Logging DNS queries

If you ever need to look at the DNS queries sent to your server, there are two ways: logging them on the server, or looking at the DNS traffic itself on port 53.

Logging queries in Bind

Logging is definitely the more reliable option and, if you’re using BIND, can be turned on at runtime with rndc.

To check if logging is enabled:

# rndc status |grep query
query logging is OFF

To turn logging on:

# rndc querylog on
# rndc status |grep query
query logging is ON

Once logging is enabled, the requests are by default logged to /var/log/messages:

# cat /var/log/messages |grep named |grep query
Jul 15 13:44:36 nas named[1858]: client 10.1.1.3#64896: query: steamr.com IN A + (10.1.1.9)
Jul 15 13:44:36 nas named[1858]: client 10.1.1.3#64897: query: steamr.com IN AAAA + (10.1.1.9)
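As an added example (not part of the original post), here is a small Python parser for the query-log lines above. It pulls the client address, queried name, record type and recursion flag out of each line and tallies queries per client and per name, which is the quickest way to spot an unusually chatty client in a busy log. The sample input is the two lines from the post plus constructed lines for a second client and a non-query message.

```python
import re
from collections import Counter

# Matches the "query:" lines BIND writes via syslog, e.g.
#   Jul 15 13:44:36 nas named[1858]: client 10.1.1.3#64896: query: steamr.com IN A + (10.1.1.9)
# Groups: client IP, client port, name, class, type, flags, server address answering.
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
)

def parse_query_line(line):
    """Return a dict describing one query-log line, or None if it is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["port"] = int(q["port"])
    # In BIND's query log a leading '+' means the client asked for recursion, '-' that it did not.
    q["recursion_desired"] = q["flags"].startswith("+")
    return q

def summarize(lines):
    """Count queries per client and per (name, type) across a batch of log lines."""
    per_client = Counter()
    per_name = Counter()
    for line in lines:
        q = parse_query_line(line)
        if q is None:          # skip zone loads, notifies and other non-query messages
            continue
        per_client[q["client"]] += 1
        per_name[(q["name"], q["qtype"])] += 1
    return per_client, per_name

# Constructed sample: the two lines from the post plus invented lines for a second client
# and one non-query message, so the parser's filtering is exercised too.
SAMPLE_LOG = """\
Jul 15 13:44:36 nas named[1858]: client 10.1.1.3#64896: query: steamr.com IN A + (10.1.1.9)
Jul 15 13:44:36 nas named[1858]: client 10.1.1.3#64897: query: steamr.com IN AAAA + (10.1.1.9)
Jul 15 13:44:40 nas named[1858]: client 10.1.1.7#51000: query: example.com IN MX + (10.1.1.9)
Jul 15 13:44:41 nas named[1858]: client 10.1.1.7#51001: query: steamr.com IN A - (10.1.1.9)
Jul 15 13:45:02 nas named[1858]: zone example.com/IN: loaded serial 42
""".splitlines()

if __name__ == "__main__":
    clients, names = summarize(SAMPLE_LOG)
    for client, n in clients.most_common():
        print(f"{client}: {n} queries")
    for (name, qtype), n in names.most_common():
        print(f"{name} {qtype}: {n}")
```

Feeding it the real log is a matter of replacing SAMPLE_LOG with the lines of /var/log/messages, for example `summarize(open("/var/log/messages"))`.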

DNS Traffic

To look at the actual DNS traffic (either directly to your server or sniffing on a network), use tcpdump. Here is an example of me looking up ‘steamr.com’ while tcpdump was running.

# tcpdump -n -s 1500 -i eth1 port 53
13:44:43.398635 IP 10.1.1.3.64903 > 10.1.1.9.domain: 6+ A? steamr.com. (28)
13:44:43.399434 IP 10.1.1.9.domain > 10.1.1.3.64903: 6 1/13/13 A 209.217.226.237 (463)
13:44:43.400415 IP 10.1.1.3.64904 > 10.1.1.9.domain: 7+ AAAA? steamr.com. (28)
13:44:43.401365 IP 10.1.1.9.20821 > 64.59.135.135.domain: 4278+ [1au] AAAA? steamr.com. (39)
13:44:43.412659 IP 64.59.135.135.domain > 10.1.1.9.20821: 4278 0/1/0 (74)
13:44:43.413243 IP 10.1.1.9.domain > 10.1.1.3.64904: 7 0/1/0 (74)

You can see the queries, denoted by a question mark (?) after the record type (the + after the query ID means recursion was requested), and the responses to those queries, where a count such as 1/13/13 is the number of answer, authority and additional records returned.
