The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup

Posted by jpluimers on 2020/07/15

Cool tool: [WayBack] GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup, via [WayBack] How to log all my DNS queries? – Unix & Linux Stack Exchange (thanks mxmlnkn!).

It sniffs DNS traffic on port 53 and logs the replies to a file at regular intervals, aggregating similar requests into one record.

Usage is simple:

# passivedns -i ens32 -l /var/log/passivedns.log

[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål <edward.fjellskaal@gmail.com>
[*] Using libpcap version 1.8.1
[*] Using ldns version 1.7.0
[*] Device: ens32
[*] Sniffing...

There are more options in the docs (it can do a lot, including exporting to databases for querying), but this simple invocation lets you just grep the log for abusive hosts, like in [WayBack] Nice when someone in Dallas using 69.162.119.78 is querying your DNS infrastructure for many permutations of domains… · GitHub
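Beyond grep, a few lines of Python turn the log into a per-client picture of who is querying many different names, which is what the "many permutations of domains" case above looks like. This is an added example, not code from the original post or the passivedns project; the "||"-separated record layout (timestamp, client, server, class, query, type, answer, TTL, count) is assumed from the passivedns README, and the log lines are constructed sample data.

```python
from collections import defaultdict
from typing import NamedTuple, Optional
# Added example, not from the original post or the passivedns project.
# The '||'-separated layout (ts, client, server, class, query, type, answer,
# ttl, count) is assumed from the passivedns README; sample lines are constructed.

class DnsRecord(NamedTuple):
    ts: float
    client: str
    server: str
    rr_class: str
    query: str
    rr_type: str
    answer: str
    ttl: int
    count: int

def parse_line(line: str) -> Optional[DnsRecord]:
    """Parse one passivedns log line; return None for malformed lines."""
    fields = line.strip().split("||")
    if len(fields) != 9:
        return None
    ts, client, server, rr_class, query, rr_type, answer, ttl, count = fields
    try:
        return DnsRecord(float(ts), client, server, rr_class, query.lower(),
                         rr_type, answer, int(ttl), int(count))
    except ValueError:
        return None

def noisy_clients(lines, min_distinct_names=3):
    """Map client IP -> number of distinct names queried, keeping only clients
    at or above the threshold (candidates for hostname-permutation probing)."""
    names = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            names[rec.client].add(rec.query)
    return {c: len(n) for c, n in names.items() if len(n) >= min_distinct_names}

# Constructed sample log: two clients, one malformed line, one case variant.
SAMPLE_LOG = """\
1594800000.123456||192.0.2.10||198.51.100.53||IN||example.com.||A||203.0.113.5||3600||2
1594800001.000001||192.0.2.10||198.51.100.53||IN||www.example.com.||A||203.0.113.5||3600||1
1594800002.500000||192.0.2.77||198.51.100.53||IN||mail.example.com.||A||203.0.113.9||300||1
1594800003.000000||192.0.2.77||198.51.100.53||IN||ftp.example.com.||A||203.0.113.9||300||1
1594800003.200000||192.0.2.77||198.51.100.53||IN||webmail.example.com.||A||203.0.113.9||300||1
this line is garbage
1594800004.000000||192.0.2.77||198.51.100.53||IN||FTP.example.com.||A||203.0.113.9||300||1
"""
```

Feed `noisy_clients(open("/var/log/passivedns.log"))` a real log and it returns only the clients that exceed the threshold; names are lowercased first so case variants of the same label are not counted twice.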

Originating in 2013 ([WayBack] PassiveDNS version 1.0 | GameLinux), it is still being maintained.

It uses libpcap for sniffing, and I ran it on a separate machine hooked to a vSwitch configured in promiscuous mode so it sees all network traffic from that particular network segment.

There is a package, not fully up to date, available for various OpenSuSE releases (including Tumbleweed): [WayBack] Install package home:mnhauke:security / passivedns. It is x86_64 only, so if you want to run it on ARM, or want a more recent version, you need to build it yourself, for instance by using this as a template: [WayBack] Show home:mnhauke:security / passivedns – openSUSE Build Service.

Next tool on my list to try: [WayBack] dnstracer(8) – Linux man page.

–jeroen
