Install passive DNS on Debian

 Uncategorized  Add comments
Feb 042014
 

I won’t descripe what pDNS is, just the nitty gritty setup. I have chosen PassiveDNS from Edward Bjarte FjellskÃ¥l as my pDNS software of choice and here is how you set it up:

as root do:

apt-get install git-core binutils-dev libldns1 libldns-dev libpcap-dev 
git clone git://github.com/gamelinux/passivedns.git
cd passivedns/src/
make

optional: make install

If you want to start it up manually, you can write (using 16 MB mem, increase to your needs):
./passivedns -i eth0 -S 16 -l /var/log/passivedns.log -L /var/log/passivedns-nx.log -P 86400 -X 46CDNOPRSTMnx -D
(Note: “-D” lets it run as daemon)

You will see /var/log/passivedns.log quickly populate now, that’s it! :-) The raw logs will look something like this:

1391544435.431674||127.0.0.1||8.8.8.8||IN||wordpress.org.||A||66.155.40.249||168||1
1391544435.431674||127.0.0.1||8.8.8.8||IN||wordpress.org.||A||66.155.40.250||168||1
1391544444.563846||127.0.0.1||8.8.8.8||IN||akismet.com.||A||66.135.58.59||187||1
1391544444.563846||127.0.0.1||8.8.8.8||IN||akismet.com.||A||66.135.58.60||187||1
1391544444.564107||127.0.0.1||8.8.8.8||IN||codex.wordpress.org.||A||66.155.40.241||3672||1
1391544444.584109||127.0.0.1||8.8.8.8||IN||planet.wordpress.org.||CNAME||wordpress.org.||10561||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.69||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.66||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.73||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.64||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.68||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.72||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.65||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.71||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.67||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.70||200||1
1391544639.743394||127.0.0.1||8.8.8.8||IN||plus.google.com.||A||173.194.113.78||200||1
1391544640.098157||127.0.0.1||8.8.8.8||IN||github.com.||A||192.30.252.131||7||1
1391544640.216162||127.0.0.1||8.8.8.8||IN||ssl-google-analytics.l.google.com.||A||173.194.112.30||299||1

Okay, bonus part, put it all in a MySQL Database:

Install datetime perl module
apt-get install libdatetime-perl

Create a pDNS MySQL user, database and password:

GRANT USAGE ON *.* TO 'pdns'@'localhost' IDENTIFIED BY 'pdns';
GRANT SELECT,CREATE,INSERT,UPDATE ON pdns.* TO 'pdns'@'localhost';
flush privileges;
CREATE DATABASE pdns;

(in passivedns directory, with passivedns daemon running do)

cd tools
perl pdns2db.pl --file /var/log/passivedns.log

Now the data is put into MySQL. You can check it using “echo “select * from pdns limit 10;” | mysql -updns -ppdns -hlocalhost pdns“.

It will look something like:

ID      QUERY           MAPTYPE RR      ANSWER          TTL     COUNT   FIRST_SEEN              LAST_SEEN
38      www.google.com  A       IN      173.194.116.211 296     1       2014-02-04 16:42:06     2014-02-04 16:42:06
39      www.google.com  A       IN      173.194.116.209 296     1       2014-02-04 16:42:06     2014-02-04 16:42:06
40      www.google.com  A       IN      173.194.116.210 296     1       2014-02-04 16:42:06     2014-02-04 16:42:06
41      www.google.com  A       IN      173.194.116.208 296     1       2014-02-04 16:42:06     2014-02-04 16:42:06
42      www.google.com  A       IN      173.194.116.212 296     1       2014-02-04 16:42:06     2014-02-04 16:42:06
44      plus.google.com A       IN      173.194.112.36  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
45      plus.google.com A       IN      173.194.112.32  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
46      plus.google.com A       IN      173.194.112.33  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
47      plus.google.com A       IN      173.194.112.41  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
48      plus.google.com A       IN      173.194.112.38  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
49      plus.google.com A       IN      173.194.112.46  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
50      plus.google.com A       IN      173.194.112.37  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
51      plus.google.com A       IN      173.194.112.34  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
52      plus.google.com A       IN      173.194.112.39  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
53      plus.google.com A       IN      173.194.112.40  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06
54      plus.google.com A       IN      173.194.112.35  299     1       2014-02-04 16:42:06     2014-02-04 16:42:06

Here is a post which describes how to add logging of client IPs into the MySQL DB.

  One Response to “Install passive DNS on Debian”

  1. Adding client IP logging to gamelinux passivedns » we got style says:
    28/05/2014 at 06:54

    […] I have recently added the ability to log the client IP of passivedns from gamelinux (how to install passivedns on debian can be found here): […]

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)