[Bro] DNS query logging

Jeremy Hoel jthoel at gmail.com
Wed Sep 11 15:53:25 PDT 2013

So I'm testing out bro for a limited use on recording dns queries and
responses.  I have the logs coming in and that's great, but I don't
think I'm not seeing all the dns traffic.


via tcpdump with a BPF for just a client I get:

22:44:26.342201 IP > 58059+ A?
nike.com. (26)
22:44:26.412863 IP > 58059 1/0/0
A (42)

That makes sense.. request, and reply.

Yet in the dns.log I see

1378939466.342353 64592 53 udp 11033
nike.com 0 NOERROR F T T
1378939466.342201 36221 53 udp 58059
nike.com 0 NOERROR F T T

which shows the dns server talking to its upstream server (expected)
and then issues the answer to the client, but the original request
isn't in the dns log.

So assuming you get a response back from an upstream server, you can
infer that the original requester was the second entry, but I was
expecting to see an entry for the actual request to the 189.225

Or am I not understanding something right?  I could probably look at
the conn.log, but I am trying to just log the dns request, so I have
conn.log turned off.

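One way to check the coverage question raised above, as an added example that is not part of the original post: compare the (client, transaction ID, query name) keys read off tcpdump's query lines with the keys present in dns.log. The dns.log excerpt and tcpdump-derived list below are constructed; the IPs are made up because the quoted output has them stripped, while the ports, transaction IDs, timestamps and query name come from the post, and only a subset of Bro's dns.log columns is kept.

```python
# Added example (not from the original post): check whether every DNS query seen
# on the wire has a matching dns.log line. Keys are (client, trans_id, query name)
# because dns.log writes one line per transaction, keyed by trans_id, not per packet.

DNS_LOG = """#separator \\x09
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\trcode\trcode_name
1378939466.342353\t10.0.0.53\t64592\t198.51.100.1\t53\tudp\t11033\tnike.com\t0\tNOERROR
1378939466.342201\t10.0.0.25\t36221\t10.0.0.53\t53\tudp\t58059\tnike.com\t0\tNOERROR
"""
# Constructed: the IPs above are made up (the quoted output has them stripped);
# ports, trans_ids, timestamps and the query come from the post.

# Constructed (client, trans_id, qname) triples as read off tcpdump's "NNNNN+ A?" lines;
# 58060 is an extra made-up query with no dns.log line, to show a reported gap.
CAPTURED = [("10.0.0.25", 58059, "nike.com."), ("10.0.0.25", 58060, "example.org.")]


def norm_name(qname):
    """tcpdump prints 'nike.com.' while dns.log has 'nike.com'; compare them equal."""
    return qname.rstrip(".").lower()


def parse_dns_log(text):
    """Yield one dict per dns.log row, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("dns.log data row before #fields header")
            yield dict(zip(fields, line.split("\t")))


def logged_transactions(text):
    """Set of (client ip, trans_id, qname) keys that have a dns.log line."""
    return {(r["id.orig_h"], int(r["trans_id"]), norm_name(r["query"]))
            for r in parse_dns_log(text)}


def missing_from_log(captured, text):
    """Wire-observed queries with no dns.log line, i.e. gaps in DNS logging coverage."""
    logged = logged_transactions(text)
    return sorted((c, t, norm_name(q)) for c, t, q in captured
                  if (c, t, norm_name(q)) not in logged)


if __name__ == "__main__":
    for client, trans_id, qname in missing_from_log(CAPTURED, DNS_LOG):
        print(f"no dns.log line for client {client} trans_id {trans_id} query {qname}")
```

With the post's data the client's 58059 query matches the second dns.log line (originator port 36221), so only the made-up 58060 query is reported as missing.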