
GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup

Cool tool: [WayBack] GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup, via [WayBack] How to log all my DNS queries? – Unix & Linux Stack Exchange (thanks mxmlnkn!).

It listens on port 53 for DNS traffic, then logs it to a file at regular intervals, aggregating similar requests into one record.

Usage is simple:

# passivedns -i ens32 -l /var/log/passivedns.log

[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål <edward.fjellskaal@gmail.com>
[*] Using libpcap version 1.8.1
[*] Using ldns version 1.7.0
[*] Device: ens32
[*] Sniffing...

There are more options in the docs (it can do a lot, including export to databases for querying), but this simple invocation lets you just grep the log for abusive hosts, like [WayBack] Nice when someone in Dallas using 69.162.119.78 is querying your DNS infrastructure for many permutations of domains… · GitHub
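As an added example (not from the passivedns project or the original post): a small Python script that reads a passivedns log and flags clients that query many distinct names under the same domain, the "permutations of domains" pattern mentioned above. It assumes the default passivedns record layout of nine fields separated by "||" (timestamp, client, server, class, query, type, answer, TTL, count); the log lines are constructed, and the "last two labels" zone approximation is a simplification.

```python
from collections import defaultdict

FIELD_SEP = "||"  # assumed passivedns field separator

# Constructed sample records; 192.0.2.77 hammers example.com with many names,
# 192.0.2.10 looks like an ordinary client, and one line is deliberately malformed.
SAMPLE_LOG = """\
1700000000.100||192.0.2.10||198.51.100.53||IN||www.example.com.||A||203.0.113.7||300||4
1700000000.200||192.0.2.10||198.51.100.53||IN||mail.example.com.||A||203.0.113.8||300||1
1700000001.300||192.0.2.77||198.51.100.53||IN||ns1.example.com.||A||203.0.113.9||60||1
1700000001.400||192.0.2.77||198.51.100.53||IN||ns2.example.com.||A||203.0.113.9||60||1
1700000001.500||192.0.2.77||198.51.100.53||IN||ftp.example.com.||A||203.0.113.9||60||1
1700000001.600||192.0.2.77||198.51.100.53||IN||dev.example.com.||A||203.0.113.9||60||1
1700000001.700||192.0.2.77||198.51.100.53||IN||vpn.example.com.||A||203.0.113.9||60||1
1700000001.800||192.0.2.77||198.51.100.53||IN||admin.example.com.||A||203.0.113.9||60||1
this line is garbage and must be skipped
"""


def parse_line(line):
    """Split one passivedns record into a dict; return None for malformed lines."""
    parts = line.rstrip("\n").split(FIELD_SEP)
    if len(parts) != 9:
        return None
    ts, client, server, rr_class, query, rr_type, answer, ttl, count = parts
    return {"ts": float(ts), "client": client, "server": server, "class": rr_class,
            "query": query.rstrip(".").lower(), "type": rr_type, "answer": answer,
            "ttl": int(ttl), "count": int(count)}


def base_domain(name):
    """Crude zone approximation: keep the last two labels (no public-suffix list)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def permutation_hunters(lines, threshold=5):
    """Return {(client, base_domain): distinct_names} for pairs at or above threshold."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        seen[(rec["client"], base_domain(rec["query"]))].add(rec["query"])
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for (client, zone), n in permutation_hunters(SAMPLE_LOG.splitlines()).items():
        print(f"{client} queried {n} distinct names under {zone}")
```

Point it at the real log with `permutation_hunters(open("/var/log/passivedns.log"))` and tune the threshold to your segment's normal traffic.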

Originating in 2013 ([WayBack] PassiveDNS version 1.0 | GameLinux), it is still being maintained.

It uses libpcap for sniffing, and I ran it on a separate machine hooked to a vSwitch configured in promiscuous mode so it sees all network traffic from that particular network segment.

There is a not fully up-to-date package available for various OpenSuSE releases (including Tumbleweed): [WayBack] Install package home:mnhauke:security / passivedns. It is x86_64 only, so if you want to run it on ARM, or want a more recent version, you need to build it yourself, for instance by using this as a template: [WayBack] Show home:mnhauke:security / passivedns – openSUSE Build Service.

Next tool on my list to try: [WayBack] dnstracer(8) – Linux man page.

–jeroen
