The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup

Posted by jpluimers on 2020/07/15

Cool tool: [WayBack] GitHub – gamelinux/passivedns: A network sniffer that logs all DNS server replies for use in a passive DNS setup via [WayBack] How to log all my DNS queries? – Unix & Linux Stack Exchange (thanks mxmlnkn!).

It passively captures port 53 traffic with libpcap (it is a sniffer, not a resolver: it never answers anything itself), parses the DNS server replies, and writes them to a log file at regular intervals, aggregating identical client/query/answer combinations into a single line with a count.

Usage is simple:

# passivedns -i ens32 -l /var/log/passivedns.log

[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål <edward.fjellskaal@gmail.com>
[*] Using libpcap version 1.8.1
[*] Using ldns version 1.7.0
[*] Device: ens32
[*] Sniffing...

There are more options in the docs (among other things, the repository ships helper scripts to import the log into a database for querying), but this simple invocation already lets you grep the log for abusive hosts like the one in [WayBack] Nice when someone in Dallas using 69.162.119.78 is querying your DNS infrastructure for many permutations of domains… · GitHub (the log lines from that gist are reproduced at the end of this post). One caveat when reading such a log: mixed-case query names like wwW.pLUimeRS.COm. are exactly what a resolver doing DNS 0x20 case randomisation (a cache-poisoning mitigation) sends, so the case permutations by themselves are not evidence of abuse. What makes a host worth a look is the query rate, and the fact that every line in that log has a count of 1 (none of the permutations was aggregated with another) means the count field will not help you there, so you have to fold case yourself before counting.

Originating in 2013 ([WayBack] PassiveDNS version 1.0 | GameLinux), it is still being maintained.

It uses libpcap for sniffing, and I ran it on a separate machine hooked to a vSwitch configured in promiscuous mode so it sees all network traffic from that particular network segment.

There is a (not fully up-to-date) package for various openSUSE releases (including Tumbleweed): [WayBack] Install package home:mnhauke:security / passivedns. It is x86_64 only, so if you want to run it on ARM, or want a more recent version, you need to build it yourself, for instance using the build service project as a template: [WayBack] Show home:mnhauke:security / passivedns – openSUSE Build Service.

Next tool on my list to try: [WayBack] dnstracer(8) – Linux man page.

–jeroen

Contents of the gist linked above (readme.md), passivedns log lines for that host:

1523123964.601947||69.162.119.78||192.168.71.62||IN||wwW.pLUimeRS.COm.||CNAME||snip.xs4all.nl.||172800||1
1523123964.991984||69.162.119.78||192.168.71.62||IN||Www.plUimErS.cOm.||CNAME||snip.xs4all.nl.||172800||1
1523125152.014280||69.162.119.78||192.168.71.62||IN||4delPhI.COm.||A||80.100.143.119||172800||1
1523125420.141199||69.162.119.78||192.168.71.62||IN||WwW.pluimeRs.Com.||CNAME||snip.xs4all.nl.||172800||1
1523125421.477835||69.162.119.78||192.168.71.62||IN||Www.PlUiMerS.cOM.||CNAME||snip.xs4all.nl.||172800||1
1523126631.957135||69.162.119.78||192.168.71.62||IN||4DeLphI.COM.||A||80.100.143.119||172800||1
1523126876.869000||69.162.119.78||192.168.71.62||IN||wWW.pLuIMERS.CoM.||CNAME||snip.xs4all.nl.||172800||1
1523128111.656949||69.162.119.78||192.168.71.62||IN||4dELphi.COm.||A||80.100.143.119||172800||1
1523128334.058680||69.162.119.78||192.168.71.62||IN||WwW.PLuimers.CoM.||CNAME||snip.xs4all.nl.||172800||1
1523129591.250439||69.162.119.78||192.168.71.62||IN||4DeLPHI.cOM.||A||80.100.143.119||172800||1
1523129790.959851||69.162.119.78||192.168.71.62||IN||WWw.pLUiMErS.cOM.||CNAME||snip.xs4all.nl.||172800||1
1523131070.881666||69.162.119.78||192.168.71.62||IN||4deLPHi.coM.||A||80.100.143.119||172800||1
1523131248.059509||69.162.119.78||192.168.71.62||IN||wwW.PlUImeRs.Com.||CNAME||snip.xs4all.nl.||172800||1
1523132550.272974||69.162.119.78||192.168.71.62||IN||4DELPHi.CoM.||A||80.100.143.119||172800||1
1523132704.679080||69.162.119.78||192.168.71.62||IN||wwW.pLuiMeRs.cOm.||CNAME||snip.xs4all.nl.||172800||1
1523134029.889133||69.162.119.78||192.168.71.62||IN||4delPHi.Com.||A||80.100.143.119||172800||1
1523134030.099053||69.162.119.78||192.168.71.62||IN||4DELpHI.coM.||A||80.100.143.119||172800||1
1523134161.894973||69.162.119.78||192.168.71.62||IN||wwW.PLUIMERs.COm.||CNAME||snip.xs4all.nl.||172800||1
1523135509.387214||69.162.119.78||192.168.71.62||IN||4DELPhI.coM.||A||80.100.143.119||172800||1
1523135509.547117||69.162.119.78||192.168.71.62||IN||4deLPhi.cOm.||A||80.100.143.119||172800||1
1523135618.668544||69.162.119.78||192.168.71.62||IN||wWw.PLUimERS.Com.||CNAME||snip.xs4all.nl.||172800||1
1523136989.153585||69.162.119.78||192.168.71.62||IN||4delPhi.cOm.||A||80.100.143.119||172800||1
1523137075.619229||69.162.119.78||192.168.71.62||IN||Www.PLuIMERs.coM.||CNAME||snip.xs4all.nl.||172800||1
1523138468.860149||69.162.119.78||192.168.71.62||IN||4dElpHI.CoM.||A||80.100.143.119||172800||1
1523138532.942633||69.162.119.78||192.168.71.62||IN||wWW.PLUImeRs.COM.||CNAME||snip.xs4all.nl.||172800||1
1523139948.204566||69.162.119.78||192.168.71.62||IN||4DElPHi.com.||A||80.100.143.119||172800||1
1523139990.320160||69.162.119.78||192.168.71.62||IN||WWw.plUImeRS.COm.||CNAME||snip.xs4all.nl.||172800||1
1523141427.947852||69.162.119.78||192.168.71.62||IN||4DeLPHi.coM.||A||80.100.143.119||172800||1
1523141447.052421||69.162.119.78||192.168.71.62||IN||www.PLUIMerS.cOM.||CNAME||snip.xs4all.nl.||172800||1
1523141448.555492||69.162.119.78||192.168.71.62||IN||WWW.PlUiMerS.COM.||CNAME||snip.xs4all.nl.||172800||1
1523142905.462508||69.162.119.78||192.168.71.62||IN||WWW.PLUImERs.Com.||CNAME||snip.xs4all.nl.||172800||1
1523142907.645584||69.162.119.78||192.168.71.62||IN||4dElPHI.coM.||A||80.100.143.119||172800||1
1523144361.708169||69.162.119.78||192.168.71.62||IN||Www.PlUimerS.coM.||CNAME||snip.xs4all.nl.||172800||1
1523144387.148517||69.162.119.78||192.168.71.62||IN||4deLphI.COm.||A||80.100.143.119||172800||1
1523144387.324860||69.162.119.78||192.168.71.62||IN||4dELPhi.coM.||A||80.100.143.119||172800||1
1523145818.645702||69.162.119.78||192.168.71.62||IN||WWW.PlUiMERS.coM.||CNAME||snip.xs4all.nl.||172800||1
1523145866.300466||69.162.119.78||192.168.71.62||IN||4DElphi.CoM.||A||80.100.143.119||172800||1
1523145866.462396||69.162.119.78||192.168.71.62||IN||4DelPhI.COM.||A||80.100.143.119||172800||1
1523147275.451444||69.162.119.78||192.168.71.62||IN||WwW.pluiMerS.COM.||CNAME||snip.xs4all.nl.||172800||1
1523147345.760283||69.162.119.78||192.168.71.62||IN||4dElpHi.cOm.||A||80.100.143.119||172800||1
1523148732.282990||69.162.119.78||192.168.71.62||IN||Www.PluImERS.CoM.||CNAME||snip.xs4all.nl.||172800||1
1523148824.751668||69.162.119.78||192.168.71.62||IN||4dELpHI.cOM.||A||80.100.143.119||172800||1
1523150189.046197||69.162.119.78||192.168.71.62||IN||wwW.pLuImers.COm.||CNAME||snip.xs4all.nl.||172800||1
1523150304.029644||69.162.119.78||192.168.71.62||IN||4DELpHI.cOM.||A||80.100.143.119||172800||1
1523151645.864864||69.162.119.78||192.168.71.62||IN||wWW.pLUIMeRS.CoM.||CNAME||snip.xs4all.nl.||172800||1
1523151783.426855||69.162.119.78||192.168.71.62||IN||4DElphI.COM.||A||80.100.143.119||172800||1
1523153102.996203||69.162.119.78||192.168.71.62||IN||WwW.plUimErS.COm.||CNAME||snip.xs4all.nl.||172800||1
1523153262.528917||69.162.119.78||192.168.71.62||IN||4dElPhi.COM.||A||80.100.143.119||172800||1
1523154559.933282||69.162.119.78||192.168.71.62||IN||wwW.PLUImers.coM.||CNAME||snip.xs4all.nl.||172800||1
1523154742.055939||69.162.119.78||192.168.71.62||IN||4DeLPhi.cOm.||A||80.100.143.119||172800||1
1523156016.689016||69.162.119.78||192.168.71.62||IN||wwW.PlUiMERS.com.||CNAME||snip.xs4all.nl.||172800||1
1523156221.787521||69.162.119.78||192.168.71.62||IN||4DELpHI.cOm.||A||80.100.143.119||172800||1
1523157473.336282||69.162.119.78||192.168.71.62||IN||wWw.PluimErS.COm.||CNAME||snip.xs4all.nl.||172800||1
1523157701.025456||69.162.119.78||192.168.71.62||IN||4DElPHI.COm.||A||80.100.143.119||172800||1
1523157701.345349||69.162.119.78||192.168.71.62||IN||4DelPHI.coM.||A||80.100.143.119||172800||1
1523158930.172614||69.162.119.78||192.168.71.62||IN||wwW.plUimErs.COM.||CNAME||snip.xs4all.nl.||172800||1
1523159180.375104||69.162.119.78||192.168.71.62||IN||4DeLphi.coM.||A||80.100.143.119||172800||1
1523160387.086222||69.162.119.78||192.168.71.62||IN||www.pLuimeRs.com.||CNAME||snip.xs4all.nl.||172800||1
1523160659.757675||69.162.119.78||192.168.71.62||IN||4deLPHi.CoM.||A||80.100.143.119||172800||1
1523161844.016165||69.162.119.78||192.168.71.62||IN||WWW.pluiMErS.coM.||CNAME||snip.xs4all.nl.||172800||1
1523162139.149656||69.162.119.78||192.168.71.62||IN||4DeLPhi.COM.||A||80.100.143.119||172800||1
1523163300.895150||69.162.119.78||192.168.71.62||IN||Www.PluimERs.cOm.||CNAME||snip.xs4all.nl.||172800||1
1523163618.763813||69.162.119.78||192.168.71.62||IN||4DElphi.coM.||A||80.100.143.119||172800||1
1523164757.901193||69.162.119.78||192.168.71.62||IN||wwW.plUiMerS.COm.||CNAME||snip.xs4all.nl.||172800||1
1523165097.835234||69.162.119.78||192.168.71.62||IN||4DeLPHI.Com.||A||80.100.143.119||172800||1
1523165098.148604||69.162.119.78||192.168.71.62||IN||4DelPhi.COM.||A||80.100.143.119||172800||1
1523166214.955733||69.162.119.78||192.168.71.62||IN||WWW.pluimers.COm.||CNAME||snip.xs4all.nl.||172800||1
1523166577.205424||69.162.119.78||192.168.71.62||IN||4dELPhi.COm.||A||80.100.143.119||172800||1
1523167671.849879||69.162.119.78||192.168.71.62||IN||wWW.pluiMErs.Com.||CNAME||snip.xs4all.nl.||172800||1
1523167673.260450||69.162.119.78||192.168.71.62||IN||Www.pLuIMErS.cOM.||CNAME||snip.xs4all.nl.||172800||1
1523169128.953737||69.162.119.78||192.168.71.62||IN||www.PlUiMERS.coM.||CNAME||snip.xs4all.nl.||172800||1
1523169130.283117||69.162.119.78||192.168.71.62||IN||WwW.pluImers.com.||CNAME||snip.xs4all.nl.||172800||1
1523169536.252188||69.162.119.78||192.168.71.62||IN||4deLpHi.com.||A||80.100.143.119||172800||1
1523170585.979222||69.162.119.78||192.168.71.62||IN||Www.PluImeRs.com.||CNAME||snip.xs4all.nl.||172800||1
1523171015.188109||69.162.119.78||192.168.71.62||IN||4DeLphI.coM.||A||80.100.143.119||172800||1
1523172042.966536||69.162.119.78||192.168.71.62||IN||www.plUIMERs.coM.||CNAME||snip.xs4all.nl.||172800||1
1523172495.119200||69.162.119.78||192.168.71.62||IN||4DELpHI.Com.||A||80.100.143.119||172800||1
1523173500.080520||69.162.119.78||192.168.71.62||IN||wWW.pluimERs.COM.||CNAME||snip.xs4all.nl.||172800||1
1523173974.738645||69.162.119.78||192.168.71.62||IN||4DELPHI.COm.||A||80.100.143.119||172800||1
1523174957.300847||69.162.119.78||192.168.71.62||IN||wWW.pLUimErS.cOM.||CNAME||snip.xs4all.nl.||172800||1
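An added example (my code, not the author's and not part of the passivedns project) for the "grep the log" step: a small Python parser for the ||-delimited passivedns log format, which folds query names to lower case so that 0x20-style case permutations like the ones above collapse onto one name, and then reports per client how many queries it sent, for how many distinct names, and whether it randomises case at all. The field order it assumes (timestamp||client||server||class||query||type||answer||ttl||count) is the one the passivedns README documents; the sample lines are constructed in that layout with RFC 5737 documentation addresses and example.* names, and all function and class names are mine.

```python
"""
Added example, not code from the original post or from the passivedns project.

Parses passivedns '||'-delimited log lines, folds query names to lower case so
that DNS 0x20-style case permutations collapse onto one name, and summarises
per client: total queries, distinct names, and whether the client randomises
case. Assumed field order (as documented in the passivedns README):
timestamp||client||server||class||query||type||answer||ttl||count
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample log in passivedns layout; RFC 5737 documentation
# addresses and example.* names, not taken from any real capture.
SAMPLE_LOG = """\
1523123964.601947||198.51.100.7||192.0.2.53||IN||wwW.eXamPle.Com.||CNAME||host.example.net.||172800||1
1523123965.000000||198.51.100.7||192.0.2.53||IN||Www.ExAmple.cOm.||CNAME||host.example.net.||172800||1
1523125152.014280||198.51.100.7||192.0.2.53||IN||exAmPle.oRg.||A||192.0.2.10||172800||1
1523125420.141199||198.51.100.7||192.0.2.53||IN||WwW.example.COM.||CNAME||host.example.net.||172800||1
1523126000.000000||198.51.100.9||192.0.2.53||IN||www.example.com.||CNAME||host.example.net.||172800||5
this line is deliberately malformed and must be skipped
1523126100.000000||198.51.100.9||192.0.2.53||IN||example.org.||A||192.0.2.10||172800||1
"""


@dataclass(frozen=True)
class PdnsRecord:
    ts: float
    client: str     # the host that sent the query
    server: str     # the DNS server that answered
    rrclass: str
    qname: str      # exactly as logged, case preserved
    qtype: str
    answer: str
    ttl: int
    count: int      # passivedns' own aggregation count for this line


def parse_line(line: str) -> Optional[PdnsRecord]:
    """Parse one log line; return None for blank or malformed lines."""
    fields = line.strip().split("||")
    if len(fields) != 9:
        return None
    try:
        return PdnsRecord(
            ts=float(fields[0]), client=fields[1], server=fields[2],
            rrclass=fields[3], qname=fields[4], qtype=fields[5],
            answer=fields[6], ttl=int(fields[7]), count=int(fields[8]),
        )
    except ValueError:
        return None


def parse_log(lines: Iterable[str]) -> List[PdnsRecord]:
    """Parse all lines, dropping the ones that do not fit the layout."""
    return [rec for rec in map(parse_line, lines) if rec is not None]


@dataclass
class NameStats:
    queries: int = 0                                   # sum of the count field
    spellings: Set[str] = field(default_factory=set)   # distinct case variants
    first_ts: float = float("inf")
    last_ts: float = 0.0


def summarize(records: Iterable[PdnsRecord]) -> Dict[str, Dict[str, NameStats]]:
    """client -> lower-cased qname -> NameStats (case folding merges 0x20 variants)."""
    out: Dict[str, Dict[str, NameStats]] = defaultdict(dict)
    for rec in records:
        stats = out[rec.client].setdefault(rec.qname.lower(), NameStats())
        stats.queries += rec.count
        stats.spellings.add(rec.qname)
        stats.first_ts = min(stats.first_ts, rec.ts)
        stats.last_ts = max(stats.last_ts, rec.ts)
    return dict(out)


def client_report(summary: Dict[str, Dict[str, NameStats]]) -> List[Tuple[str, int, int, bool]]:
    """(client, total queries, distinct names, randomises case), busiest client first."""
    rows = []
    for client, names in summary.items():
        total = sum(s.queries for s in names.values())
        randomises = any(len(s.spellings) > 1 for s in names.values())
        rows.append((client, total, len(names), randomises))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    report = client_report(summarize(parse_log(SAMPLE_LOG.splitlines())))
    print(f"{'client':<16}{'queries':>8}{'names':>7}  0x20-style case?")
    for client, total, names, randomises in report:
        print(f"{client:<16}{total:>8}{names:>7}  {'yes' if randomises else 'no'}")
```

On a real log, pass the open file object (for example open('/var/log/passivedns.log')) to parse_log instead of SAMPLE_LOG.splitlines(). The shell equivalent of the case folding is grep -i, but grep cannot tell you whether a client is case-randomising or how many queries it sent across all spellings, and that total rate, not the permutations, is what separates an abusive host from a resolver doing 0x20.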
