Cool tool: [WayBack] GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup via [WayBack] How to log all my DNS queries? – Unix & Linux Stack Exchange (thanks mxmlnkn!).
It listens for DNS traffic on port 53 and logs it to a file at regular intervals, aggregating similar requests.
Usage is simple:
# passivedns -i ens32 -l /var/log/passivedns.log
[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål <edward.fjellskaal@gmail.com>
[*] Using libpcap version 1.8.1
[*] Using ldns version 1.7.0
[*] Device: ens32
[*] Sniffing...
There are more options in the docs (it can do a lot, including export to databases for querying), but this simple invocation lets you just grep the log for abusive hosts, like [WayBack] Nice when someone in Dallas using 69.162.119.78 is querying your DNS infrastructure for many permutations of domains… · GitHub
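Grepping works for a known address, but a small script makes the "many permutations of domains from one host" pattern visible without knowing the address up front. The script below is an added example, not code from the post or from the passivedns project; it assumes passivedns' default "||"-delimited log format (timestamp||client||server||class||query||type||answer||ttl||count), and the log lines in it are constructed sample data, not real captures.

```shell
#!/bin/sh
# Added example: summarise a passivedns log per client IP so that a host
# resolving many distinct names stands out.
# Assumed record layout (passivedns default, "||" separated):
#   timestamp||client||server||class||query||type||answer||ttl||count
# The sample log below is constructed for this example.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1322849924.408856||10.1.1.1||10.1.1.53||IN||www.example.com.||A||192.0.2.10||300||5
1322849925.100000||10.1.1.1||10.1.1.53||IN||mail.example.com.||A||192.0.2.11||300||1
1322849926.200000||198.51.100.7||10.1.1.53||IN||a1.example.net.||A||192.0.2.20||60||1
1322849926.300000||198.51.100.7||10.1.1.53||IN||a2.example.net.||A||192.0.2.20||60||1
1322849926.400000||198.51.100.7||10.1.1.53||IN||a3.example.net.||A||192.0.2.20||60||1
1322849926.500000||198.51.100.7||10.1.1.53||IN||a4.example.net.||A||192.0.2.20||60||1
EOF

# distinct_names_per_client LOGFILE
# Prints "client<TAB>distinct_names<TAB>total_count", most distinct names first.
# Field 2 is the client, field 5 the queried name, field 9 the aggregated count.
distinct_names_per_client() {
    awk -F'[|][|]' '
        NF >= 9 {
            key = $2 SUBSEP $5
            if (!(key in seen)) { seen[key] = 1; names[$2]++ }
            total[$2] += $9
        }
        END {
            for (c in names) printf "%s\t%d\t%d\n", c, names[c], total[c]
        }' "$1" | sort -k2,2nr
}

# noisy_clients LOGFILE THRESHOLD
# Lists clients that resolved more than THRESHOLD distinct names; these are
# the candidates worth a closer look (or a rate limit) on the resolver.
noisy_clients() {
    distinct_names_per_client "$1" | awk -v t="$2" '$2 > t { print $1 }'
}

distinct_names_per_client "$SAMPLE_LOG"
noisy_clients "$SAMPLE_LOG" 3
```

Run against the real log with `distinct_names_per_client /var/log/passivedns.log`; the threshold for `noisy_clients` depends on how many names a legitimate client on your segment normally resolves between log flushes.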
Originating in 2013 ([WayBack] PassiveDNS version 1.0 | GameLinux), it is still being maintained.
It uses libpcap for sniffing, and I ran it on a separate machine hooked to a vSwitch configured in promiscuous mode so it sees all network traffic from that particular network segment.
There is a not fully up-to-date package available for various OpenSuSE releases (including Tumbleweed): [WayBack] Install package home:mnhauke:security / passivedns. It is x86_64 only, so if you want to run it on ARM, or want a more recent version, then you need to build it yourself, for instance by using this as a template: [WayBack] Show home:mnhauke:security / passivedns – openSUSE Build Service.
Next tool on my list to try: [WayBack] dnstracer(8) – Linux man page.
–jeroen