PaulDotCom mailing list archives

Re: DNS Query capture and analysis


From: Harri Sylvander <harri () sylvander net>
Date: Mon, 27 May 2013 22:09:26 +0400

Hey Tim,

On 2013-05-27, at 05:53 , Tim Parker <timparkersec () gmail com> wrote:
What's the best way to capture and analyze DNS queries and responses on my LAN?  Are there any good tools out there 
for this?  I can run a full capture on the WAN interface, but then what's good for automating the extraction of the 
DNS traffic?


I'll go for the default "it depends" answer and then qualify that. Are you looking to capture queries and responses or 
queries, responses and who asked? If you're not too concerned with who's asking and when exactly something was asked 
for, but rather a general "what IP was associated with this FQDN in the past" type of deal, then I suggest you take a 
look at passive DNS.

ISC, the makers of BIND & al, have released the source to their implementation. Take a look here for more details:

    https://sie.isc.org/Passive_DNS/

The more traffic your caching resolvers get, the more interesting stuff you might be able to pull out from the pDNS 
data. YMMV, but I urge you to take a peek if you haven't done so in the past.



Cheers,

Harri

--
Harri Sylvander
harri () sylvander net
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
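Harri's suggestion boils down to keeping the answers your resolvers hand out and indexing them by owner name and record data, with first-seen and last-seen timestamps, so you can later ask "what did this FQDN point at, and when" or "which names ever resolved to this address". The Python below is an added example, not Harri's code and not ISC's passive DNS implementation: it parses raw DNS response messages (including RFC 1035 compressed names) into a small in-memory pDNS table and queries it in both directions. The sample messages, the hostnames under example.test and the addresses are constructed from documentation ranges; in practice you would feed it the DNS payloads extracted from the WAN capture Tim mentions.

```python
import struct
import ipaddress

RRTYPES = {1: "A", 5: "CNAME", 28: "AAAA"}


def _read_name(msg, off):
    """Decode a DNS name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted lowercase name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                # stream resumes after the first pointer
            hops += 1
            if hops > 32:                    # refuse pointer loops in hostile data
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if end is not None else off)


def parse_response(msg):
    """Return [(owner, rrtype, rdata)] from the answer section of one DNS message.
    Queries (QR bit clear) carry no resolution data and yield []."""
    _txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if not flags & 0x8000:
        return []
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype == 5:
            value, _ = _read_name(msg, off)  # CNAME target may itself be compressed
        else:
            value = rdata.hex()
        records.append((owner, RRTYPES.get(rtype, str(rtype)), value))
        off += rdlen
    return records


class PassiveDNS:
    """pDNS store keyed by (owner, rrtype, rdata) with first/last seen and a hit count."""

    def __init__(self):
        self.db = {}

    def observe(self, msg, ts):
        for key in parse_response(msg):
            e = self.db.setdefault(key, {"first_seen": ts, "last_seen": ts, "count": 0})
            e["first_seen"] = min(e["first_seen"], ts)
            e["last_seen"] = max(e["last_seen"], ts)
            e["count"] += 1

    def lookup(self, name):
        """What has this name resolved to, and when?"""
        return sorted((k[1], k[2], v["first_seen"], v["last_seen"], v["count"])
                      for k, v in self.db.items() if k[0] == name)

    def reverse(self, rdata):
        """Which names have pointed at this address (or CNAME target)?"""
        return sorted((k[0], v["first_seen"], v["last_seen"])
                      for k, v in self.db.items() if k[2] == rdata)


# ---- constructed sample traffic (hypothetical, not a real capture) ----------------
def _encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Build a minimal response to an A question; answers are (owner, rtype, value).
    Owners equal to qname use a compression pointer to offset 12, as real resolvers do."""
    out = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    out += _encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, value in answers:
        if rtype == 1:
            rdata = ipaddress.IPv4Address(value).packed
        elif rtype == 28:
            rdata = ipaddress.IPv6Address(value).packed
        else:
            rdata = _encode_name(value)
        out += b"\xc0\x0c" if owner == qname else _encode_name(owner)
        out += struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return out


SAMPLE = [  # (epoch seconds, message); names and addresses are documentation values
    (1369680000, build_response("www.example.test", [("www.example.test", 5, "edge.example.test"),
                                                     ("edge.example.test", 1, "192.0.2.10")])),
    (1369683600, build_response("www.example.test", [("www.example.test", 5, "edge.example.test"),
                                                     ("edge.example.test", 1, "192.0.2.10")])),
    (1369690000, build_response("www.example.test", [("www.example.test", 1, "203.0.113.7")])),
    (1369690100, build_response("mail.example.test", [("mail.example.test", 28, "2001:db8::25")])),
]


def build_pdns(sample=SAMPLE):
    pdns = PassiveDNS()
    for ts, msg in sample:
        pdns.observe(msg, ts)
    return pdns


if __name__ == "__main__":
    db = build_pdns()
    for row in db.lookup("www.example.test"):
        print("www.example.test", *row)
    print("192.0.2.10 <-", db.reverse("192.0.2.10"))
```

The history is the point: after the third message `www.example.test` has both the old CNAME chain and the new direct A record in the table, each with its own time window, which is exactly the "what was this FQDN associated with in the past" view Harri describes. Only responses are recorded (the QR bit is checked), and the name decoder caps pointer hops so a malformed packet cannot loop the parser.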

