[Dnsmasq-discuss] log-queries logging MAC addresses
nowak2000 at poczta.onet.pl
Sat Jan 17 11:13:11 GMT 2009
On 2009-01-14, Wed at 13:44 +0100, Olaf Westrik wrote:
> Simon Kelley wrote:
> > Tomasz Nowak wrote:
> >> Now that I'm interested in monitoring DNS queries to detect malicious
> >> activity, I enabled the "log-queries" option in the dnsmasq.conf file.
> >> Unfortunately the IP addresses logged with the queries are not very
> >> usable to me - there is another DHCP server in the network.
> >> I would like to see a MAC address in the syslog, not to mention the
> >> NetBIOS name, which I now periodically obtain with
> >> "nmblookup -A 192.168.1.$x" with x in 1..255 and correlate with syslog
> >> entries.
> >> Any ideas how to work around this limitation now?
> > That information isn't really available to the DNS part of dnsmasq: the
> > MAC address to IP address mapping is hidden in the kernel level stuff.
> > The NetBIOS stuff is even more unavailable.
> > One obvious suggestion would be to run "arp -a" periodically. That would
> > give you "snapshot" MAC addresses in the same way that you get NetBIOS
> > names.
> Or use iptables, something like:
> iptables -A INPUT -i eth0 -p udp --destination-port 53 -j LOG --log-prefix "DNS-QUERY "
> would log all DNS queries.
Thanks for your tips, both ideas are great and will prove useful.
Tomasz Nowak <nowak2000 at poczta.onet.pl>
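The two suggestions in this thread (periodic "arp -a" snapshots, and an iptables LOG rule on port 53) both produce an IP-to-MAC mapping that has to be joined back onto the dnsmasq "log-queries" lines by hand. The script below is an added example, not code from the original thread or from the dnsmasq project, showing that join. It parses dnsmasq query lines as syslog writes them, reads the kernel ARP table in the /proc/net/arp layout that "arp -a" prints, and extracts the sender's MAC from the MAC= field that the netfilter LOG target writes (that field is the raw link-layer header: destination MAC, source MAC, then the EtherType, so the client's MAC is octets 6 to 11). All log lines and the ARP table are constructed sample data; hostnames, PIDs and addresses are made up.

```python
import re

# Constructed sample dnsmasq "log-queries" syslog lines (not real traffic).
DNSMASQ_LOG = """\
Jan 17 11:10:02 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Jan 17 11:10:02 gw dnsmasq[1234]: forwarded www.example.com to 8.8.8.8
Jan 17 11:10:03 gw dnsmasq[1234]: query[AAAA] updates.example.net from 192.168.1.23
Jan 17 11:10:05 gw dnsmasq[1234]: query[A] evil.example.org from 192.168.1.77
"""

# Constructed snapshot of /proc/net/arp, the table that "arp -a" reads (not real data).
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:11:22:aa:bb:01     *        eth0
192.168.1.23     0x1         0x2         00:11:22:aa:bb:02     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed kernel log line as produced by the iptables LOG rule from the thread.
IPTABLES_LOG = """\
Jan 17 11:10:05 gw kernel: DNS-QUERY IN=eth0 OUT= MAC=00:0c:29:00:00:01:00:11:22:aa:bb:03:08:00 SRC=192.168.1.77 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=50312 DPT=53 LEN=40
"""

QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)
MAC_RE = re.compile(r"\bMAC=(?P<mac>[0-9a-fA-F:]+)\b.*\bSRC=(?P<src>\S+)")

ATF_COM = 0x2  # Linux ARP flag: entry is complete, hardware address is valid


def parse_queries(log_text):
    """Return (client_ip, qtype, name) for every dnsmasq 'query[...]' line.
    'forwarded', 'reply' and 'cached' lines carry no client address and are skipped."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("client"), m.group("qtype"), m.group("name")))
    return out


def parse_arp(arp_text):
    """Map IP -> MAC from /proc/net/arp text.
    Entries without ATF_COM are incomplete (no MAC learned yet) and are skipped,
    so a stale or failed lookup never yields the all-zero placeholder."""
    mapping = {}
    for line in arp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3]
        if int(flags, 16) & ATF_COM == 0:
            continue
        mapping[ip] = mac.lower()
    return mapping


def parse_iptables_macs(kernel_log):
    """Map SRC IP -> source MAC from netfilter LOG lines.
    MAC= is the raw link-layer header: dst MAC (octets 0-5), src MAC (octets 6-11),
    then the EtherType, so the sender is octets[6:12]. Lines with an empty or
    truncated MAC= field (non-Ethernet interfaces) are skipped."""
    mapping = {}
    for line in kernel_log.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        octets = m.group("mac").split(":")
        if len(octets) < 12:
            continue
        mapping[m.group("src")] = ":".join(octets[6:12]).lower()
    return mapping


def annotate(queries, *ip_to_mac_tables):
    """Attach a MAC to each query, consulting the tables in the order given;
    a client present in none of them is reported as 'unknown'."""
    rows = []
    for client, qtype, name in queries:
        mac = "unknown"
        for table in ip_to_mac_tables:
            if client in table:
                mac = table[client]
                break
        rows.append((client, mac, qtype, name))
    return rows


if __name__ == "__main__":
    arp = parse_arp(ARP_TABLE)
    nf = parse_iptables_macs(IPTABLES_LOG)
    for client, mac, qtype, name in annotate(parse_queries(DNSMASQ_LOG), arp, nf):
        print(f"{client:<15} {mac:<17} {qtype:<5} {name}")
```

Two caveats when running this against real logs: an ARP snapshot only covers hosts the kernel has talked to recently, so a client whose entry has expired comes out as "unknown" until the next snapshot; and both the ARP table and the LOG rule only see the MAC of the last hop on the local segment, so queries from routed clients will all carry the router's MAC rather than the client's.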