I am getting lots of these IPS rule alerts:
Message........: INDICATOR-COMPROMISE Suspicious .pw dns query
Details........: www.snort.org/.../28039
Time...........: 2014-03-31 09:24:21
Packet dropped.: yes
Priority.......: high
Classification.: A Network Trojan was detected
IP protocol....: 17 (UDP)
Source IP address: 10.10.10.100
Source port: 53358
Destination IP address: 10.10.10.1 (utm)
Destination port: 53 (domain)
We are running the UTM as a DNS proxy for all internal networks with OPENDNS servers as the forwarders.
I want to see what domains the internal clients are querying, but it appears that the DNS proxy log is not logging this data.
What is the best way to capture the DNS FQDN queries of the internal network clients?
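One way to get the per-client FQDN view the post asks for is to capture UDP/53 traffic on the internal interface and decode the question section yourself. The block below is an added example, not code from the original post or from Sophos: it parses the QNAME out of constructed DNS query payloads (the `build_query` helper and the `SAMPLE` list are assumptions used to stand in for a real capture) and flags queries whose TLD is `.pw`, the same condition the Snort rule in the alert matches on.

```python
import struct

def build_query(qname, txid=0x1234):
    """Constructed helper: minimal DNS standard query (A, IN) for qname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(payload):
    """Return (txid, qname) from a DNS query's UDP payload (plain labels only).
    Raises ValueError for responses, truncated packets or compressed names."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set (a response) or no question
        raise ValueError("not a client query")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated qname")
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointer: invalid in a client question
            raise ValueError("compressed label in question")
        pos += 1
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return txid, ".".join(labels).lower()

def query_log(packets, suspicious_tlds=("pw",)):
    """packets: iterable of (src_ip, udp_payload) -> rows of (src_ip, qname, flagged)."""
    rows = []
    for src_ip, payload in packets:
        try:
            _, qname = parse_qname(payload)
        except ValueError:
            continue  # responses and malformed packets are skipped, not logged
        rows.append((src_ip, qname, qname.rsplit(".", 1)[-1] in suspicious_tlds))
    return rows

# Constructed sample: internal clients sending queries to the UTM's DNS proxy (10.10.10.1)
SAMPLE = [
    ("10.10.10.100", build_query("update.example.pw")),
    ("10.10.10.101", build_query("www.example.com")),
    ("10.10.10.100", build_query("cdn.example.PW.")),
]
```

Feed `query_log` with (source IP, UDP payload) pairs read from a pcap of port 53 traffic and you get a per-client list of queried names, which is exactly the data the DNS proxy log does not show.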