[Bro] reverse DNS based on bro's forward DNS query log
stephane.chazelas at gmail.com
Thu Aug 23 07:48:45 PDT 2012
while I'm at sharing bro related stuff, I've got a setup here
that parses bro's DNS log in real time and updates the database
of a local DNS server (powerdns with mysql backend) so as to
provide more useful PTR records.
$ tail -1 dns.log
1345732627.030897 jUJU3ZwGOv4 x.x.x.x 54866 x.x.x.x 53 udp 44687 static.ak.facebook.com 1 C_INTERNET 1 A 0 NOERROR F F F T T 0 static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,188.8.131.52,184.108.40.206 3364.000000,348.000000,15.000000,15.000000
$ dig -x 220.127.116.11 +short
For many "cloud" IP addresses, it won't necessarily be useful,
but in many cases, it gives more useful information than the
real PTR record.
Above, it tells us that 18.104.22.168 was last the result of a
query for an A record for static.ak.facebook.com (at 14:37:07),
and it gives you the result of the geoiplookup.
It can be generalised for other things (like for internal IP
addresses, I use other sources of information to feed the
If anybody is interested, I can post the instructions on how to
set it up along with the small perl script that parses the bro
dns logs here or on github.