<div dir="ltr"><div>Forgot to CC the list.</div><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Mick Lee</b> <span dir="ltr"><<a href="mailto:lmick5455@gmail.com">lmick5455@gmail.com</a>></span><br>Date: Sat, Aug 12, 2017 at 6:55 PM<br>Subject: Re: BIND and Windows DNS logging and archiving<br>To: Phil Mayers <<a href="mailto:p.mayers@imperial.ac.uk">p.mayers@imperial.ac.uk</a>><br><br><br><div dir="ltr">Thanks,<div><br></div><div>I checked and it doesn't look like dnscap would work with little change :( Anyway, my colleague has now implemented a similar tool called dns-activity-logger.<div><br></div><div>I mention it here since it does DNS response logging, specifically for IP addresses. You get output similar to BIND query logging for responses too:</div><div><br></div><div># Response logging is like query logging, but you get rcode, ans-count, auth-count, add-count and a space-separated list of IPs from the answer section, if any</div><div><div>Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)</div><div>Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)</div><div>Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189</div><div>Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189</div><div><br></div><div>It streams Syslog messages out in real-time over TCP, supports auto-failover in case one Syslog server goes down, and buffers in memory so it doesn't require any disk 
I/O.</div><div><br></div><div>My initial use case was Windows, but after seeing the response logging I think I will disable BIND query logging and just use this.</div><div><br></div><div>He's willing to make it available to the general public if there is any interest.</div><div><br></div><div>Cheers</div><div><br></div><div>Mick</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jul 23, 2017 at 5:15 PM, Phil Mayers <span dir="ltr"><<a href="mailto:p.mayers@imperial.ac.uk" target="_blank">p.mayers@imperial.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 23/07/2017 15:16, Mick Lee wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have a colleague who has said he has parts of a PCAP to BIND query log agent that runs on UNIX platforms, and he is happy to port that to Windows for me - he's actually working on it now (for a few beers :) ).<br>
</blockquote>
<br>
dnscap basically does the same thing. No idea how easy it would be to run under Windows.<br>
<br>
Absent changes to the resolving setup, I think that a capture/tap is probably your only realistic option.<br>
<br>
Depending on your architecture (physical, virtual, topology) the tap could live on another box, if all you need is to know that server A made a query for badzone B.<br>
</blockquote></div><br></div></div></div>
</div><br></div>
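The value of the response lines Mick quotes is that a defender can finally answer "which client received which IP for which name", not just "who asked". The following is an added example, not code from dns-activity-logger or from anyone in the thread: a small parser for the line layout inferred from the four sample lines above (the meaning of each field, and the assumption that the answer-IP list follows the colon after the three counts, is taken from those samples only), plus a pairing of each response with its query and an index from answer IP to the clients that got it. The two NXDOMAIN lines in the sample input are constructed to show the empty-answer case.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the four lines quoted in the thread, followed by a
# constructed query/response pair for a non-existent name (NXDOMAIN) written
# in the same layout, with nothing after the colon because ans-count is 0.
SAMPLE_LOG = """\
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
Aug 12 17:47:26 dns01 dns-activity-logger[6476]: client 192.168.1.13#61836: query: nosuchname.example IN A + (192.168.1.200)
Aug 12 17:47:26 dns01 dns-activity-logger[6476]: client 192.168.1.13#61836: response: nosuchname.example IN A + (192.168.1.200) NXDOMAIN 0 1 0:
"""

# Line layout as inferred from the samples (an assumption about the tool's format):
#   <syslog ts> <host> dns-activity-logger[<pid>]: client <ip>#<port>: query|response:
#   <qname> <class> <type> <flags> (<address>) [<rcode> <ans> <auth> <add>: <ip ip ...>]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) dns-activity-logger\[\d+\]: "
    r"client (?P<client_ip>[^#\s]+)#(?P<client_port>\d+): "
    r"(?P<kind>query|response): (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^)]+)\)"
    r"(?: (?P<rcode>[A-Z]+) (?P<ans>\d+) (?P<auth>\d+) (?P<add>\d+):(?P<answers>.*))?$"
)


@dataclass(frozen=True)
class Record:
    ts: str
    host: str
    client_ip: str
    client_port: int
    kind: str                      # "query" or "response"
    qname: str
    qtype: str
    server: str                    # the address shown in parentheses
    rcode: Optional[str] = None    # the fields below are only set on responses
    counts: Optional[Tuple[int, int, int]] = None   # (ans-count, auth-count, add-count)
    answers: Tuple[str, ...] = ()  # IPs from the answer section


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for one log line, or None for comments and unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    counts = None
    if g["rcode"] is not None:
        counts = (int(g["ans"]), int(g["auth"]), int(g["add"]))
    return Record(
        ts=g["ts"], host=g["host"], client_ip=g["client_ip"],
        client_port=int(g["client_port"]), kind=g["kind"], qname=g["qname"],
        qtype=g["qtype"], server=g["server"], rcode=g["rcode"], counts=counts,
        answers=tuple((g["answers"] or "").split()),
    )


def parse_log(text: str) -> List[Record]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def pair_responses(records: List[Record]):
    """Match each response to the latest query with the same client socket, name and type.
    Queries that never got a response are returned separately; they are worth a look."""
    pending: Dict[Tuple[str, int, str, str], Record] = {}
    pairs: List[Tuple[Record, Record]] = []
    for r in records:
        key = (r.client_ip, r.client_port, r.qname, r.qtype)
        if r.kind == "query":
            pending[key] = r
        elif key in pending:
            pairs.append((pending.pop(key), r))
    return pairs, list(pending.values())


def answer_index(records: List[Record]) -> Dict[str, List[str]]:
    """Map each answer IP to the sorted list of clients that received it in a response."""
    seen = defaultdict(set)
    for r in records:
        if r.kind == "response":
            for ip in r.answers:
                seen[ip].add(r.client_ip)
    key = lambda a: (ipaddress.ip_address(a).version, ipaddress.ip_address(a))
    return {ip: sorted(clients, key=key) for ip, clients in seen.items()}


def failed_lookups(records: List[Record]) -> List[Record]:
    """Responses with no usable answer: a non-NOERROR rcode or an empty answer section."""
    return [r for r in records
            if r.kind == "response" and (r.rcode != "NOERROR" or r.counts[0] == 0)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    pairs, unanswered = pair_responses(recs)
    for q, a in pairs:
        print(f"{q.client_ip}#{q.client_port} {q.qname}/{q.qtype} -> {a.rcode} {list(a.answers)}")
    print("unanswered:", [(q.client_ip, q.qname) for q in unanswered])
    print("who resolved what:", answer_index(recs))
    print("failed:", [(r.client_ip, r.qname, r.rcode) for r in failed_lookups(recs)])
```

Pairing on client address, port, name and type is enough for the sample because the forwarder's own upstream query (client 192.168.1.200#61285 to 192.168.1.1) and the end client's query (192.168.1.13#61835 to 192.168.1.200) land on different keys; on a busy resolver a matching rule should also bound the time between query and response so that a reused source port does not pair unrelated lines.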