[Dnsmasq-discuss] log-queries logging MAC addresses

Simon Kelley simon at thekelleys.org.uk
Wed Jan 14 11:49:18 GMT 2009


Tomasz Nowak wrote:
> So I have a network of Windows machines that use NetBIOS for name
> resolution. There is also an ADSL modem/router in the network that
> assigns IP addresses with DHCP.
> 
> I configured a Linux box with dnsmasq that transparently logs and caches
> DNS queries, configured the router with the Primary DNS pointing at that
> Linux. When the machine goes down, which happens - it's a very old
> one ;-), the external Secondary DNS is used.
> 
> That works well.
> 
> Now that I'm interested in monitoring DNS queries to detect malicious
> activity, I enable "log-queries" option in the dnsmasq.conf file.
> Unfortunately the IP addresses logged with the queries are not very
> usable to me - there is another DHCP server in the network.
> 
> I would like to see a MAC address in the syslog, not to mention - the
> NetBIOS name, that I now periodically achieve with
> "nmblookup -A 192.168.1.$x" with x in 1..255 and correlate with syslog
> entries.
> 
> Any ideas, how to work around this limitation now?

That information isn't really available to the DNS part of dnsmasq: the 
MAC address to IP address mapping is hidden in the kernel level stuff. 
The NetBIOS stuff is even more unavailable.

One obvious suggestion would be to run "arp -a" periodically. That would 
give you "snapshot" MAC addresses in the same way that you get NetBIOS 
names.

Cheers,

Simon.
> 
> Regards
> Tomasz
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 
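The correlation described in this thread (dnsmasq "log-queries" lines joined with periodic "arp -a" and "nmblookup -A" snapshots) can be scripted rather than done by hand. The script below is an added example written for this page; it is not code from the mailing list, from dnsmasq or from Samba. All input is constructed inline: the log lines, the ARP table and the nmblookup output are made-up samples in the formats those tools print, and the function names are my own. The one caveat a practitioner should keep in mind is that an ARP snapshot is only valid around the time it was taken, so the script records whether the querying IP was present in the snapshot at all instead of silently reporting a stale or missing mapping.

```python
import re

# --- Constructed sample input (not from the original post) -------------------
# dnsmasq "log-queries" lines as syslog records them. Only "query[...]" lines
# name the client; "forwarded"/"reply" lines do not and are skipped.
DNSMASQ_LOG = """\
Jan 14 11:49:18 gw dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Jan 14 11:49:18 gw dnsmasq[1234]: forwarded www.example.com to 10.0.0.1
Jan 14 11:49:19 gw dnsmasq[1234]: query[A] update.example.org from 192.168.1.11
Jan 14 11:49:25 gw dnsmasq[1234]: query[PTR] 10.1.168.192.in-addr.arpa from 192.168.1.10
Jan 14 11:50:02 gw dnsmasq[1234]: query[A] www.example.net from 192.168.1.77
"""

# Output of "arp -a" (net-tools format) taken at roughly the same time.
# 192.168.1.20 shows the "<incomplete>" case: the host was probed but never answered.
ARP_SNAPSHOT = """\
? (192.168.1.10) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.11) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.20) at <incomplete> on eth0
"""

# Output of "nmblookup -A 192.168.1.10", keyed by the address that was queried.
NMBLOOKUP_OUTPUT = {
    "192.168.1.10": """\
Looking up status of 192.168.1.10
\tWORKSTATION1    <00> -         B <ACTIVE>
\tWORKGROUP       <00> - <GROUP> B <ACTIVE>
\tWORKSTATION1    <20> -         B <ACTIVE>

\tMAC Address = 00-11-22-33-44-55
""",
}

# --- Parsers ---------------------------------------------------------------
ARP_RE = re.compile(r"^\S+ \((\d+\.\d+\.\d+\.\d+)\) at (\S+)")
QUERY_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]+) \S+ dnsmasq\[\d+\]: "
    r"query\[(\w+)\] (\S+) from (\d+\.\d+\.\d+\.\d+)$"
)
# The unique (non-<GROUP>) <00> entry is the workstation name.
NMB_NAME_RE = re.compile(r"^\s+(\S+)\s+<00> -\s+B ")


def parse_arp(text):
    """Map IP -> MAC from 'arp -a' output; incomplete entries map to None."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            ip, mac = m.groups()
            table[ip] = None if mac == "<incomplete>" else mac.lower()
    return table


def parse_nmblookup(text):
    """Return the NetBIOS workstation name from 'nmblookup -A' output, or None."""
    for line in text.splitlines():
        m = NMB_NAME_RE.match(line)
        if m:
            return m.group(1)
    return None


def parse_queries(text):
    """Extract (time, query type, name, client IP) from dnsmasq query lines."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts, qtype, name, ip = m.groups()
            queries.append({"time": ts, "qtype": qtype, "name": name, "client_ip": ip})
    return queries


def enrich(queries, arp, netbios_names):
    """Join each query with the MAC and NetBIOS name seen for its client IP.

    'in_arp_snapshot' is False when the IP was not in the ARP table at all, so a
    missing MAC can be told apart from an address the kernel had not resolved.
    """
    rows = []
    for q in queries:
        ip = q["client_ip"]
        rows.append({
            **q,
            "mac": arp.get(ip) or "unknown",
            "netbios": netbios_names.get(ip) or "unknown",
            "in_arp_snapshot": ip in arp,
        })
    return rows


def correlate(log_text=DNSMASQ_LOG, arp_text=ARP_SNAPSHOT, nmb_outputs=NMBLOOKUP_OUTPUT):
    names = {ip: parse_nmblookup(out) for ip, out in nmb_outputs.items()}
    return enrich(parse_queries(log_text), parse_arp(arp_text), names)


if __name__ == "__main__":
    for row in correlate():
        print("{time} {client_ip} mac={mac} netbios={netbios} "
              "query[{qtype}] {name}".format(**row))
```

In practice the three inputs would come from the syslog file, a cron job that appends "arp -a" output with a timestamp, and the existing nmblookup loop; keeping each snapshot's timestamp next to its data lets the join pick the snapshot nearest each query rather than whatever was captured last.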



