zpI0d0E.png

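To close the loop on the original goal (comparing logged lookups against bad_hosts / malware_domains lists), here is an added Perl example, not from the thread or from the Zeek project, that reads a dns.log in the tab-separated ASCII format the linked page documents and reports queries for listed domains. The log excerpt and the blocklist are constructed; the column names match Zeek's dns.log, but the excerpt keeps only a few of its columns and the parser locates columns by name from the #fields header so the subset does not matter.

```perl
use strict;
use warnings;

# Constructed excerpt in Zeek's ASCII log format: tab-separated, '#fields' names the
# columns, '-' marks an unset value. A real dns.log carries more columns than this.
my $dns_log = join "\n",
    "#separator \\x09",
    "#path\tdns",
    "#fields\tts\tid.orig_h\tid.resp_h\tproto\tquery\tqtype_name\trcode_name",
    "#types\ttime\taddr\taddr\tenum\tstring\tstring\tstring",
    "1642435200.123\t192.0.2.10\t8.8.8.8\tudp\twww.example.com\tA\tNOERROR",
    "1642435201.456\t192.0.2.10\t8.8.8.8\tudp\tcdn.evil.test\tAAAA\tNXDOMAIN",
    "1642435202.789\t192.0.2.11\t8.8.4.4\tudp\t-\tA\tNOERROR",
    "#close\t2022-01-17-16-00-02";

# Constructed blocklist; one regex matches a listed domain or any subdomain of it.
my @bad    = qw(evil.test malware.example);
my $alt    = join '|', map { quotemeta } @bad;
my $bad_re = qr/(?:^|\.)(?:$alt)\z/i;

# Walk the log and return [ts, client, query] for every lookup of a listed domain.
sub scan_dns_log {
    my ($text) = @_;
    my (%col, @hits);
    for my $line (split /\n/, $text) {
        if ($line =~ /^#fields\t(.*)/) {            # header: map column name -> index
            my @names = split /\t/, $1;
            @col{@names} = 0 .. $#names;
            next;
        }
        next if $line eq '' || $line =~ /^#/;        # other metadata lines
        die "data before #fields header\n" unless exists $col{query};
        my @v = split /\t/, $line, -1;
        my $query = $v[ $col{query} ];
        next if $query eq '-';                       # unset: no name in this record
        push @hits, [ @v[ @col{qw(ts id.orig_h)} ], lc $query ] if $query =~ $bad_re;
    }
    return @hits;
}

printf "%s %s looked up %s\n", @$_ for scan_dns_log($dns_log);
```

Because the column index is rebuilt from each #fields line, the same loop keeps working when Zeek's column set changes between versions or when a rotated log opens a new header.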
All times are GMT -5.