[Dnsmasq-discuss] log-queries logging MAC addresses
Olaf Westrik
weizen_42 at ipcop-forum.de
Wed Jan 14 12:44:29 GMT 2009
Simon Kelley wrote:
> Tomasz Nowak wrote:
>> Now that I'm interested in monitoring DNS queries to detect malicious
>> activity, I enable "log-queries" option in the dnsmasq.conf file.
>> Unfortunately the IP addresses logged with the queries are not very
>> usable to me - there is another DHCP server in the network.
>>
>> I would like to see a MAC address in the syslog, not to mention - the
>> NetBIOS name, that I now periodically achieve with
>> "nmblookup -A 192.168.1.$x" with x in 1..255 and correlate with syslog
>> entries.
>>
>> Any ideas, how to work around this limitation now?
>
> That information isn't really available to the DNS part of dnsmasq: the
> MAC address to IP address mapping is hidden in the kernel level stuff.
> The netbios stuff is even more unavailable.
>
> One obvious suggestion would be to run "arp -a" periodically. That would
> give you "snapshot" MAC addresses in the same way that you get netbios
> names.
Or use iptables, something like:

iptables -A INPUT -i eth0 -p udp --destination-port 53 -j LOG --log-prefix "DNS-QUERY "

would log all domain queries.
Olaf
--
A weizen a day helps keep the doctor away.
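Added example, not part of this thread and not dnsmasq's own code: a small Python script that does the correlation the thread describes, offline, over constructed sample data. It reads dnsmasq "query[TYPE] name from IP" syslog lines, looks each client IP up in a snapshot of the ARP table (the /proc/net/arp layout, which is what "arp -a" reads), and additionally pulls the client MAC out of the kernel messages produced by a netfilter LOG rule like the one above. The LOG target's MAC= field is the raw 14-byte Ethernet header (destination MAC, source MAC, EtherType), so the source MAC is octets 7 to 12; that gives the MAC at the moment of the query rather than a snapshot, which is what you want when DHCP leases move around. All hostnames, addresses and MACs in the sample logs are made up for the example.

```python
"""Correlate dnsmasq query logs with client MAC addresses (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what dnsmasq writes to syslog with log-queries on.
DNSMASQ_LOG = """\
Jan 14 12:44:29 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Jan 14 12:44:30 gw dnsmasq[1234]: forwarded www.example.com to 192.0.2.53
Jan 14 12:44:31 gw dnsmasq[1234]: query[AAAA] evil.example.net from 192.168.1.77
Jan 14 12:44:32 gw dnsmasq[1234]: query[PTR] 10.1.168.192.in-addr.arpa from 192.168.1.10
"""

# Constructed ARP snapshot in /proc/net/arp layout (what "arp -a" reports).
# 192.168.1.20 is an incomplete entry (flags 0x0) and must be ignored;
# 192.168.1.77 has already expired from the cache, so the snapshot misses it.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed kernel message from the iptables LOG rule with prefix "DNS-QUERY ".
# MAC= carries dst MAC (6 octets), src MAC (6 octets), EtherType (2 octets).
KERNEL_LOG = """\
Jan 14 12:44:31 gw kernel: DNS-QUERY IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:de:ad:be:ef:00:77:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=4321 PROTO=UDP SPT=51234 DPT=53 LEN=41
"""

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<ip>\S+)")
KLOG_RE = re.compile(r"MAC=(?P<mac>[0-9a-fA-F:]+) SRC=(?P<src>\S+) .*DPT=53\b")

ATF_COM = 0x2  # /proc/net/arp flag bit: entry is complete (resolved)

Row = Tuple[str, Optional[str], str, str]  # (client ip, mac or None, qtype, name)


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from a /proc/net/arp dump, skipping incomplete entries."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if not flags & ATF_COM:
            continue  # 00:00:00:00:00:00 placeholder, not a real mapping
        table[ip] = mac
    return table


def source_mac_from_log_field(field: str) -> Optional[str]:
    """Extract the source MAC from a netfilter LOG 'MAC=' value."""
    octets = field.lower().split(":")
    if len(octets) != 14:  # not an Ethernet header; e.g. a tunnel interface
        return None
    return ":".join(octets[6:12])


def macs_from_kernel_log(kernel_log: str) -> Dict[str, str]:
    """Map client IP -> MAC seen on UDP/53 packets logged by the LOG rule."""
    seen: Dict[str, str] = {}
    for line in kernel_log.splitlines():
        m = KLOG_RE.search(line)
        if not m:
            continue
        mac = source_mac_from_log_field(m["mac"])
        if mac:
            seen[m["src"]] = mac  # later packets overwrite, keeping the freshest MAC
    return seen


def enrich_queries(dnsmasq_log: str, ip_to_mac: Dict[str, str]) -> List[Row]:
    """Attach a MAC (or None when unknown) to every dnsmasq query line."""
    rows: List[Row] = []
    for line in dnsmasq_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # "forwarded", "reply", "cached" lines carry no client
        rows.append((m["ip"], ip_to_mac.get(m["ip"]), m["qtype"], m["name"]))
    return rows


def correlate(dnsmasq_log: str, arp_text: str, kernel_log: str) -> List[Row]:
    """ARP snapshot first, then let per-packet LOG evidence fill the gaps."""
    ip_to_mac = parse_arp_table(arp_text)
    ip_to_mac.update(macs_from_kernel_log(kernel_log))
    return enrich_queries(dnsmasq_log, ip_to_mac)


if __name__ == "__main__":
    for ip, mac, qtype, name in correlate(DNSMASQ_LOG, ARP_TABLE, KERNEL_LOG):
        print(f"{mac or 'unknown':17} {ip:15} {qtype:5} {name}")
```

On a real box feed it the contents of /proc/net/arp and the syslog lines; 192.168.1.77 shows how the two sources complement each other: it has already left the ARP cache, so the snapshot alone reports it as unknown, while the LOG rule captured its MAC on the packet itself. Two caveats for anyone deploying this: the LOG rule as written only matches UDP, so DNS over TCP (large responses, zone transfers) is not logged unless you add a matching "-p tcp --dport 53" rule, and a LOG rule on a busy resolver should be rate-limited with "-m limit" or it will flood the kernel log.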