Kyle Fiducia wrote:
> But the logs I am seeing coming out of DNS tap reference the
> responding authoritative server. So it mentions "evil-host.tld" but
> gives the authoritative nameserver IP address that responded with the
> A record, not the contents of the A record, so 1.2.3.4 is not present
> in my logs.
Hi, Kyle:

The data you're looking for is going to be included in the DNS answer section of the DNS response message payload. And there might be more than one A record for "evil-host.tld" in the response, of course.

What tool are you using to decode your dnstap logs? The three dedicated tools that I'm aware of (the standalone dnstap-ldns and golang-dnstap tools, and the dnstap-read tool included with BIND) default to using a compact one-line-per-message representation that resembles what you described above, but they also have a more verbose format that can be enabled with the '-y' parameter, which includes a full decode of the DNS response sections.

BTW, at one point I was working on adding support for decoding Frame Streams files with dnstap-encoded payloads to Wireshark. I started it but didn't finish it; the hardest part looked like it was going to be integrating a protobuf decoder and code generator into the build system (and making it work on the platforms supported by Wireshark), rather than actually implementing the dnstap dissector.

-- 
Robert Edmonds

_______________________________________________
dnstap mailing list
[email protected]
http://lists.redbarn.org/mailman/listinfo/dnstap
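As an added illustration of the point Robert makes above (the A record contents live in the answer section of the response message carried by dnstap, and there may be several of them), here is a small standalone RFC 1035 wire-format parser that walks the answer section of a DNS response and pulls out every A record. This is example code written for this page; it is not from any of the dnstap tools or from either poster. It assumes you have already extracted the raw response message bytes from the dnstap frame (that step is tool-specific and not shown). The sample response it builds is constructed here: "evil-host.tld" and 1.2.3.4 come from the thread, the second address 5.6.7.8 and the TTLs are made up.

```python
import socket
import struct


def _read_name(msg, offset):
    """Decode a DNS name at `offset`, following RFC 1035 4.1.4 compression
    pointers. Returns (name, offset just past the name in the original stream)."""
    labels = []
    end = None          # where the caller resumes reading, set on first pointer
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Two-byte compression pointer with a 14-bit offset.
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            hops += 1
            if hops > 64:   # guard against pointer loops in malformed data
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (end if end is not None else offset)


def _skip_question(msg, offset):
    """Advance past one question entry (QNAME + QTYPE + QCLASS)."""
    _, offset = _read_name(msg, offset)
    return offset + 4


def answer_a_records(msg):
    """Return [(owner_name, ttl, ipv4_string)] for every IN A record in the
    answer section of a DNS response message. Other record types (e.g. a
    CNAME in a chain) are skipped, so the owner name of an A record may differ
    from the name that was queried."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_question(msg, offset)
    results = []
    for _ in range(ancount):
        owner, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # TYPE A, CLASS IN
            results.append((owner, ttl, socket.inet_ntoa(rdata)))
    return results


def build_sample_response():
    """Constructed sample: a response for evil-host.tld carrying two A records.
    1.2.3.4 is from the thread; 5.6.7.8 and the TTL of 300 are made up."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # QR=1 RD=1 RA=1
    qname = b"\x09evil-host\x03tld\x00"
    question = qname + struct.pack("!HH", 1, 1)

    def rr(ip, ttl):
        # 0xC00C is a compression pointer back to the QNAME at offset 12.
        return b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)

    return header + question + rr("1.2.3.4", ttl=300) + rr("5.6.7.8", ttl=300)


if __name__ == "__main__":
    for owner, ttl, ip in answer_a_records(build_sample_response()):
        print(f"{owner}\t{ttl}\tIN\tA\t{ip}")
```

Running it prints one line per A record, which is exactly the enrichment a log pipeline needs so that the resolved addresses, not just the responding nameserver, end up in the searchable record.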
