BIND and Windows DNS logging and archiving

Mick Lee lmick5455 at gmail.com
Wed Apr 11 21:37:36 UTC 2018


Hi All,

Some time ago I posted about capturing DNS activity (queries and responses)
for both BIND and Windows DNS, and my colleague had a tool which he ported
to Windows for me.  This tool is called dns-logger.

His company, NoSpaceships, has just released the dns-logger product,
available free for anyone to use.

It currently supports JSON and ISC BIND formatted Syslog based messages
(and also includes responses).  They have indicated they look to support
dnstap as an output format too (useful if you are not running BIND).

This may be a little off-topic, but I thought I would post anyway since I
am finding it quite useful.

Hopefully someone will find this useful.

Mick

On Tue, Aug 15, 2017 at 5:29 PM, Mick Lee <lmick5455 at gmail.com> wrote:

> Forgot to CC the list.
>
> ---------- Forwarded message ----------
> From: Mick Lee <lmick5455 at gmail.com>
> Date: Sat, Aug 12, 2017 at 6:55 PM
> Subject: Re: BIND and Windows DNS logging and archiving
> To: Phil Mayers <p.mayers at imperial.ac.uk>
>
>
> Thanks,
>
> I checked and it doesn't look like dnscap would work with little change :(
>  Anyway, my colleague has now implemented a similar tool called
> dns-activity-logger.
>
> I mention it here since it does DNS response logging, specifically for IP
> addresses.  You get output similar to BIND query logging for responses too:
>
> # Response logging is like query logging, but you get rcode, ans-count,
> auth-count, add-count and a space-separated list of IPs from the answer
> section if any
> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
> Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
>
> It streams Syslog messages out in real-time over TCP, supports
> auto-failover in case one Syslog server goes down, and buffers in memory so
> it doesn't require any disk I/O.
>
> My initial use case was Windows, but after seeing the response logging I
> think I will disable BIND query logging and just use this.
>
> He's willing to make it available to the general public if there is any
> interest.
>
> Cheers
>
> Mick
>
> On Sun, Jul 23, 2017 at 5:15 PM, Phil Mayers <p.mayers at imperial.ac.uk>
> wrote:
>
>> On 23/07/2017 15:16, Mick Lee wrote:
>>
>>> I have a colleague who has said he has parts of a PCAP-to-BIND-query-log
>>> agent that runs on UNIX platforms, and he is happy to port that to
>>> Windows for me - he's actually working on it now (for a few beers :) ).
>>>
>>
>> dnscap basically does the same thing. No idea how easy it would be to run
>> under Windows.
>>
>> Absent changes to the resolving setup, I think that a capture/tap is
>> probably your only realistic option.
>>
>> Depending on your architecture (physical, virtual, topology) the tap
>> could live on another box, if all you need is to know that server A made a
>> query for badzone B.
>>
>
>
>
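The value of the response lines above is that, for the first time, the log ties the answer IPs to the client that asked, and it also records the resolver's own upstream recursion (the second query/response pair, where the "client" is dns01's own address 192.168.1.200 talking to 192.168.1.1). The following is an added example, not code from dns-activity-logger, dns-logger or NoSpaceships: a small parser for the line format inferred from the four sample lines, a correlator that pairs each response with its query on (client, port, qname, class, type), and a check that flags answers falling inside a watch-listed network. The sample log is the four lines from the post unwrapped; the watch-list CIDR and the set of "local" resolver addresses are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input: the four lines from the post, unwrapped onto one line each.
SAMPLE_LOG = """\
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: query: www.apple.com IN A + (192.168.1.200)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: query: www.apple.com IN A + (192.168.1.1)
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.200#61285: response: www.apple.com IN A + (192.168.1.1) NOERROR 4 0 1: 23.198.68.189
Aug 12 17:47:25 dns01 dns-activity-logger[6476]: client 192.168.1.13#61835: response: www.apple.com IN A + (192.168.1.200) NOERROR 4 0 0: 23.198.68.189
"""

# Field layout inferred from the sample lines (an assumption, not the tool's documented grammar):
# <syslog ts> <host> <prog>[<pid>]: client <addr>#<port>: query|response: <qname> <class> <type> <flags> (<server>)
# and, for responses only:           <rcode> <ans-count> <auth-count> <add-count>: <answer IPs...>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: "
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): (?P<kind>query|response): "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[0-9a-fA-F.:]+)\)"
    r"(?: (?P<rcode>\S+) (?P<ans>\d+) (?P<auth>\d+) (?P<add>\d+):(?P<answers>(?: \S+)*))?$"
)


@dataclass
class DnsEvent:
    ts: str
    client: str
    port: int
    kind: str                      # "query" or "response"
    qname: str                     # lower-cased; DNS names compare case-insensitively
    qclass: str
    qtype: str
    flags: str                     # BIND-style query flags, e.g. "+" = recursion desired
    server: str                    # address the query was sent to, as in BIND's query log
    rcode: Optional[str] = None
    counts: Optional[Tuple[int, int, int]] = None   # (answer, authority, additional) RR counts
    answers: List[str] = field(default_factory=list)  # only the address RRs; a CNAME chain explains ans-count > len(answers)

    @property
    def key(self) -> tuple:
        return (self.client, self.port, self.qname, self.qclass, self.qtype)


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one logger line; return None for anything not in this format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = DnsEvent(
        ts=m["ts"], client=m["client"], port=int(m["port"]), kind=m["kind"],
        qname=m["qname"].lower(), qclass=m["qclass"], qtype=m["qtype"],
        flags=m["flags"], server=m["server"],
    )
    if m["rcode"] is not None:
        ev.rcode = m["rcode"]
        ev.counts = (int(m["ans"]), int(m["auth"]), int(m["add"]))
        ev.answers = m["answers"].split()   # empty list for NXDOMAIN/SERVFAIL-style responses
    return ev


def correlate(lines: Iterable[str]) -> Tuple[List[Tuple[DnsEvent, DnsEvent]], List[DnsEvent]]:
    """Pair each response with the most recent unanswered query sharing its key.
    Returns (pairs, unmatched) so responses without a query are not silently lost."""
    pending: Dict[tuple, List[DnsEvent]] = {}
    pairs: List[Tuple[DnsEvent, DnsEvent]] = []
    unmatched: List[DnsEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "query":
            pending.setdefault(ev.key, []).append(ev)
        elif pending.get(ev.key):
            pairs.append((pending[ev.key].pop(), ev))
        else:
            unmatched.append(ev)
    for leftovers in pending.values():
        unmatched.extend(leftovers)
    return pairs, unmatched


def classify(pair: Tuple[DnsEvent, DnsEvent], local_addrs: Iterable[str]) -> str:
    """'upstream' when the asking address is the resolver itself (its own recursion
    to a forwarder, as in the second pair of the sample), otherwise 'client'."""
    query, _ = pair
    return "upstream" if query.client in set(local_addrs) else "client"


def flag_answers(pairs: Iterable[Tuple[DnsEvent, DnsEvent]],
                 watch_networks: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client, qname, ip) for every answer address inside a watched network.
    watch_networks is an iterable of CIDR strings (constructed example input)."""
    nets = [ipaddress.ip_network(n) for n in watch_networks]
    hits = []
    for query, resp in pairs:
        for ip in resp.answers:
            if any(ipaddress.ip_address(ip) in n for n in nets):
                hits.append((query.client, resp.qname, ip))
    return hits


if __name__ == "__main__":
    pairs, unmatched = correlate(SAMPLE_LOG.splitlines())
    for pair in pairs:
        q, r = pair
        print(classify(pair, {"192.168.1.200"}), q.client, r.qname, r.rcode, r.counts, r.answers)
    print("unmatched:", len(unmatched))
    print("watch-list hits:", flag_answers(pairs, ["23.198.0.0/16"]))
```

Keying the correlation on the client port as well as the name and type is what keeps the two pairs in the sample apart even though they share qname, type and timestamp; without the port, the resolver's upstream lookup would be attributed to the end client.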


More information about the bind-users mailing list