[Dnsmasq-discuss] log-queries logging MAC addresses

Olaf Westrik weizen_42 at ipcop-forum.de
Wed Jan 14 12:44:29 GMT 2009


Simon Kelley wrote:
> Tomasz Nowak wrote:
>> Now that I'm interested in monitoring DNS queries to detect malicious
>> activity, I enable "log-queries" option in the dnsmasq.conf file.
>> Unfortunately the IP addresses logged with the queries are not very
>> usable to me - there is another DHCP server in the network.
>>
>> I would like to see a MAC address in the syslog, not to mention - the
>> NetBIOS name, that I now periodically achieve with
>> "nmblookup -A 192.168.1.$x" with x in 1..255 and correlate with syslog
>> entries.
>>
>> Any ideas, how to work around this limitation now?
> 
> That information isn't really available to the DNS part of dnsmasq: the 
> MAC address to IP address mapping is hidden in the kernel level stuff. 
> The netbios stuff is even more unavailable.
> 
> One obvious suggestion would be to run "arp -a" periodically. That would 
> give you "snapshot" MAC addresses in the same way that you get netbios 
> names.

Or use iptables, something like:

iptables -A INPUT -i eth0 -p udp --destination-port 53 -j LOG --log-prefix "DNS-QUERY "

would log all domain queries.


Olaf

-- 

A weizen a day helps keep the doctor away.
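The two suggestions in this thread (a periodic ARP snapshot, and the kernel LOG target) can be combined into a small correlation script. The following is an added example, not code from the thread or from dnsmasq itself; it assumes the dnsmasq "query[A] name from ip" log-queries format, the /proc/net/arp column layout, and an iptables LOG line written with the "DNS-QUERY " prefix above. All sample log lines and the ARP snapshot are constructed for the example. The MAC= field of a LOG line holds the raw link-layer header (destination MAC, source MAC, ethertype), so the client's MAC is octets 7 to 12.

```python
import re

# Constructed sample data (not from the thread): a /proc/net/arp snapshot
# and a few syslog lines as dnsmasq (log-queries) and the kernel (iptables
# LOG target, --log-prefix "DNS-QUERY ") would write them.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.23     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.77     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

SAMPLE_SYSLOG = [
    "Jan 14 12:44:29 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.23",
    "Jan 14 12:44:29 gw dnsmasq[1234]: forwarded www.example.com to 10.0.0.1",
    "Jan 14 12:44:30 gw kernel: DNS-QUERY IN=eth0 OUT= "
    "MAC=00:16:3e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.168.1.23 DST=192.168.1.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40412 DPT=53 LEN=40",
    "Jan 14 12:44:31 gw dnsmasq[1234]: query[A] evil.example.net from 192.168.1.77",
]

# dnsmasq log-queries line: "query[<type>] <name> from <client ip>"
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<ip>[\d.]+)"
)
# iptables LOG line for the rule in the thread (prefix "DNS-QUERY ")
IPT_LOG_RE = re.compile(
    r"DNS-QUERY .*?MAC=(?P<mac>[0-9A-Fa-f:]+) SRC=(?P<src>[\d.]+) .*?DPT=53\b"
)
ATF_COM = 0x2  # "entry complete" flag bit in the /proc/net/arp Flags column


def parse_arp_table(text):
    """Parse a /proc/net/arp snapshot into {ip: mac}, skipping incomplete entries.

    Incomplete entries (Flags 0x0) carry a zero MAC and must not be trusted.
    """
    table = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, _hwtype, flags, mac = fields[:4]
        if int(flags, 16) & ATF_COM == 0:
            continue
        table[ip] = mac.lower()
    return table


def source_mac_from_log(mac_field):
    """Extract the sender's MAC from the LOG target's MAC= field.

    The field is the 14-byte Ethernet header: dst MAC (6), src MAC (6),
    ethertype (2). Returns None for anything that is not an Ethernet header.
    """
    octets = mac_field.lower().split(":")
    if len(octets) != 14:
        return None
    return ":".join(octets[6:12])


def annotate_queries(syslog_lines, arp_table):
    """Join dnsmasq query lines with the ARP snapshot.

    Returns (client_ip, mac_or_None, query_type, name) tuples; a None MAC
    means the client was not in the (complete) ARP entries at snapshot time.
    """
    results = []
    for line in syslog_lines:
        m = QUERY_RE.search(line)
        if m:
            ip = m.group("ip")
            results.append((ip, arp_table.get(ip), m.group("qtype"), m.group("name")))
    return results


def macs_from_iptables_log(syslog_lines):
    """Build {source ip: source mac} from kernel DNS-QUERY LOG lines."""
    seen = {}
    for line in syslog_lines:
        m = IPT_LOG_RE.search(line)
        if m:
            mac = source_mac_from_log(m.group("mac"))
            if mac:
                seen[m.group("src")] = mac
    return seen


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_ARP)
    for ip, mac, qtype, name in annotate_queries(SAMPLE_SYSLOG, arp):
        print(f"{ip:<15} {mac or 'unknown':<17} {qtype:<5} {name}")
    print("from iptables LOG:", macs_from_iptables_log(SAMPLE_SYSLOG))
```

Two caveats apply to both approaches. An ARP snapshot, like the frame source MAC in a LOG line, only identifies hosts on the same Ethernet segment as the dnsmasq box; queries that arrive through another router carry that router's MAC. And the LOG rule above logs every DNS packet on the interface, which can flood syslog on a busy network; rate-limit it with `-m limit` or keep the query name from the dnsmasq line and use the LOG line only for the MAC.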
