[Bro] DNS query logging

anthony kasza anthony.kasza at gmail.com
Wed Sep 11 18:27:29 PDT 2013

Are you using broctl or the bro binary?
What scripts do you have loaded that affect DNS and DNS logging?
Are you running against live traffic or a trace file? If on live traffic, I
assume you're running Bro on the DNS server at, are inbound
client queries+responses and outbound upstream queries+responses happening
on the same interface?


On Wed, Sep 11, 2013 at 3:53 PM, Jeremy Hoel <jthoel at gmail.com> wrote:

> So I'm testing out bro for a limited use on recording dns queries and
> responses.  I have the logs coming in and that's great, but I don't
> think I'm seeing all the dns traffic.
> Example:
> via tcpdump with a BPF for just a client I get:
> 22:44:26.342201 IP > 58059+ A?
> nike.com. (26)
> 22:44:26.412863 IP > 58059 1/0/0
> A (42)
> That makes sense: request and reply.
> Yet in the dns.log I see
> 1378939466.342353 64592 53 udp 11033
> nike.com 0 NOERROR F T T
> 1378939466.342201 36221 53 udp 58059
> nike.com 0 NOERROR F T T
> which shows the dns server talking to its upstream server (expected)
> and then issuing the answer to the client, but the original request
> isn't in the dns log.
> So assuming you get a response back from an upstream server, you can
> infer that the original requester was the second entry, but I was
> expecting to see an entry for the actual request to the 189.225
> server.
> Or am I not understanding something right?  I could probably look at
> the conn.log, but I am trying to just log the dns request, so I have
> conn.log turned off.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
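An added check, written for this thread and not code from either poster or from the Bro project, that correlates a client's tcpdump DNS query transaction ids with Bro dns.log lines so you can see which dns.log entry covers each client query. The tab-separated field order, the resolver address and the sample lines are constructed assumptions (the real dns.log has more columns).

```python
# Added example: pair tcpdump DNS queries with Bro dns.log lines by trans_id.
# Field layout and sample data are constructed, not the list's real files.

# Constructed tcpdump-style records: (trans_id, query name) seen on the client side.
TCPDUMP_QUERIES = [
    (58059, "nike.com"),
    (41002, "example.org"),  # constructed: a query with no dns.log entry at all
]

# Constructed dns.log excerpt using an assumed, simplified field order.
DNS_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id\tquery\trcode_name
1378939466.342353\t10.0.0.53\t64592\t192.0.2.1\t53\tudp\t11033\tnike.com\tNOERROR
1378939466.342201\t10.0.0.7\t36221\t10.0.0.53\t53\tudp\t58059\tnike.com\tNOERROR
"""

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "trans_id", "query", "rcode_name"]


def parse_dns_log(text):
    """Parse dns.log text into dicts, skipping '#' header/comment lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # malformed line: skip it rather than misalign the columns
        row = dict(zip(FIELDS, parts))
        row["trans_id"] = int(row["trans_id"])
        rows.append(row)
    return rows


def match_queries(tcpdump_queries, dns_rows, resolver):
    """Map each tcpdump trans_id to ("client"|"upstream"|"missing", row or None).

    Bro writes one dns.log line per query/response pair, so the client's request
    and the reply it received are the same line. A line whose originator is the
    resolver itself is the resolver's own upstream lookup, not the client query.
    """
    index = {}
    for row in dns_rows:
        index.setdefault((row["trans_id"], row["query"]), []).append(row)
    result = {}
    for tid, name in tcpdump_queries:
        rows = index.get((tid, name), [])
        if not rows:
            result[tid] = ("missing", None)
        else:
            side = "upstream" if rows[0]["orig_h"] == resolver else "client"
            result[tid] = (side, rows[0])
    return result
```

Running `match_queries(TCPDUMP_QUERIES, parse_dns_log(DNS_LOG), "10.0.0.53")` reports trans_id 58059 as the client-side line and 41002 as missing, which is the kind of gap worth investigating before concluding that dns.log drops requests.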