Fwd: BIND and Windows DNS logging and archiving

Mick Lee lmick5455 at gmail.com
Tue Aug 15 16:29:51 UTC 2017


Forgot to CC the list.

---------- Forwarded message ----------
From: Mick Lee <lmick5455 at gmail.com>
Date: Sat, Aug 12, 2017 at 6:55 PM
Subject: Re: BIND and Windows DNS logging and archiving
To: Phil Mayers <p.mayers at imperial.ac.uk>


Thanks,

I checked and it doesn't look like dnscap would work with little change :(
 Anyway, my colleague has now implemented a similar tool called
dns-activity-logger.

I mention it here since it does DNS response logging, specifically for IP
addresses.  You get output similar to BIND query logging for responses too:

# Response logging is like query logging, but you get rcode, ans-count,
# auth-count, add-count and a space separated list of IP's from the answer
# section if any
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189

It streams Syslog messages out in real-time over TCP, supports
auto-failover in case one Syslog server goes down, and buffers in memory so
it doesn't require any disk I/O.

My initial use case was Windows, but after seeing the response logging I
think I will disable BIND query logging and just use this.

He's willing to make it available to the general public if there is any
interest.

Cheers

Mick

On Sun, Jul 23, 2017 at 5:15 PM, Phil Mayers <p.mayers at imperial.ac.uk>
wrote:

> On 23/07/2017 15:16, Mick Lee wrote:
>
>> I have a colleague who has said he has parts of a PCAP to BIND query log
>> agent that runs on UNIX platforms, and he is happy to port that to Windows
>> for me - he's actually working on it now (for a few beers :) ).
>>
>
> dnscap basically does the same thing. No idea how easy it would be to run
> under Windows.
>
> Absent changes to the resolving setup, I think that a capture/tap is
> probably your only realistic option.
>
> Depending on your architecture (physical, virtual, topology) the tap could
> live on another box, if all you need is to know that server A made a query
> for badzone B.
>
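As an added example (not part of the thread and not dns-activity-logger's own code), the following Python parses lines in the format shown in Mick's sample output and does what Phil's reply asks for: tell which client resolved which name to which address. The field layout (`client IP#port: query|response: name class type flags (server) [rcode ans auth add: ip ...]`) is inferred from the four sample lines; the NXDOMAIN pair in the sample data is constructed and assumes an empty address list after the colon. The `own_addrs` parameter is this example's idea, not a tool feature: it drops the resolver's own upstream traffic (192.168.1.200 asking 192.168.1.1) so hits are attributed to the real end host and not to dns01 itself.

```python
"""Parse dns-activity-logger style query/response lines and attribute
resolved IPs to the clients that asked for them.

Example code added to this thread; the line format is inferred from the
samples in the post, not from tool documentation."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# One regex covers both kinds of line; the trailing group exists only on responses.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"dns-activity-logger\[(?P<pid>\d+)\]: "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): (?P<kind>query|response): "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
    r"(?: (?P<rcode>[A-Z]+) (?P<ans>\d+) (?P<auth>\d+) (?P<add>\d+):(?P<ips>.*))?$"
)

# First four lines are the ones from the post (unwrapped); the last two are
# constructed to exercise an NXDOMAIN response with no addresses after the colon.
SAMPLE_LINES = [
    "Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)",
    "Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)",
    "Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189",
    "Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189",
    "Aug 12 17:48:02 dns01 dns-activity-logger[6476]: client 192.168.1.13#53011: query: doesnotexist.example IN A + (192.168.1.200)",
    "Aug 12 17:48:02 dns01 dns-activity-logger[6476]: client 192.168.1.13#53011: response: doesnotexist.example IN A + (192.168.1.200) NXDOMAIN 0 1 0:",
]


@dataclass(frozen=True)
class Record:
    ts: str
    client: str
    port: int
    kind: str                   # "query" or "response"
    qname: str                  # normalised: lower-case, no trailing dot
    qtype: str
    server: str                 # address the query was sent to (the resolver, or its upstream)
    rcode: Optional[str] = None
    ans: int = 0                # answer-section RR count; can exceed len(ips) because CNAMEs are not listed
    auth: int = 0
    add: int = 0
    ips: Tuple[str, ...] = ()   # address RRs from the answer section, if any


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a query or response line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ips = tuple(m["ips"].split()) if m["ips"] else ()
    return Record(
        ts=m["ts"], client=m["client"], port=int(m["port"]), kind=m["kind"],
        qname=m["qname"].rstrip(".").lower(), qtype=m["qtype"], server=m["server"],
        rcode=m["rcode"], ans=int(m["ans"] or 0), auth=int(m["auth"] or 0),
        add=int(m["add"] or 0), ips=ips,
    )


def resolutions(lines: Iterable[str], own_addrs: Set[str] = frozenset()) -> Dict[Tuple[str, str], Set[str]]:
    """Map (client, qname) -> set of addresses that client was handed.
    Responses whose client is one of own_addrs (the resolver talking to its
    upstream) are skipped so the resolver is not mistaken for an end host."""
    out: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.kind != "response" or rec.client in own_addrs:
            continue
        out[(rec.client, rec.qname)].update(rec.ips)
    return dict(out)


def clients_that_resolved(lines: Iterable[str], bad_ips: Iterable[str],
                          own_addrs: Set[str] = frozenset()) -> List[Tuple[str, str, str]]:
    """Sorted (client, qname, ip) triples whose answer contained a watch-listed address."""
    watch = set(bad_ips)
    hits = set()
    for (client, qname), ips in resolutions(lines, own_addrs).items():
        for ip in ips & watch:
            hits.add((client, qname, ip))
    return sorted(hits)


def nxdomain_counts(lines: Iterable[str], own_addrs: Set[str] = frozenset()) -> Dict[str, int]:
    """Per-client count of NXDOMAIN responses, a cheap first cut at spotting DGA-style lookups."""
    counts: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.kind == "response" and rec.rcode == "NXDOMAIN" and rec.client not in own_addrs:
            counts[rec.client] += 1
    return dict(counts)


if __name__ == "__main__":
    resolver = {"192.168.1.200"}  # dns01's own address, so its upstream queries are ignored
    for hit in clients_that_resolved(SAMPLE_LINES, {"23.198.68.189"}, resolver):
        print("hit:", hit)
    print("nxdomain per client:", nxdomain_counts(SAMPLE_LINES, resolver))
```

Note the third sample line: ans-count is 4 but only one address is listed, because the answer section also carried CNAME records that the tool does not print. Do not treat `len(ips) == ans` as an invariant when building detections on this output.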