-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Caching behaviour #78
Comments
I am also seeing the same thing I believe. When running passivedns on a BIND DNS Caching server, I see the client IP in the logs for each DNS request sourcing from the dnscaching server itself. i.e. tcpdump example of a workstation querying for amazon.com: key:10.x.x.x = client
output from /var/log/passivedns.log:please note that 10.10.x.x again is the caching server, not the client who made the request.
Running passivedns with the following flags: [root@myserv src]# passivedns -i eth1 -l /var/log/passivedns.log -u myuser -D -p /var/run/passivedns/passivedns.pid It appears passivedns must be snagging the first response from the dns resolver to the dns caching server and not parsing the second response from the caching server to the client. |
Yeah, so this is by design :) So, from the above, this is probably what happens (or should happen): client -> cache -> resolver then client <- cache <- resolver Passivedns sees the queries: The resolver answers the cache, and at that time, passivedns writes out the logline (query + answer was seen) from that session. When the cache answers the client, it just updates the cached in memory table, like the client IP, timestamp, count. So it will not print the client IP in the logs. You could start two instances of passivedns, and use bpf filters to just look at client <> cache, and cache <> resolver etc. Hope this helps. Edward |
I was able to BPF filter out all of my resolvers and only collect the client <> caching servers. Thanks! |
Not sure this is an issue or working as designed.
However, it seems that we miss many of the client IP queries/logs because we enabled cache. To reduce bandwidth used for logs we very much want to keep cache enabled though.
We see our DNS resolver's query for "bad domain" to the Internet but we don't see the IP generating it. In many cases at least. When disabling cache it shows up.
Is that working as designed, regarding cache?
Running with below:
/usr/sbin/passivedns -i eth0 -X 46CDNPRSxs -P 3600 -y -Y -D -p /var/run/passivedns.pid
/usr/sbin/passivedns -V
[] PassiveDNS 1.1.3
[] By Edward Bjarte Fjellskål edward.fjellskaal@gmail.com
[] Using libpcap version 1.4.0
[] Using ldns version 1.6.17
The text was updated successfully, but these errors were encountered: