Netgate Discussion Forum
    How can I record and maybe monitor all DNS requests and replies?

    Category: DHCP and DNS
    13 Posts 5 Posters 18.4k Views
    johnpoz LAYER 8 Global Moderator

      I clearly show pkg_add in what I typed, so I'm not sure why you would see pkg-add.

      That shows you have a syntax error: unknown command. Do you have an issue with ftp on your install of pfSense?

      Why don't you just download the package directly from the correct location?

      http://ftp-archive.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/dnstop-20110502.tbz

      edit: then add it from there

      wget http://ftp-archive.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/dnstop-20110502.tbz
      --2014-04-21 05:51:09--  http://ftp-archive.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.3-release/All/dnstop-20110502.tbz
      Resolving ftp-archive.freebsd.org (ftp-archive.freebsd.org)... 128.205.32.24
      Connecting to ftp-archive.freebsd.org (ftp-archive.freebsd.org)|128.205.32.24|:80... connected.
      HTTP request sent, awaiting response... 200 OK
      Length: 22846 (22K) [application/x-bzip-compressed-tar]
      Saving to: `dnstop-20110502.tbz'

      100%[=========================================================================================>] 22,846      --.-K/s  in 0.1s

      2014-04-21 05:51:09 (219 KB/s) - `dnstop-20110502.tbz' saved [22846/22846]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        brick41

        @johnpoz:

        I clearly show pkg_add in what I typed, so I'm not sure why you would see pkg-add.

        That shows you have a syntax error: unknown command. Do you have an issue with ftp on your install of pfSense?

        I'm not sure why I saw pkg-add, I guess I copied it wrong. I downloaded that file and then uploaded it through the web interface to /tmp. Then on the console I switched to /tmp and ran pkg_add dnstop-20110502.tbz. That installed it to /usr/local/bin which isn't in my path. I was able to start it this way:

        /usr/local/bin/dnstop -l 9 ovpnc1
        

        ovpnc1 is my OpenVPN interface. After starting I switched to level 9 (the highest level) by pressing the 9 key. Now I can see the domain names that are requested. This is good and I appreciate the help but I'd really like to be able to log all requests and replies to a file, so if anyone figures out how to do that please let me know.

        If I create a special rule in the firewall to log all traffic to TCP/UDP 53 then that will show the names requested as well, and I guess I can parse the hosts from that. But is there a way for that logging to be separate from the other logging? In other words can I have a special log for a single rule?

          timthetortoise

          You can't have a completely separate log, but you can easily just grep for the rule number, as it should be the same every time.

          Edit: or just grep for a DNS query in general. I'm able to watch DNS queries live with:

          # Dots inside the IPv4 pattern are escaped so they match only literal dots;
          # the final character class covers the separator between address and port 53.
          tail -f /var/log/pfsense.log | grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}[.:,]53"

            jimp Rebel Alliance Developer Netgate

            Make them use the DNS Forwarder, then go to System > DNS Forwarder, add "log-queries" to the advanced options, and then monitor the resolver log.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

              brick41
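Once dnsmasq runs with log-queries, the resolver log carries one "query[TYPE] name from client" line per request, followed by the "reply"/"cached" lines for it (and a "forwarded ... to ..." line when it went upstream). The script below is an added example, not code from the thread or from pfSense: it pairs each query with the replies dnsmasq logs for it and emits the pairs as JSON Lines, which is the "log all requests and replies to a file" the question asks for. The message wording is dnsmasq's real format; the syslog prefix, host name "pfsense", pid and every sample line are constructed here and are not a real capture. It also handles the two cases a naive name match gets wrong: NXDOMAIN replies, and CNAME chains, where the follow-up reply names a target that never appears in a query line.

```python
import json
import re
import sys

# The "Mon DD HH:MM:SS host" prefix is the syslog daemon's; the rest is dnsmasq's
# own log-queries wording, e.g.
#   query[A] www.example.com from 192.168.1.10
#   reply www.example.com is 93.184.216.34
SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq\[\d+\]: "
QUERY_RE = re.compile(SYSLOG_PREFIX + r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
REPLY_RE = re.compile(SYSLOG_PREFIX + r"(?P<kind>reply|cached|config) (?P<name>\S+) is (?P<answer>.+)$")

# Constructed sample lines in dnsmasq's log-queries format (assumed hostname/pid, not a real log).
SAMPLE_LOG = """\
Apr 21 05:51:09 pfsense dnsmasq[2231]: query[A] www.example.com from 192.168.1.10
Apr 21 05:51:09 pfsense dnsmasq[2231]: forwarded www.example.com to 8.8.8.8
Apr 21 05:51:09 pfsense dnsmasq[2231]: reply www.example.com is 93.184.216.34
Apr 21 05:51:10 pfsense dnsmasq[2231]: query[AAAA] www.example.com from 192.168.1.10
Apr 21 05:51:10 pfsense dnsmasq[2231]: cached www.example.com is 2606:2800:220:1:248:1893:25c8:1946
Apr 21 05:51:12 pfsense dnsmasq[2231]: query[A] evil.test from 192.168.1.20
Apr 21 05:51:12 pfsense dnsmasq[2231]: forwarded evil.test to 8.8.8.8
Apr 21 05:51:12 pfsense dnsmasq[2231]: reply evil.test is NXDOMAIN
Apr 21 05:51:13 pfsense dnsmasq[2231]: query[A] cdn.example.net from 192.168.1.20
Apr 21 05:51:13 pfsense dnsmasq[2231]: reply cdn.example.net is <CNAME>
Apr 21 05:51:13 pfsense dnsmasq[2231]: reply edge.example.net is 198.51.100.7
"""


def parse_log(text):
    """Return one record per query, each carrying the replies dnsmasq logged for it.

    dnsmasq writes a query's reply lines right after it, keyed only by name, so a
    reply is attached to the most recent query for that name. A <CNAME> answer is
    followed by reply lines for the target name, which never appears in a query
    line; those are attached to the query that received the <CNAME>.
    """
    records = []
    latest_for_name = {}   # name -> most recent query record for that name
    cname_owner = None     # query record whose last answer was a <CNAME>
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            rec = {"ts": m["ts"], "client": m["client"], "qtype": m["qtype"],
                   "name": m["name"], "answers": []}
            records.append(rec)
            latest_for_name[rec["name"]] = rec
            cname_owner = None
            continue
        m = REPLY_RE.match(line)
        if not m:
            continue   # "forwarded ... to ..." and unrelated lines carry no answer
        if cname_owner is not None and m["name"] != cname_owner["name"]:
            rec = cname_owner   # reply for the CNAME target
        else:
            rec = latest_for_name.get(m["name"])
        if rec is None:
            continue   # reply whose query fell outside this log window
        rec["answers"].append((m["name"], m["answer"]))
        if m["answer"] == "<CNAME>":
            cname_owner = rec
    return records


def to_jsonl(records):
    """Serialise records as JSON Lines: one query with its replies per line."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def queries_per_client(records):
    """Query count per client IP, the 'who is asking the most' view dnstop gives live."""
    counts = {}
    for r in records:
        counts[r["client"]] = counts.get(r["client"], 0) + 1
    return counts


if __name__ == "__main__":
    # Read a resolver log named on the command line, or fall back to the sample
    # so the script runs without a pfSense box; pipe the output to a file to archive it.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sys.stdout.write(to_jsonl(parse_log(text)))
```

Because dnsmasq keys reply lines by name only, two clients asking for the same name at the same second cannot be told apart from the log; the pairing here is the best the log-queries format supports, and a packet capture is the only way to get per-transaction certainty.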

              Thanks for the ideas guys, I'll give them a try. I don't have a /var/log/pfsense.log though.

                timthetortoise

                Sorry, that's my remote syslog path. In the default install it'd be clog /var/log/system.log

                  Su30MKI

                  Does dnstop provide the IP address and MAC ID of the client from which the DNS requests are generated?

                    johnpoz LAYER 8 Global Moderator

                    It gives you the IP if you want it. A MAC address would only be useful if the DNS server were on the same Layer 2 as the requestor.

                      Su30MKI

                      That works great, because I can use the DHCP logs stored on a remote host: I can get the MAC ID that uses the IP address from that. Can you please help me with storing the dnstop logs on a remote host too?

                        johnpoz LAYER 8 Global Moderator

                        dnstop doesn't really log. You can load in a tcpdump "savefile".

                        http://linux.die.net/man/8/dnstop
                        dnstop is a small tool to listen on device or to parse the file savefile and collect and print statistics on the local network's DNS traffic. You must have read access to /dev/bpf*.
                        dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval] [device] [savefile]

                        So you could log traffic on 53 TCP/UDP with, say, tcpdump, and then, to see what was queried, you could have dnstop parse the dump. You could run tcpdump in a loop to have lots of different files for, say, each day, etc.

                        dnstop is great for keeping an active eye on what is being queried, from whom, what is most queried, etc., but it is not really a good choice for archival of DNS queries. Your best bet in that case would be to have dnsmasq log and send that to syslog, or have bind log and send that to syslog as well, so you could have them on a different machine.

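Su30MKI's plan above is to join the resolver's query lines with the DHCP server's logs on the remote syslog host so that each query is tied to a MAC address, since, as johnpoz notes, the DNS log itself only ever carries the client IP. The script below is an added example, not code from the thread, from pfSense or from dnstop: it indexes ISC dhcpd's "DHCPACK on <ip> to <mac> (hostname) via <if>" lines and, for each dnsmasq query, picks the lease that was current at the query's timestamp. That time ordering is the point: an IP handed to a different MAC later in the day must not be attributed to the new device for queries made before the re-lease, and a query from an address that never got a lease (static host, or a device outside the DHCP logs) is reported with no MAC rather than a wrong one. Both message formats are the daemons' real ones; the hostname "pfsense", interface, addresses and every sample line are constructed, and the year-less syslog timestamps are assumed to fall within one calendar year.

```python
import bisect
import re
from datetime import datetime

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
# ISC dhcpd lease acknowledgement; the "(hostname)" part is absent when the client sent none.
DHCPACK_RE = re.compile(
    TS + r" \S+ dhcpd: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$")
# dnsmasq log-queries request line.
QUERY_RE = re.compile(
    TS + r" \S+ dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")

# Constructed sample logs (assumed host/interface/addresses, not real captures).
# 192.168.1.20 is leased to one MAC at 05:45 and re-leased to another at 05:52.
SAMPLE_DHCP = """\
Apr 21 05:40:00 pfsense dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 (laptop) via em1
Apr 21 05:45:00 pfsense dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:01 via em1
Apr 21 05:52:00 pfsense dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:02 (phone) via em1
"""
SAMPLE_DNS = """\
Apr 21 05:51:09 pfsense dnsmasq[2231]: query[A] www.example.com from 192.168.1.10
Apr 21 05:51:12 pfsense dnsmasq[2231]: query[A] evil.test from 192.168.1.20
Apr 21 05:53:00 pfsense dnsmasq[2231]: query[A] update.example.org from 192.168.1.20
Apr 21 05:53:05 pfsense dnsmasq[2231]: query[A] printer.local from 192.168.1.99
"""


def parse_ts(s):
    """Syslog timestamps carry no year; strptime fills in 1900, which keeps ordering within a year."""
    return datetime.strptime(s, "%b %d %H:%M:%S")


def build_lease_index(dhcp_text):
    """ip -> chronologically sorted list of (ack_time, mac, hostname) from DHCPACK lines."""
    index = {}
    for line in dhcp_text.splitlines():
        m = DHCPACK_RE.match(line)
        if m:
            index.setdefault(m["ip"], []).append((parse_ts(m["ts"]), m["mac"], m["host"] or ""))
    for acks in index.values():
        acks.sort()
    return index


def mac_for(index, ip, when):
    """(mac, hostname) of the latest DHCPACK for ip at or before 'when'; None if no lease existed yet."""
    acks = index.get(ip, [])
    pos = bisect.bisect_right([a[0] for a in acks], when)
    return acks[pos - 1][1:] if pos else None


def attribute_queries(dns_text, dhcp_text):
    """Attach the lease current at query time to every dnsmasq query line."""
    index = build_lease_index(dhcp_text)
    rows = []
    for line in dns_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        lease = mac_for(index, m["client"], parse_ts(m["ts"]))
        rows.append({"ts": m["ts"], "client": m["client"], "qtype": m["qtype"], "name": m["name"],
                     "mac": lease[0] if lease else None, "host": lease[1] if lease else None})
    return rows


if __name__ == "__main__":
    for row in attribute_queries(SAMPLE_DNS, SAMPLE_DHCP):
        print(row["ts"], row["client"], row["mac"] or "-", row["host"] or "-", row["name"])
```

Feed it the two files the remote syslog host already receives (the resolver log and the dhcpd log) instead of the samples; a lease index built from DHCPACK lines alone misses static mappings, so treat a None MAC as "not a DHCP client", not as an error.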
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.