[Dnsmasq-discuss] log-queries logging MAC addresses
Simon Kelley
simon at thekelleys.org.uk
Wed Jan 14 11:49:18 GMT 2009
Tomasz Nowak wrote:
> So I have a network of Windows machines that use NetBIOS for name
> resolution. There is also an ADSL modem/router in the network that
> assigns IP addresses with DHCP.
>
> I configured a Linux box with dnsmasq that transparently logs and caches
> DNS queries, configured the router with the Primary DNS pointing at that
> Linux. When the machine goes down, which happens - it's a very old
> one ;-), the external Secondary DNS is used.
>
> That works well.
>
> Now that I'm interested in monitoring DNS queries to detect malicious
> activity, I enable the "log-queries" option in the dnsmasq.conf file.
> Unfortunately the IP addresses logged with the queries are not very
> usable to me - there is another DHCP server in the network.
>
> I would like to see a MAC address in the syslog, not to mention - the
> NetBIOS name, that I now periodically achieve with
> "nmblookup -A 192.168.1.$x" with x in 1..255 and correlate with syslog
> entries.
>
> Any ideas, how to work around this limitation now?
That information isn't really available to the DNS part of dnsmasq: the
MAC address to IP address mapping is hidden in the kernel level stuff.
The NetBIOS stuff is even more unavailable.
One obvious suggestion would be to run "arp -a" periodically. That would
give you "snapshot" MAC addresses in the same way that you get netbios
names.
Cheers,
Simon.
>
> Regards
> Tomasz
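The periodic "arp -a" snapshot suggested in the reply above, joined to log-queries lines by time, as an added example that is not part of the original thread or of dnsmasq. It assumes syslog-style lines of the form `query[A] name from ip`, the Linux net-tools `arp -a` output layout, and a year supplied by the operator (syslog timestamps carry none); all sample data is constructed.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Assumed layouts: syslog line written by dnsmasq log-queries, Linux "arp -a" output.
QUERY_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (?:\S+ )?dnsmasq\[\d+\]: "
                      r"query\[(\w+)\] (\S+) from (\S+)$")
ARP_RE = re.compile(r"\(([\d.]+)\) at ([0-9A-Fa-f:]{17}) ")

def parse_ts(text, year=2009):
    # Syslog timestamps have no year; the year is an assumption of this example.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def load_snapshots(snapshots):
    """[(timestamp, 'arp -a' text)] -> {ip: time-sorted [(datetime, mac)]}"""
    history = {}
    for ts, text in snapshots:
        for ip, mac in ARP_RE.findall(text):  # "<incomplete>" entries do not match
            history.setdefault(ip, []).append((parse_ts(ts), mac.lower()))
    for seen in history.values():
        seen.sort()
    return history

def mac_at(history, ip, when):
    """MAC from the last snapshot taken at or before `when`, else None."""
    seen = history.get(ip, [])
    i = bisect_right(seen, (when, "\uffff"))
    return seen[i - 1][1] if i else None

def annotate(log_lines, history):
    """Return (timestamp, ip, mac, qtype, name) for every query line."""
    rows = []
    for line in log_lines:
        m = QUERY_RE.match(line.strip())
        if m:  # replies, forwards and cache hits are skipped
            ts, qtype, name, ip = m.groups()
            rows.append((ts, ip, mac_at(history, ip, parse_ts(ts)), qtype, name))
    return rows

# Constructed sample data: 192.168.1.23 is re-leased to another host at noon.
ARP_SNAPSHOTS = [
    ("Jan 14 11:00:00", "? (192.168.1.23) at 00:11:22:33:44:55 [ether] on eth0\n"
                        "? (192.168.1.50) at <incomplete> on eth0\n"),
    ("Jan 14 12:00:00", "? (192.168.1.23) at 66:77:88:99:AA:BB [ether] on eth0\n"),
]
QUERY_LOG = [
    "Jan 14 11:49:18 dnsmasq[1234]: query[A] example.com from 192.168.1.23",
    "Jan 14 12:05:00 dnsmasq[1234]: query[A] example.org from 192.168.1.23",
    "Jan 14 12:06:00 dnsmasq[1234]: query[A] example.net from 192.168.1.50",
    "Jan 14 12:06:00 dnsmasq[1234]: forwarded example.net to 192.0.2.53",
]
```

A `None` in the MAC column means no snapshot at or before the query held a resolved entry for that address, so the snapshot interval bounds how reliable the attribution is.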