PaulDotCom mailing list archives
Re: DNS Query capture and analysis
From: craig bowser <reswob10 () gmail com>
Date: Mon, 27 May 2013 12:39:40 -0400
There are two ways I have seen. Off the wire or at the DNS server itself.
From a high level, this is what you do.
If you do it off the wire, use tcpdump and filter for all port 53 TCP and UDP. You can then dump to pcap files and perform your analysis from there. If at the server, for both Windows and *NIX, you must turn on debug logging for the details. Then you can script the analysis of the logs on a periodic basis. In general you want to look for hits to blacklisted domains, the top 10, bottom 10, and top new domains.

There are plenty of how-tos and such out there, but in self interest, I'll point to a project I did about a year ago. It's pretty basic, but the MS Word document and PowerPoint slides there have links and info that should provide more information: https://github.com/reswob10/ScourDNS

Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during transport.

On Sun, May 26, 2013 at 9:53 PM, Tim Parker <timparkersec () gmail com> wrote:
What's the best way to capture and analyze DNS queries and responses on my LAN? Are there any good tools out there for this? I can run a full capture on the WAN interface, but then what's good for automating the extraction of the DNS traffic? Thanks!

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
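Craig's "script the analysis of the logs on a periodic basis" step, as an added example that is not part of the original thread or of the ScourDNS project: a small Python script that parses BIND-style query-log lines (the sample log, baseline set and blacklist below are constructed assumptions), counts queried names, and reports the top and bottom N names, names not seen in the baseline, and hits against blacklisted domains (including their subdomains) together with the querying client.

```python
import re
from collections import Counter

# Constructed BIND-style query-log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
27-May-2013 12:39:40.101 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
27-May-2013 12:39:41.102 client 10.0.0.5#51235: query: WWW.EXAMPLE.COM. IN AAAA + (10.0.0.1)
27-May-2013 12:39:42.103 client 10.0.0.7#40001: query: mail.example.com IN MX + (10.0.0.1)
27-May-2013 12:39:43.104 client 10.0.0.9#40002: query: cdn.example-static.net IN A + (10.0.0.1)
27-May-2013 12:39:44.105 client 10.0.0.9#40003: query: x7f2a.bad-domain.example IN A + (10.0.0.1)
27-May-2013 12:39:45.106 client 10.0.0.5#51236: query: www.example.com IN A + (10.0.0.1)
"""

# Names seen on earlier days and a blacklist; both are constructed for the example.
BASELINE = {"www.example.com", "mail.example.com"}
BLACKLIST = {"bad-domain.example"}

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_query_log(text):
    """Yield (client, qname, qtype); qname is lower-cased with any trailing dot removed."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["qname"].lower().rstrip("."), m["qtype"]

def matches_blacklist(qname, blacklist):
    """True if qname is a blacklisted domain or lies underneath one."""
    return any(qname == b or qname.endswith("." + b) for b in blacklist)

def analyze(text, baseline, blacklist, n=3):
    """Return top/bottom n names, new names with counts, and blacklist hits per client."""
    counts = Counter()
    hits = []
    for client, qname, _qtype in parse_query_log(text):
        counts[qname] += 1
        if matches_blacklist(qname, blacklist):
            hits.append((client, qname))
    by_count = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    new = [(name, c) for name, c in by_count if name not in baseline]
    return {
        "top": by_count[:n],
        "bottom": list(reversed(by_count))[:n],   # rarest names first
        "new": new,                                # "top new" domains, most queried first
        "blacklist_hits": hits,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, BASELINE, BLACKLIST).items():
        print(f"{key}: {value}")
```

Pointing the script at a real query log and a nightly-refreshed baseline file gives the periodic top/bottom/new/blacklist report Craig describes; a distinct filter is needed for the tcpdump-to-pcap route, since pcap is not line-oriented.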