[Bro] DNS query logging

anthony kasza anthony.kasza at gmail.com
Wed Sep 11 18:27:29 PDT 2013


Are you using broctl or the bro binary?
What scripts do you have loaded that affect DNS and DNS logging?
Are you running against live traffic or a trace file? If on live traffic, I
assume you're running Bro on the DNS server at 10.85.30.71, are inbound
client queries+responses and outbound upstream queries+responses happening
on the same interface?

-AK


On Wed, Sep 11, 2013 at 3:53 PM, Jeremy Hoel <jthoel at gmail.com> wrote:

> So I'm testing out bro for a limited use on recording dns queries and
> responses.  I have the logs coming in and that's great, but I don't
> think I'm seeing all the dns traffic.
>
> Example:
>
> via tcpdump with a BPF for just a client I get:
>
> 22:44:26.342201 IP 10.10.189.40.36221 > 10.10.189.225.53: 58059+ A?
> nike.com. (26)
> 22:44:26.412863 IP 10.10.189.225.53 > 10.10.189.40.36221: 58059 1/0/0
> A 66.54.56.30 (42)
>
> That makes sense.. request, and reply.
>
> Yet in the dns.log I see
>
> 1378939466.342353 10.10.189.225 64592 10.85.30.71 53 udp 11033
> nike.com 0 NOERROR F T T 66.54.56.30
> 1378939466.342201 10.10.189.40 36221 10.10.189.225 53 udp 58059
> nike.com 0 NOERROR F T T 66.54.56.30
>
> which shows the dns server talking to its upstream server (expected)
> and then issues the answer to the client, but the original request
> isn't in the dns log.
>
> So assuming you get a response back from an upstream server, you can
> infer that the original requester was the second entry, but I was
> expecting to see an entry for the actual request to the 189.225
> server.
>
> Or am I not understanding something right?  I could probably look at
> the conn.log, but I am trying to just log the dns request, so I have
> conn.log turned off.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
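One check worth running against this kind of report is to line up the transactions tcpdump saw with the records Bro wrote, keyed on client address, source port, server and DNS transaction ID, instead of eyeballing the two logs. Bro's dns.log writes one record per query/response pair, timestamped when the query is first seen and filled in when the reply arrives, so a request and its reply never show up as two separate lines; the record for the client's own query is the one whose trans_id and source port match the tcpdump query. The script below is an added example, not code from the original post or from the Bro project. It assumes the dns.log column order (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, trans_id, query, ..., answers last) seen in the posted lines, and both inputs are constructed from the figures quoted in the thread.

```python
"""Cross-check DNS transactions captured with tcpdump against Bro's dns.log.

Added example, not code from the original post or from the Bro project.
The dns.log column order (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
proto, trans_id, query, ..., answers last) is assumed from the lines in
the post; both inputs are constructed from the figures in the thread.
"""
import re
from collections import namedtuple

# Constructed input: the two tcpdump summary lines from the post, unwrapped.
TCPDUMP_LINES = """\
22:44:26.342201 IP 10.10.189.40.36221 > 10.10.189.225.53: 58059+ A? nike.com. (26)
22:44:26.412863 IP 10.10.189.225.53 > 10.10.189.40.36221: 58059 1/0/0 A 66.54.56.30 (42)
"""

# Constructed input: the two dns.log records from the post, unwrapped.
DNS_LOG_LINES = """\
1378939466.342353 10.10.189.225 64592 10.85.30.71 53 udp 11033 nike.com 0 NOERROR F T T 66.54.56.30
1378939466.342201 10.10.189.40 36221 10.10.189.225 53 udp 58059 nike.com 0 NOERROR F T T 66.54.56.30
"""

Pkt = namedtuple("Pkt", "tod src sport dst dport txid is_query qname")
Rec = namedtuple("Rec", "ts orig_h orig_p resp_h resp_p proto trans_id query answers")

# "HH:MM:SS.frac IP a.b.c.d.port > e.f.g.h.port: txid[+] ..."; '+' is tcpdump's
# recursion-desired marker, so a query is recognised by the "TYPE?" that follows.
TCPDUMP_RE = re.compile(
    r"^(?P<tod>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)\+? "
)
QUERY_RE = re.compile(r"(\w+)\? (\S+?)\.? ")


def tod_seconds(hhmmss):
    """Seconds since midnight for a tcpdump 'HH:MM:SS.frac' stamp."""
    h, m, s = hhmmss.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_tcpdump(text):
    pkts = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        q = QUERY_RE.match(line[m.end():])
        pkts.append(Pkt(tod_seconds(m["tod"]), m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]), int(m["txid"]),
                        q is not None, q.group(2) if q else None))
    return pkts


def parse_dns_log(text):
    """Assumed column layout (see module docstring); answers taken from the last field."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 9:
            continue
        recs.append(Rec(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5],
                        int(f[6]), f[7], tuple(f[-1].split(","))))
    return recs


def match_queries(pkts, recs):
    """Map every query seen on the wire, keyed (client, port, server, txid),
    to the dns.log record with the same key, or None when Bro logged nothing."""
    index = {(r.orig_h, r.orig_p, r.resp_h, r.trans_id): r for r in recs}
    return {(p.src, p.sport, p.dst, p.txid): index.get((p.src, p.sport, p.dst, p.txid))
            for p in pkts if p.is_query}


def unmatched_queries(pkts, recs):
    """Queries tcpdump saw that have no dns.log record at all: the real gaps."""
    return [k for k, r in match_queries(pkts, recs).items() if r is None]


def record_ts_is_query_time(rec, pkt, tolerance=1e-5):
    """True when the record's epoch timestamp falls on the same second-of-day as
    the captured query packet, i.e. the record was stamped at query arrival."""
    return abs(rec.ts % 86400 - pkt.tod) < tolerance


def forwarding_chains(recs, window=1.0):
    """Pair each record with the upstream lookup its responder made for the same
    name within `window` seconds (the responder of one record is the originator
    of the next), which exposes client -> resolver -> upstream forwarding."""
    chains = []
    for client in recs:
        for upstream in recs:
            if (upstream is not client
                    and upstream.orig_h == client.resp_h
                    and upstream.query == client.query
                    and 0 <= upstream.ts - client.ts <= window):
                chains.append((client, upstream))
    return chains


if __name__ == "__main__":
    pkts = parse_tcpdump(TCPDUMP_LINES)
    recs = parse_dns_log(DNS_LOG_LINES)
    for key, rec in match_queries(pkts, recs).items():
        print(key, "->", "missing" if rec is None else f"logged ts={rec.ts} answers={rec.answers}")
    for client, upstream in forwarding_chains(recs):
        print(f"{client.orig_h} -> {client.resp_h} -> {upstream.resp_h} for {client.query}")
```

Run against the two posted lines, the client's query (10.10.189.40:36221, txid 58059) resolves to the second dns.log record, whose timestamp is the tcpdump query time down to the microsecond, and the resolver's own lookup to 10.85.30.71 chains off it as the upstream leg. A query that shows up in the unmatched list is the case that would actually need the broctl/script and interface questions above answered.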