[Bro] reverse DNS based on bro's forward DNS query log

Stephane Chazelas stephane.chazelas at gmail.com
Thu Aug 23 07:48:45 PDT 2012


while I'm at sharing bro-related stuff, I've got a setup here
that parses bro's DNS log in real time and updates the database
of a local DNS server (powerdns with mysql backend) so as to
provide more useful PTR records.

$ tail -1 dns.log
1345732627.030897       jUJU3ZwGOv4     x.x.x.x      54866   x.x.x.x   53      udp     44687   static.ak.facebook.com  1       C_INTERNET      1       A       0       NOERROR F     F       F       T       T       0       static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,,     3364.000000,348.000000,15.000000,15.000000

$ dig -x +short

For many "cloud" IP addresses, it won't necessarily be useful,
but in many cases, it gives more useful information than the
real PTR record.

Above, it tells us that was last the result of a
query for an A record for static.ak.facebook.com (at 14:37:07),
and it gives you the result of the geoiplookup.

It can be generalised for other things (like for internal IP
addresses, I use other sources of information to feed the
powerdns database).

If anybody is interested, I can post the instructions on how to
set it up along with the small perl script that parses the bro
dns logs here or on github.
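The core of the setup described above, as an added Python example (not the author's perl script, which was not posted): parse bro's tab-separated dns.log (23 columns, in the order of the sample line), remember for each address in a successful A/AAAA answer the query name it was last returned for, and derive the owner names a reverse zone needs. Writing the records into the powerdns mysql backend is left out; the dict returned by ptr_records is what would be inserted. The sample log lines are constructed, with documentation-range addresses.

```python
import ipaddress

# Bro 2.x dns.log columns (tab-separated), in the order of the post's sample line.
FIELDS = ("ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "trans_id", "query", "qclass", "qclass_name", "qtype", "qtype_name", "rcode",
          "rcode_name", "QR", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs")

def parse_dns_line(line):
    """Split one dns.log record into a dict keyed by Bro's column names."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != len(FIELDS):
        raise ValueError("unexpected column count: %d" % len(cols))
    return dict(zip(FIELDS, cols))

def update_ptr_map(ptr_map, line):
    """Map every address in a successful A/AAAA reply to (query name, ts).
    A later reply overwrites an earlier one, so each IP keeps the name it was
    *last* returned for, which is what the post reads out of its PTR record."""
    rec = parse_dns_line(line)
    if rec["qtype_name"] not in ("A", "AAAA") or rec["rcode_name"] != "NOERROR":
        return ptr_map
    for ans in rec["answers"].split(","):
        try:
            ip = ipaddress.ip_address(ans)
        except ValueError:
            continue  # CNAME hop, "-" or an empty field: not an address
        ptr_map[str(ip)] = (rec["query"], float(rec["ts"]))
    return ptr_map

def ptr_records(lines):
    """Run log lines through the map; return {reverse owner name: target FQDN}."""
    ptr_map = {}
    for line in lines:
        update_ptr_map(ptr_map, line)
    return {ipaddress.ip_address(ip).reverse_pointer: name + "."
            for ip, (name, _ts) in ptr_map.items()}

# Constructed sample log; 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_LOG = [
    "\t".join(["1345732627.030897", "jUJU3ZwGOv4", "192.0.2.10", "54866", "192.0.2.1", "53", "udp", "44687",
               "static.ak.facebook.com", "1", "C_INTERNET", "1", "A", "0", "NOERROR", "F", "F", "F", "T", "T", "0",
               "static.ak.facebook.com.edgesuite.net,a749.dsw4.akamai.net,198.51.100.8,198.51.100.9",
               "3364.000000,348.000000,15.000000,15.000000"]),
    "\t".join(["1345732700.000000", "Ab12Cd34Ef5", "192.0.2.10", "54867", "192.0.2.1", "53", "udp", "44688",
               "www.example.net", "1", "C_INTERNET", "28", "AAAA", "0", "NOERROR", "F", "F", "F", "T", "T", "0",
               "2001:db8::1", "300.000000"]),
    "\t".join(["1345732710.000000", "Gh67Ij89Kl0", "192.0.2.10", "54868", "192.0.2.1", "53", "udp", "44689",
               "nope.example.net", "1", "C_INTERNET", "1", "A", "3", "NXDOMAIN", "F", "F", "F", "T", "T", "0", "-", "-"]),
]
```

Running ptr_records(SAMPLE_LOG) yields three PTR owner names (two in in-addr.arpa, one in ip6.arpa); the NXDOMAIN record contributes nothing.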


