Passivedns processing mirrored traffic

Question

Passivedns processing mirrored traffic

kevdel opened this issue 9 years ago · 3 comments

Issue: dns requests contained within mirrored traffic sent to host running passivedns are not showing up with passivedns log

following setup

tomato router (192.168.1.1) with iptables rules for a particular host (192.168.1.1.124) on my network to mirror all traffic to a raspberry pi (192.168.1.128). rapsberry pi is running passivedns listening on eth0

TCPDUMP Output on raspberry pi from "wget bearsalive.com" run on my 192.168.1.124 host
02:22:04.608185 IP 192.168.1.124.46413 > 8.8.8.8.53: 55093+ A? bearalive.com. (31)

However there is no entry made to the /var/log/passivedns.log file

Answer 1 · 2015-11-27T07:30:19.000Z

Edit: wow, i should start reading before i answer stuff. Sorry for that.

When you exit passivedns, it prints some statistics, anything there? And, are you seeing both the query and the reply. As far as iknow this implementation of passive DNS needs both query and reply.

Answer 2 · 2015-11-27T07:35:03.000Z

kevdel: you can send me a pcap collected from the RPi of one dns query+ the answer. Ill take a look.

Answer 3 · 2015-11-27T16:04:17.000Z

Apologies to all. My outbound DNS traffic was getting pushed to the pi
running passive dns but the return traffic was not. Once I put a rule in to
mirror any target machine inbound traffic to the pi then the passivedns
daemon picked up the request and logged correctly.

my bad..

On Fri, Nov 27, 2015 at 1:35 AM, Edward Fjellskål notifications@github.com
wrote:

kevdel: you can send me a pcap collected from the RPi of one dns query+
the answer. Ill take a look.

—
Reply to this email directly or view it on GitHub
#63 (comment)
.