For the record: I am now running https://github.com/gamelinux/passivedns/ on the packetfence machine, and it generates a nice list of the dns requests.
Like this:

    1479212883.352535||10.19.231.152||192.x.y.z||IN||ytstatic.l.google.com.||A||172.217.17.78||27||1
    1479212884.362651||10.19.230.173||192.x.y.z||IN||apps.itunes.com.||CNAME||apps.itunes.apple.com.edgekey.net.||1412||1
    1479212884.362651||10.19.230.173||192.x.y.z||IN||apps.itunes.apple.com.edgekey.net.||CNAME||e905.d.akamaiedge.net.||12269||1
    1479212884.362651||10.19.230.173||192.x.y.z||IN||e905.d.akamaiedge.net.||A||23.40.242.123||19||1
    1479212884.743301||10.19.227.29||192.x.y.z||IN||a.tribalfusion.com.||A||204.11.109.66||35||1
    1479212884.743301||10.19.227.29||192.x.y.z||IN||a.tribalfusion.com.||A||204.11.109.65||35||1
    1479212884.743301||10.19.227.29||192.x.y.z||IN||a.tribalfusion.com.||A||204.11.109.68||35||1
    1479212884.743301||10.19.227.29||192.x.y.z||IN||a.tribalfusion.com.||A||204.11.109.67||35||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dpm.demdex.net.||CNAME||gslb.demdex.net.||71||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||gslb.demdex.net.||CNAME||irl1.demdex.net.||68||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||irl1.demdex.net.||CNAME||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||68||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.18.163.110||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.211.21.195||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.30.191.133||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.211.54.244||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.19.210.4||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.49.214.49||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.48.142.133||37||1
    1479212884.752115||10.19.227.29||192.x.y.z||IN||dcs-edge-irl1-876252164.eu-west-1.elb.amazonaws.com.||A||52.208.104.205||37||1
    1479212884.758947||10.19.227.29||192.x.y.z||IN||cdnx.tribalfusion.com.||CNAME||2-01-2864-0002.cdx.cedexis.net.||49||1
    1479212884.758947||10.19.227.29||192.x.y.z||IN||2-01-2864-0002.cdx.cedexis.net.||CNAME||wildcard.tribalfusion.com.edgekey.net.||2526||1
    1479212884.758947||10.19.227.29||192.x.y.z||IN||wildcard.tribalfusion.com.edgekey.net.||CNAME||e10524.g.akamaiedge.net.||16589||1
    1479212884.758947||10.19.227.29||192.x.y.z||IN||e10524.g.akamaiedge.net.||A||23.40.243.161||20||1
    1479212884.768005||10.19.227.29||192.x.y.z||IN||su.addthis.com.||CNAME||m.addthisedge.com.||186||1
    1479212884.776275||10.19.227.29||192.x.y.z||IN||tapestry.tapad.com.||CNAME||tapestry-eu.tapad.com.||15||1
    1479212884.776275||10.19.227.29||192.x.y.z||IN||tapestry-eu.tapad.com.||CNAME||vhosts-eu.tapad.com.||15||1
    1479212884.776275||10.19.227.29||192.x.y.z||IN||vhosts-eu.tapad.com.||CNAME||vhosts-am1.tapad.com.||15||1

Whilst not packetfence functionality, it does exactly what I need. :-)

MJ

On 15-11-2016 10:34, lists wrote:
> Hi,
>
> We are running pf 5.6.1 for our wifi segment, using NAT. The dns server
> on the NAT segment is set to our company dns server, which is also an
> Intrusion Protection System, filtering out suspicious/malicious dns queries.
>
> Now, occasionally we're getting warnings from this IPS system about
> infected clients on the wifi. Of course the source ip/mac address is
> that of the packetfence (NAT gateway), and not the actual NATted wifi
> client.
>
> Hence our question: is it possible to log the dns queries flowing
> through packetfence, or use packetfence itself as dns server, in order
> to get a log of all dns queries per client, so we would be able to look up
> the ACTUAL client doing the malicious dns lookups?
>
> Best regards,
> MJ

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
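Added example, not from the thread and not part of passivedns or PacketFence: a small Python parser for the passivedns record format shown above (`timestamp||client||server||class||query||type||answer||ttl||count`) that does what the original question asks for, mapping a name or address from an IPS alert back to the NATted wifi client that resolved it. The sample records are a constructed subset of the lines in the post; the alert timestamp and indicator in the test are constructed too.

```python
# Map an IPS DNS alert back to the NATted wifi client, from passivedns records.
# Record format as shown in the post: timestamp||client||server||class||query||type||answer||ttl||count
from collections import namedtuple
from datetime import datetime, timezone

Record = namedtuple("Record", "ts client server qclass query rtype answer ttl count")

# Constructed sample: a few records copied from the passivedns output in the post.
SAMPLE_LOG = """\
1479212883.352535||10.19.231.152||192.x.y.z||IN||ytstatic.l.google.com.||A||172.217.17.78||27||1
1479212884.362651||10.19.230.173||192.x.y.z||IN||apps.itunes.com.||CNAME||apps.itunes.apple.com.edgekey.net.||1412||1
1479212884.743301||10.19.227.29||192.x.y.z||IN||a.tribalfusion.com.||A||204.11.109.66||35||1
1479212884.752115||10.19.227.29||192.x.y.z||IN||dpm.demdex.net.||CNAME||gslb.demdex.net.||71||1
1479212884.776275||10.19.227.29||192.x.y.z||IN||tapestry.tapad.com.||CNAME||tapestry-eu.tapad.com.||15||1
"""

def parse_line(line):
    """Split one passivedns record into a Record; names lose the trailing dot and are lower-cased."""
    fields = line.rstrip("\n").split("||")
    if len(fields) != 9:
        raise ValueError("not a passivedns record: %r" % line)
    ts, client, server, qclass, query, rtype, answer, ttl, count = fields
    return Record(float(ts), client, server, qclass, query.rstrip(".").lower(),
                  rtype, answer.rstrip(".").lower(), int(ttl), int(count))

def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def clients_for(records, indicator, alert_ts=None, window=300):
    """{client_ip: [Record, ...]} for records whose query (exact or subdomain) or answer (CNAME
    target or IP) matches `indicator`, optionally within +/- `window` seconds of the alert time."""
    ind = indicator.rstrip(".").lower()
    hits = {}
    for r in records:
        if alert_ts is not None and abs(r.ts - alert_ts) > window:
            continue  # outside the alert window: the IPS only saw the gateway address
        if r.query == ind or r.query.endswith("." + ind) or r.answer == ind:
            hits.setdefault(r.client, []).append(r)
    return hits

def report(hits):
    """One readable line per matching record, with the epoch timestamp rendered in UTC."""
    lines = []
    for client, recs in sorted(hits.items()):
        for r in recs:
            when = datetime.fromtimestamp(r.ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
            lines.append("%s %s %s %s -> %s" % (when, client, r.rtype, r.query, r.answer))
    return lines
```

Point it at the log passivedns writes on the gateway instead of SAMPLE_LOG, with the alert's timestamp and the flagged name or IP, and the client IP it returns is the one PacketFence can then tie to a MAC address and user.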
