Discussion:
[Dnsmasq-discuss] selecting log queries
John Pearson
2018-03-08 02:09:21 UTC
A shot in the dark:

Is there any way to differentiate or only log domains that are directly
queried? Example:

when I go to github.com from the browser, this is the dnsmasq log file:

Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.8.8
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 127.0.0.53
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.112
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.112
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: forwarded collector.githubapp.com to 8.8.4.4
Mar 7 18:06:07 dnsmasq[29158]: reply collector.githubapp.com is <CNAME>
Mar 7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 52.206.98.11
Mar 7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 54.210.59.237
Mar 7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 34.228.249.31
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: forwarded api.github.com to 8.8.4.4
Mar 7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.116
Mar 7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.117


Is there any way to log or filter only github.com? Instead of queries for
github, collector.githubapp.com, api.github.com.

What I'm trying to do: grep log files for domains intentionally asked for.

Thanks.
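As an added example (not from this thread or from dnsmasq itself), a small Python parser for the query lines in the log above. It labels a client's query "primary" when that client was idle beforehand and "follow-on" when it arrives within a few seconds of the client's previous query; this time-gap heuristic, the gap_seconds threshold, the skipping of loopback re-queries and the year (absent from the syslog timestamps) are assumptions of the example, not dnsmasq features.

```python
import re
from datetime import datetime

# Sample input constructed from the log lines quoted in the post above.
SAMPLE_LOG = """\
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: reply collector.githubapp.com is <CNAME>
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.116
"""

# Matches the syslog-style dnsmasq "query[TYPE] name from client" lines only.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")


def parse_queries(lines, year=2018):
    """Return (timestamp, qtype, name, client) per query line. 'forwarded' and
    'reply' lines are skipped: they describe the same lookup, not a new one.
    The year is an assumption because syslog timestamps omit it."""
    out = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["qtype"], m["name"], m["client"]))
    return out


def classify(queries, gap_seconds=5):
    """Heuristic (an assumption of this example): a client's query is
    'primary' if that client was quiet for more than gap_seconds before it,
    otherwise 'follow-on' (likely a name the page itself loaded). Loopback
    re-queries from a local stub resolver are dropped, not counted as a client."""
    last_seen = {}
    labelled = []
    for ts, _qtype, name, client in sorted(queries, key=lambda q: q[0]):
        if client.startswith("127."):
            continue
        prev = last_seen.get(client)
        quiet = prev is None or (ts - prev).total_seconds() > gap_seconds
        labelled.append((name, client, "primary" if quiet else "follow-on"))
        last_seen[client] = ts
    return labelled
```

Feed it a whole log with `classify(parse_queries(open(path)))`; lowering gap_seconds makes the split stricter, and a busy page that keeps resolving names extends its own burst.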
Geert Stappers
2018-03-08 08:55:01 UTC
Post by John Pearson
What I'm trying to do: grep log files for domains intentionally asked for.
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163


Greetings
Geert Stappers
--
Live and let live
John Pearson
2018-03-08 19:03:53 UTC
Thanks Geert. I meant that in this case collector.githubapp.com &
api.github.com are also domains that I didn't directly request. They were
requested by the page when I went to github.com if that makes sense.
Post by John Pearson
Post by John Pearson
What I'm trying to do: grep log files for domains intentionally asked for.
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Greetings
Geert Stappers
--
Live and let live
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Geert Stappers
2018-03-08 20:09:14 UTC
Post by John Pearson
Post by John Pearson
Post by John Pearson
What I'm trying to do: grep log files for domains intentionally asked for.
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Thanks Geert. I meant that in this case collector.githubapp.com &
api.github.com are also domains that I didn't directly request. They were
requested by the page when I went to github.com if that makes sense.
So all requests came from the same web browser.
Try to understand why the requests should be marked differently.
Then try to understand why a name server should log them differently.


Greetings
Geert Stappers
--
Live and let live
John Pearson
2018-03-09 05:28:41 UTC
Yeah, all the requests came from the browser. I can't immediately think of
how to parse out an implicit request versus the page itself querying more
domains.
Post by John Pearson
Post by John Pearson
Post by John Pearson
Post by John Pearson
What I'm trying to do: grep log files for domains intentionally asked for.
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Thanks Geert. I meant that in this case collector.githubapp.com &
api.github.com are also domains that I didn't directly request. They were
requested by the page when I went to github.com if that makes sense.
So all requests came from the same web browser.
Try to understand why the requests should be marked differently.
Then try to understand why a name server should log them differently.
Greetings
Geert Stappers
--
Live and let live
Geert Stappers
2018-03-09 07:25:57 UTC
Post by John Pearson
Post by Geert Stappers
... I meant that in this case collector.githubapp.com &
api.github.com are also domains that I didn't directly request.
They were requested by the page when I went to github.com if that
makes sense.
So all requests came from the same web browser.
Try to understand why the requests should be marked differently.
Then try to understand why a name server should log them differently.
Yeah, all the requests came from the browser. I can't immediately think of
how to parse out an implicit request versus the page itself querying more
domains.
OK, continue your pursuit of "what is the webbrowser doing" with
a tool like mitmproxy https://mitmproxy.org/


Good luck with it. So that people can read the discussion in order,
place responses _below_ the previous post.


Greetings
Geert Stappers
--
Live and let live