Discussion:
[Dnsmasq-discuss] [PATCH] log requests that aren't configured to be forwarded
Justin Grudzien
2017-07-17 18:44:42 UTC
We are running DNSMasq to whitelist domains within AWS. We wanted all
domains not in the whitelist to produce a log line to be forwarded to our
SIEM. Our goal is to detect people attempting DNS attacks against us. Here
is a patch that produces a simple log line if a forwarding is not
attempted.

I would love this to be added to the main codebase. It is a simple change
and will allow others to track non-whitelisted domains.

Justin
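Until such a patch is merged, the same signal can be recovered on the SIEM side from dnsmasq's standard `log-queries` output. The script below is an added example, not the poster's patch or part of dnsmasq: it reads the `server=/domain/upstream` whitelist from a constructed config fragment, parses constructed query log lines, and reports every query (with client IP) for a name that is neither a whitelisted domain nor a subdomain of one. It assumes a whitelist-only setup with no default upstream, so any such name is one dnsmasq would not forward.

```python
import re

# Constructed sample config (not from the original post). In dnsmasq,
# server=/domain/upstream forwards that domain and its subdomains; with
# no default upstream configured, every other name is not forwarded.
SAMPLE_CONFIG = """
server=/amazonaws.com/10.0.0.2
server=/example.com/10.0.0.2
"""

# Constructed sample lines in dnsmasq's log-queries format.
SAMPLE_LOG = """
Jul 17 18:44:42 ns1 dnsmasq[1234]: query[A] s3.amazonaws.com from 10.1.2.3
Jul 17 18:44:43 ns1 dnsmasq[1234]: query[A] www.example.com from 10.1.2.3
Jul 17 18:44:44 ns1 dnsmasq[1234]: query[TXT] unknown-host.invalid from 10.1.2.9
Jul 17 18:44:45 ns1 dnsmasq[1234]: query[A] exampleXcom.net from 10.1.2.9
"""

QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] "
                      r"(?P<name>\S+) from (?P<client>\S+)")


def load_whitelist(config_text):
    """Collect the domains dnsmasq is configured to forward (server=/domain/...)."""
    domains = set()
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith("server=/"):
            parts = line.split("/")
            if len(parts) >= 3 and parts[1]:
                domains.add(parts[1].lower().rstrip("."))
    return domains


def is_forwarded(name, whitelist):
    """True if name equals a whitelisted domain or is a subdomain of one.

    The label boundary check ("." + d) avoids matching exampleXcom.net
    or notexample.com against example.com."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in whitelist)


def find_unforwarded(log_text, whitelist):
    """Return (client, qtype, name) for each query dnsmasq would not forward."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and not is_forwarded(m.group("name"), whitelist):
            hits.append((m.group("client"), m.group("qtype"), m.group("name")))
    return hits


if __name__ == "__main__":
    for client, qtype, name in find_unforwarded(SAMPLE_LOG, load_whitelist(SAMPLE_CONFIG)):
        print(f"not forwarded: {client} asked {qtype} {name}")
```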
Justin Grudzien
2017-07-19 20:32:37 UTC
I made a small update to the patch where it adds the IP address in the log
message. This will identify the server making the request for the domain
that is not configured to forward.

Justin
Post by Justin Grudzien
We are running DNSMasq to whitelist domains within AWS. We wanted all
domains not in the whitelist to produce a log line to be forwarded to our
SIEM. Our goal is to detect people attempting DNS attacks against us. Here
is a patch that produces a simple log line if a forwarding is not
attempted.
I would love this to be added to the main codebase. It is a simple change
and will allow others to track non-whitelisted domains.
Justin
Justin Grudzien
2017-07-19 20:57:57 UTC
I made a small mistake in the patch. Here is the fix!

Justin
Post by Justin Grudzien
I made a small update to the patch where it adds the IP address in the log
message. This will identify the server making the request for the domain
that is not configured to forward.
Justin
Post by Justin Grudzien
We are running DNSMasq to whitelist domains within AWS. We wanted all
domains not in the whitelist to produce a log line to be forwarded to our
SIEM. Our goal is to detect people attempting DNS attacks against us. Here
is a patch that produces a simple log line if a forwarding is not
attempted.
I would love this to be added to the main codebase. It is a simple change
and will allow others to track non-whitelisted domains.
Justin
Justin Grudzien
2017-09-25 19:35:52 UTC
Simon,

I see that you are back and wanted to bring this up again. We are using
DNSMasq within AWS to perform DNS whitelisting and I noticed that there is
no log line produced when a domain is NOT configured to be forwarded. I
think this patch should take care of it and would love to have it
considered.

Justin
Post by Justin Grudzien
I made a small mistake in the patch. Here is the fix!
Justin
Post by Justin Grudzien
I made a small update to the patch where it adds the IP address in the
log message. This will identify the server making the request for the
domain that is not configured to forward.
Justin
Post by Justin Grudzien
We are running DNSMasq to whitelist domains within AWS. We wanted all
domains not in the whitelist to produce a log line to be forwarded to our
SIEM. Our goal is to detect people attempting DNS attacks against us. Here
is a patch that produces a simple log line if a forwarding is not
attempted.
I would love this to be added to the main codebase. It is a simple
change and will allow others to track non-whitelisted domains.
Justin