It's not powerdns specific, but we have been using packetbeat for that sort of work.
Chris Stradtman

On Mon, Apr 2, 2018 at 6:06 AM, Brian Candler <[email protected]> wrote:
> I'm investigating how to monitor DNS queries as a source of security
> information for breach detection. In the case of client machines, we can
> check the queries against a blacklist of known C&C or malware domains; in
> the case of servers, we know they should only be making outbound
> connections to a very limited set of domains, so we can highlight any
> queries outside of a restricted whitelist.
>
> I notice that pdns-recursor has a log-dns-queries option, but the manual
> warns: "Only enable for debugging!"
>
> I therefore wonder what approaches other people have taken to this
> problem. Is it possible to do this efficiently within pdns itself, e.g.
> using LUA [^1]? Should I put dnsdist in front [^2]? Or should I be
> passively sniffing the DNS query packets?
>
> I am happy for a degree of local aggregation to be done: e.g. if the same
> client queries the same domain 100 times in a minute, then a single
> aggregate record rather than 100 separate logs is fine (probably preferable
> in fact).
>
> On searching I came across these projects:
>
> https://github.com/DNS-OARC/dsc
> https://github.com/DNS-OARC/PacketQ
> https://github.com/JustinAzoff/bro-pdns
>
> Does anyone here have experience doing something similar, and what worked
> well?
>
> Thanks,
>
> Brian Candler.
>
> [^1] https://doc.powerdns.com/recursor/lua-config/protobuf.html
>
> [^2] I found these:
>
> https://dnsdist.org/reference/protobuf.html
> https://dnsdist.org/reference/dnstap.html
>
> _______________________________________________
> Pdns-users mailing list
> [email protected]
> https://mailman.powerdns.com/mailman/listinfo/pdns-users
> --
_______________________________________________ Pdns-users mailing list [email protected] https://mailman.powerdns.com/mailman/listinfo/pdns-users
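The two policies Brian describes (blocklist matching for workstations, a restricted allowlist for servers) plus the per-minute aggregation he is happy with can be shown as a small offline detector. The following is an added example and is not code from the thread, from PowerDNS, dnsdist or packetbeat. The log line format, the subnets used to tell workstations from servers, the blocklist and the server allowlist are all constructed for the illustration; a real deployment would feed it the protobuf or dnstap stream from the recursor or dnsdist instead.

```python
"""Aggregate DNS query logs per minute and flag suspicious lookups.

Added example, not code from the pdns-users thread or from PowerDNS.
The log format, client roles, blocklist and allowlist below are constructed.
"""
from collections import Counter
from datetime import datetime, timezone
import ipaddress

# Constructed sample log lines (not pdns-recursor / dnsdist output).
SAMPLE_LOG = """\
2018-04-02T06:06:01Z client=10.1.0.23 qname=www.example.org. qtype=A
2018-04-02T06:06:02Z client=10.1.0.23 qname=www.example.org. qtype=AAAA
2018-04-02T06:06:05Z client=10.1.0.23 qname=cnc.bad-domain.test. qtype=A
2018-04-02T06:06:09Z client=10.1.0.23 qname=beacon.cnc.bad-domain.test. qtype=A
2018-04-02T06:06:30Z client=10.2.0.7 qname=repo.updates.example.net. qtype=A
2018-04-02T06:06:31Z client=10.2.0.7 qname=repo.updates.example.net. qtype=A
2018-04-02T06:06:40Z client=10.2.0.7 qname=pastebin.example.com. qtype=A
2018-04-02T06:07:01Z client=10.2.0.7 qname=repo.updates.example.net. qtype=A
"""

# Constructed policy: which subnets are workstations vs. servers, the
# known-bad domains checked for workstations, and the only domains servers
# are expected to resolve.
CLIENT_NETS = [ipaddress.ip_network("10.1.0.0/16")]
SERVER_NETS = [ipaddress.ip_network("10.2.0.0/16")]
BLOCKLIST = {"bad-domain.test"}
SERVER_ALLOWLIST = {"updates.example.net", "ntp.example.net"}


def parse_line(line):
    """Parse one constructed log line into (timestamp, client_ip, qname)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    # Normalise the name: drop the trailing dot, compare case-insensitively.
    qname = fields["qname"].rstrip(".").lower()
    return when, ipaddress.ip_address(fields["client"]), qname


def aggregate(log_text):
    """Collapse repeated (minute, client, qname) tuples into a single count."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, qname = parse_line(line)
        bucket = when.replace(second=0)
        counts[(bucket, client, qname)] += 1
    return counts


def _matches(qname, domains):
    """True if qname equals one of `domains` or is a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in domains)


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def detect(counts):
    """Apply the two policies and return (kind, minute, client, qname, count)."""
    alerts = []
    ordered = sorted(counts.items(), key=lambda kv: (kv[0][0], str(kv[0][1]), kv[0][2]))
    for (bucket, client, qname), n in ordered:
        if _in_any(client, CLIENT_NETS) and _matches(qname, BLOCKLIST):
            alerts.append(("blocklist-hit", bucket, str(client), qname, n))
        elif _in_any(client, SERVER_NETS) and not _matches(qname, SERVER_ALLOWLIST):
            alerts.append(("server-outside-allowlist", bucket, str(client), qname, n))
    return alerts


if __name__ == "__main__":
    for kind, bucket, client, qname, n in detect(aggregate(SAMPLE_LOG)):
        print(f"{bucket:%Y-%m-%dT%H:%M}Z {kind}: {client} -> {qname} x{n}")
```

Suffix matching is deliberate in both directions: a blocklist entry for `bad-domain.test` should catch `beacon.cnc.bad-domain.test`, and an allowlist entry for `updates.example.net` should cover the hosts under it. The aggregation key includes the minute bucket, so a burst of identical lookups becomes one record with a count, which is the shape Brian asked for.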
