It is a client/server passive DNS logger. The monitoring agent
sniffs DNS packets on the network, processes them and forwards them to
the server, which writes the DNS data to syslog.
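To show the processing step the agent and server perform between a captured DNS packet and a syslog line, here is an added example that is not the tool's own code: a minimal passive DNS decoder in Python that parses a raw DNS message (the UDP payload), follows RFC 1035 name compression, and turns each answer record of a response into a hostname/IP mapping line. The log line layout, the function names and the sample packet are my own constructions.

```python
import struct
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA"}

def decode_name(pkt, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # 2-byte pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:                        # root label ends the name
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_dns(pkt):  # -> (is_response, [(qname, qtype)], [(owner, rtype, ttl, value)])
    _, flags, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        questions.append((name, struct.unpack("!H", pkt[off:off + 2])[0]))
        off += 4                               # skip qtype + qclass
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record -> dotted quad
            value = ".".join(str(b) for b in pkt[off:off + 4])
        else:                                  # NS/CNAME/PTR -> name; others -> hex
            value = decode_name(pkt, off)[0] if rtype in (2, 5, 12) else pkt[off:off + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return bool(flags & 0x8000), questions, answers

def log_lines(pkt, client, server, ts):  # one syslog-style line per answer (layout is my assumption)
    is_resp, questions, answers = parse_dns(pkt)
    if not is_resp or not questions:           # queries carry no mappings: skip
        return []
    qname, qtype = questions[0]
    return [f"{ts} passivedns {server}>{client} q={qname}/{TYPE_NAMES.get(qtype, qtype)} "
            f"{n} {TYPE_NAMES.get(t, t)} {v} ttl={ttl}" for n, t, ttl, v in answers]

# Constructed sample response: host.example.com CNAME www.example.com A 192.0.2.10 (pointers into the question)
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
          b"\x04host\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x06\x03www\xc0\x11"
          b"\xc0\x2e\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a")
print("\n".join(log_lines(SAMPLE, "192.0.2.50", "192.0.2.53", 1700000000)))
```

In a real agent the bytes would come from a mirrored port via a packet capture library, and the lines would be shipped to the server instead of printed.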
Why use it?
I built the tool to solve a common problem.
Every time I asked the DNS infrastructure administrators to enable
logging for a security related issue, they refused because logging
would crush the service or significantly impact DNS performance.
I needed the data and could not make them turn on logging, so I
built this tool to run on small embedded UNIX computers that I placed
next to each DNS server. I mirrored the network ports and logged
all DNS traffic without any impact to the DNS service itself.
The data proved immensely valuable. Time and time again, I was able to
pull DNS logs and answer security questions. There are many uses
for the logs, a few of which include time-specific IP and hostname
mappings, which DNS servers are responding for which domains, strange
DNS requests, answers and errors, and general patterns for valid and
invalid DNS traffic.
What is in the works?
If there is interest in this tool, I will clean up the code and
documentation and post the source. The tool is stable and works
well as is. I plan to add some anomaly detection code in the
sniffer instead of post-processing the log files.