[Bro] DNS query logging

anthony kasza anthony.kasza at gmail.com
Wed Sep 11 18:28:20 PDT 2013


*on the DNS server at 10.10.189.225


On Wed, Sep 11, 2013 at 6:27 PM, anthony kasza <anthony.kasza at gmail.com> wrote:

> Are you using broctl or the bro binary?
> What scripts do you have loaded that affect DNS and DNS logging?
> Are you running against live traffic or a trace file? If on live traffic,
> I assume you're running Bro on the DNS server at 10.85.30.71, are inbound
> client queries+responses and outbound upstream queries+responses happening
> on the same interface?
>
> -AK
>
>
> On Wed, Sep 11, 2013 at 3:53 PM, Jeremy Hoel <jthoel at gmail.com> wrote:
>
>> So I'm testing out bro for a limited use on recording dns queries and
>> responses.  I have the logs coming in and that's great, but I don't
>> think I'm not seeing all the dns traffic.
>>
>> Example:
>>
>> via tcpdump with a BPF for just a client I get:
>>
>> 22:44:26.342201 IP 10.10.189.40.36221 > 10.10.189.225.53: 58059+ A? nike.com. (26)
>> 22:44:26.412863 IP 10.10.189.225.53 > 10.10.189.40.36221: 58059 1/0/0 A 66.54.56.30 (42)
>>
>> That makes sense.. request, and reply.
>>
>> Yet in the dns.log I see
>>
>> 1378939466.342353 10.10.189.225 64592 10.85.30.71 53 udp 11033 nike.com 0 NOERROR F T T 66.54.56.30
>> 1378939466.342201 10.10.189.40 36221 10.10.189.225 53 udp 58059 nike.com 0 NOERROR F T T 66.54.56.30
>>
>> which shows the dns server talking to its upstream server (expected)
>> and then issues the answer to the client, but the original request
>> isn't in the dns log.
>>
>> So assuming you get a response back from an upstream server, you can
>> infer that the original requester was the second entry, but I was
>> expecting to see an entry for the actual request to the 189.225
>> server.
>>
>> Or am I not understanding something right?  I could probably look at
>> the conn.log, but I am trying to just log the dns request, so I have
>> conn.log turned off.
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
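Added example for the thread above (not code from the list or from the Bro project): each dns.log line is one query/response pair and its ts is the query time, which is why the second line's timestamp (1378939466.342201) equals the tcpdump request time. The script below parses the two posted lines and links the client query to the resolver's upstream query; the column layout is assumed from the sample, not the full default dns.log header, and the 2-second pairing window is an assumption.

```python
from collections import defaultdict

# Assumed column order matching the thread's trimmed sample; a real dns.log
# has more columns (uid, qclass, qtype, RA, Z, TTLs, ...), so adjust FIELDS.
FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "trans_id",
          "query", "rcode", "rcode_name", "AA", "TC", "RD", "answers"]

# Constructed sample: the two dns.log lines quoted in the thread.
SAMPLE = """\
1378939466.342353 10.10.189.225 64592 10.85.30.71 53 udp 11033 nike.com 0 NOERROR F T T 66.54.56.30
1378939466.342201 10.10.189.40 36221 10.10.189.225 53 udp 58059 nike.com 0 NOERROR F T T 66.54.56.30
"""

def parse(text):
    """Turn whitespace-separated dns.log lines into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        vals = line.split()
        if len(vals) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns: {line!r}")
        rec = dict(zip(FIELDS, vals))
        rec["ts"] = float(rec["ts"])
        rec["answers"] = rec["answers"].split(",")
        rows.append(rec)
    return rows

def chain_hops(rows, window=2.0):
    """Link a client query to the upstream query the resolver made for it.

    A hop is a record for the same name whose orig_h is the client record's
    resp_h, issued within `window` seconds after the client query, carrying
    the same answers. Returns (client, resolver, upstream, name) tuples.
    """
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["query"]].append(r)
    chains = []
    for r in rows:
        for up in by_name[r["query"]]:
            if up is r or up["orig_h"] != r["resp_h"]:
                continue
            if 0 <= up["ts"] - r["ts"] <= window and up["answers"] == r["answers"]:
                chains.append((r["orig_h"], r["resp_h"], up["resp_h"], r["query"]))
    return chains

if __name__ == "__main__":
    for client, resolver, upstream, name in chain_hops(parse(SAMPLE)):
        print(f"{client} -> {resolver} -> {upstream} for {name}")
```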