Recent Events for foo.be MainPageDiary (Blog)

PassiveDNSin5Minutes

How to install and set up a minimal passive DNS monitoring sensor

dnscap installation

libbind

In order to install dnscap, you'll need libbind. The easiest way is to build a recent release of the library from source (http://www.isc.org/software/libbind/). The library used to ship as part of BIND, but that is no longer the case, so it has to be built and installed separately.

cd ./libbind-x-y-z
./configure
make
make install

dnscap

svn export https://tools.isc.org/svn/dnscap
cd dnscap/trunk

Update the Makefile so that it matches the recent library version by adding the "dns" parameter to the two isc-config.sh calls:

BINDCFLAGS= `PATH=/usr/local/bin:$$PATH isc-config.sh --cflags dns`
BINDLDFLAGS= `PATH=/usr/local/bin:$$PATH isc-config.sh --libs dns`

running dnscap

dnscap can run in pcap mode (it writes the captured DNS traffic to a pcap file and starts a new file at a defined interval) or print one dig-like line per DNS message on stderr.

For dig-like output:

./dnscap -sr -i eth1 -g

-sr → select responses only (-s takes i for initiations, i.e. queries, and r for responses)
-g → print the dig-like output on stderr

For pcap output (add -t <seconds> to close the file and start a new one at that interval):

./dnscap -sr -i eth1 -w passivedns.cap

sample output

[120] 2011-02-17 19:44:42.390051 [#15 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].32801  \
	dns QUERY,NOERROR,5280,qr|rd|ra \
	1 gmpg.org,IN,AAAA 0 \
	1 gmpg.org,IN,SOA,1898,ns1.mobiusltd.com,mmmmmm.gmail.com,2009030401,14400,7200,3600000,86400 0
[82] 2011-02-17 19:44:42.390056 [#16 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].34614  \
	dns QUERY,NOERROR,55447,qr|rd|ra \
	1 www.librarything.com,IN,A \
	1 www.librarything.com,IN,A,4753,74.201.105.31 0 0
[76] 2011-02-17 19:44:42.390060 [#17 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].60897  \
	dns QUERY,NOERROR,60585,qr|rd|ra \
	1 member.fsf.org,IN,A \
	1 member.fsf.org,IN,A,300,140.186.70.131 0 0
[70] 2011-02-17 19:44:42.414862 [#18 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].39617  \
	dns QUERY,NOERROR,8797,qr|rd|ra \
	1 gmpg.org,IN,A \
	1 gmpg.org,IN,A,14308,70.85.203.194 0 0
[133] 2011-02-17 19:44:42.419421 [#19 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].39261  \
	dns QUERY,NOERROR,22263,qr|rd|ra \
	1 www.gnu.org,IN,AAAA \
	1 www.gnu.org,IN,CNAME,74,wildebeest.gnu.org \
	1 gnu.org,IN,SOA,28,ns1.gnu.org,hostmaster.gnu.org,2011020203,3600,120,1209600,3600 0
[98] 2011-02-17 19:44:42.617965 [#20 eth1 0] \
	[192.168.1.1].53 [192.168.1.5].55122  \
	dns QUERY,NOERROR,21689,qr|rd|ra \
	1 www.gnu.org,IN,A \
	2 www.gnu.org,IN,CNAME,74,wildebeest.gnu.org \
	wildebeest.gnu.org,IN,A,85,140.186.70.148 0 0
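The dig-like records above are what a passive DNS sensor feeds into its store. As an added example (it is not part of the original post and not dnscap's own code), here is a small Python aggregator that folds the answer and authority RRs of every response into passive DNS tuples: one entry per (rrname, rrtype, rdata) with first seen, last seen, observation count, last TTL and the responding server. The record layout it assumes (header line, then four sections each written as a count followed by comma-separated RRs) is read off the sample output above, not taken from the dnscap source. The embedded sample copies records #19 and #20 from the page and adds one constructed query record (no qr flag) to show that initiations are dropped.

```python
# Added example for this page (not dnscap's own code): turn the dig-like output of
# "dnscap -g", in the format shown in the sample above, into passive DNS tuples.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterator, List, Optional, Tuple

# Records #19 and #20 are copied from the sample output on this page; the first
# record is CONSTRUCTED, a query (no "qr" flag) that the aggregator must ignore.
SAMPLE = r"""[46] 2011-02-17 19:44:42.400000 [#14 eth1 0] \
    [192.168.1.5].39261 [192.168.1.1].53  \
    dns QUERY,NOERROR,22263,rd \
    1 www.gnu.org,IN,AAAA 0 0 0
[133] 2011-02-17 19:44:42.419421 [#19 eth1 0] \
    [192.168.1.1].53 [192.168.1.5].39261  \
    dns QUERY,NOERROR,22263,qr|rd|ra \
    1 www.gnu.org,IN,AAAA \
    1 www.gnu.org,IN,CNAME,74,wildebeest.gnu.org \
    1 gnu.org,IN,SOA,28,ns1.gnu.org,hostmaster.gnu.org,2011020203,3600,120,1209600,3600 0
[98] 2011-02-17 19:44:42.617965 [#20 eth1 0] \
    [192.168.1.1].53 [192.168.1.5].55122  \
    dns QUERY,NOERROR,21689,qr|rd|ra \
    1 www.gnu.org,IN,A \
    2 www.gnu.org,IN,CNAME,74,wildebeest.gnu.org \
    wildebeest.gnu.org,IN,A,85,140.186.70.148 0 0
"""

@dataclass
class PdnsEntry:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime
    ttl: int         # TTL of the most recent observation
    server: str      # responding [addr].port; client addresses are deliberately not kept
    count: int = 1

def iter_records(text: str) -> Iterator[str]:
    """One space-joined string per message: a record starts at a line beginning with
    "[" and continues on indented lines that dnscap terminates with a backslash."""
    buf: List[str] = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace() and buf:
            yield " ".join(buf)
            buf = []
        buf.append(line.strip().rstrip("\\").strip())
    if buf:
        yield " ".join(buf)

def parse_rr(token: str) -> Tuple[str, str, str, Optional[int], Optional[str]]:
    """Split "name,class,type[,ttl,rdata]"; rdata may itself contain commas (SOA)."""
    parts = token.split(",", 4)
    if len(parts) == 3:                       # question-section entry, no TTL/rdata
        return parts[0], parts[1], parts[2], None, None
    name, rclass, rtype, ttl, rdata = parts   # ValueError on anything else
    return name, rclass, rtype, int(ttl), rdata

def parse_record(rec: str) -> dict:
    """Header: "[len] date time [#n iface vlan] [src].port [dst].port dns OP,RCODE,ID,flags",
    then four sections (question, answer, authority, additional), each "count rr rr ..."."""
    tokens = rec.split()
    ts = datetime.strptime(tokens[1] + " " + tokens[2], "%Y-%m-%d %H:%M:%S.%f")
    i = tokens.index("dns")
    hdr = tokens[i + 1].split(",")
    flags = set(hdr[3].split("|")) if len(hdr) > 3 and hdr[3] else set()
    sections: Dict[str, List[str]] = {}
    pos = i + 2
    for name in ("question", "answer", "authority", "additional"):
        count = int(tokens[pos])
        sections[name] = tokens[pos + 1:pos + 1 + count]
        if len(sections[name]) != count:
            raise ValueError("truncated record: %r" % rec)
        pos += 1 + count
    return {"ts": ts, "sender": tokens[i - 2], "flags": flags, "sections": sections}

def aggregate(text: str, db: Optional[Dict[tuple, PdnsEntry]] = None) -> Dict[tuple, PdnsEntry]:
    """Fold answer and authority RRs of every response into the store keyed by (name, type, rdata)."""
    db = {} if db is None else db
    for rec in iter_records(text):
        msg = parse_record(rec)
        if "qr" not in msg["flags"]:          # responses only, even if -sr was forgotten
            continue
        for section in ("answer", "authority"):
            for token in msg["sections"][section]:
                name, rclass, rtype, ttl, rdata = parse_rr(token)
                if rclass != "IN" or rdata is None:
                    continue
                key = (name.lower(), rtype, rdata)
                entry = db.get(key)
                if entry is None:
                    db[key] = PdnsEntry(name.lower(), rtype, rdata, msg["ts"], msg["ts"], ttl, msg["sender"])
                else:
                    entry.first_seen = min(entry.first_seen, msg["ts"])
                    entry.last_seen = max(entry.last_seen, msg["ts"])
                    entry.ttl, entry.server, entry.count = ttl, msg["sender"], entry.count + 1
    return db

if __name__ == "__main__":
    for e in aggregate(SAMPLE).values():
        print(e.first_seen, e.last_seen, e.count, e.rrname, e.rrtype, e.rdata, sep="\t")
```

Run it as a script to print the store built from the embedded sample; to feed it the live sensor, replace SAMPLE with sys.stdin.read() and redirect the -g output, which goes to stderr, with 2>&1. Two caveats: the parser tokenises on whitespace, so rdata that contains spaces (TXT records, for instance) would need a quote-aware split, and the store keeps which server answered but not which client asked, since a passive DNS database should not double as a log of who looked up what.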

dnscap Patched Version