Recent Events for foo.be MainPageDiary (Blog)

PassiveDNSin5Minutes

How to install and setup a minimal passive DNS monitoring sensor?

Contents

  1. dnscap installation
    1. libbind
    2. dnscap
    3. running dnscap
      1. sample output
    4. dnscap Patched Version

dnscap installation

libbind

In order to install dnscap, you'll need to install libbind. The easiest is to build a recent bind to get the latest version of the library (http://www.isc.org/software/libbind/). Previously the library was included in Bind but this is not the case any more.

cd ./libbind-x-y-z
./configure
make
make install

dnscap

svn export https://tools.isc.org/svn/dnscap
cd dnscap/trunk

Update the Makefile to match the recent version to add the "dns" parameter.

BINDCFLAGS= `PATH=/usr/local/bin:$$PATH isc-config.sh --cflags dns`
BINDLDFLAGS= `PATH=/usr/local/bin:$$PATH isc-config.sh --libs dns`

running dnscap

dnscap can be run in pcap-like mode (a pcap file name is saved at a defined interval) or output dig-like line on stderr.

For dig-like output:

./dnscap -sr -i eth1 -g

-sr → select response only

For pcap output:

./dnscap -sr -i eth1 -w passivedns.cap

sample output

[120] 2011-02-17 19:44:42.390051 [#15 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].32801  \
	dns QUERY,NOERROR,5280,qr|rd|ra \
	1 gmpg.org,IN,AAAA 0 \
	1 gmpg.org,IN,SOA,1898,ns1.mobiusltd.com,mmmmmm.gmail.com,2009030401,14400,7200,3600000,86400 0
[82] 2011-02-17 19:44:42.390056 [#16 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].34614  \
	dns QUERY,NOERROR,55447,qr|rd|ra \
	1 www.librarything.com,IN,A \
	1 www.librarything.com,IN,A,4753,74.201.105.31 0 0
[76] 2011-02-17 19:44:42.390060 [#17 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].60897  \
	dns QUERY,NOERROR,60585,qr|rd|ra \
	1 member.fsf.org,IN,A \
	1 member.fsf.org,IN,A,300,140.186.70.131 0 0
[70] 2011-02-17 19:44:42.414862 [#18 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].39617  \
	dns QUERY,NOERROR,8797,qr|rd|ra \
	1 gmpg.org,IN,A \
	1 gmpg.org,IN,A,14308,70.85.203.194 0 0
[133] 2011-02-17 19:44:42.419421 [#19 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].39261  \
	dns QUERY,NOERROR,22263,qr|rd|ra \
	1 www.gnu.org,IN,AAAA \
	1 www.gnu.org,IN,CNAME,74,wildebeest.gnu.org \
	1 gnu.org,IN,SOA,28,ns1.gnu.org,hostmaster.gnu.org,2011020203,3600,120,1209600,3600 0
[98] 2011-02-17 19:44:42.617965 [#20 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].55122  \
	dns QUERY,NOERROR,21689,qr|rd|ra \
	1 www.gnu.org,IN,A \
	2 www.gnu.org,IN,CNAME,74,wildebeest.gnu.org \
	wildebeest.gnu.org,IN,A,85,140.186.70.148 0 0

dnscap Patched Version

Recent Events for foo.be MainPageDiary (Blog)
This page is read-only View other revisions Administration
Last edited 2011-02-22 18:17 UTC by AlexandreDulaunoy (diff)

[FSF Associate Member] Librarything profile for adulau XFN Friendly
if not specified on the wiki page, Copyright © Alexandre (adulau) Dulaunoy. This work is licensed to you under version 2 of the GNU General Public License. Alternatively, you may choose to receive this work under any other license that grants the right to use, copy, modify, and/or distribute the work, as long as that license imposes the restriction that derivative works have to grant the same rights and impose the same restriction. For example, you may choose to receive this work under the GNU Free Documentation License, the CreativeCommons ShareAlike License, the XEmacs manual license, or similar free licenses.