Re: [Dnsmasq-discuss] selecting log queries
On Thu, Mar 08, 2018 at 09:28:41PM -0800, John Pearson wrote:
> On Thu, Mar 8, 2018 at 12:09 PM, Geert Stappers wrote:
> > On Thu, Mar 08, 2018 at 11:03:53AM -0800, John Pearson wrote:
> > > ... I meant that in this case collector.githubapp.com &
> > > api.github.com are also domains that I didn't directly request.
> > > They were requested by the page when I went to github.com if that
> > > makes sense.
> >
> > So all requests came from the same webbrowser.
> > Try to understand why the requests should be marked different.
> > Then try to understand why a name server should log them differently.
>
> Yeah all the requests came from the browser. I can't immediately think of
> how to parse out an implicit request versus the page itself querying more
> domains.

OK, continue your pursuit of "what is the webbrowser doing"
with a tool like mitmproxy https://mitmproxy.org/

Good luck with it.

Make it possible that people can read in the discussion order,
place responses _below_ previous post.

Groeten
Geert Stappers
--
Leven en laten leven

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] selecting log queries
Yeah all the requests came from the browser. I can't immediately think of
how to parse out an implicit request versus the page itself querying more
domains.

On Thu, Mar 8, 2018 at 12:09 PM, Geert Stappers wrote:

> On Thu, Mar 08, 2018 at 11:03:53AM -0800, John Pearson wrote:
> > On Thu, Mar 8, 2018 at 12:55 AM, Geert Stappers wrote:
> > > On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> > > >
> > > > What I'm trying to do: grep log files for domains intentionally asked
> > > > for.
> > >
> > > Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
> > > Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
> > > Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
> > > Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
> >
> > Thanks Geert. I meant that in this case collector.githubapp.com &
> > api.github.com are also domains that I didn't directly request. They were
> > requested by the page when I went to github.com if that makes sense.
>
> So all requests came from the same webbrowser.
> Try to understand why the requests should be marked different.
> Then try to understand why a name server should log them differently.
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven
Re: [Dnsmasq-discuss] selecting log queries
On Thu, Mar 08, 2018 at 11:03:53AM -0800, John Pearson wrote:
> On Thu, Mar 8, 2018 at 12:55 AM, Geert Stappers wrote:
> > On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> > >
> > > What I'm trying to do: grep log files for domains intentionally asked
> > > for.
> >
> > Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
> > Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
> > Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
> > Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
>
> Thanks Geert. I meant that in this case collector.githubapp.com &
> api.github.com are also domains that I didn't directly request. They were
> requested by the page when I went to github.com if that makes sense.

So all requests came from the same webbrowser.
Try to understand why the requests should be marked different.
Then try to understand why a name server should log them differently.

Groeten
Geert Stappers
--
Leven en laten leven
Re: [Dnsmasq-discuss] selecting log queries
Thanks Geert. I meant that in this case collector.githubapp.com &
api.github.com are also domains that I didn't directly request. They were
requested by the page when I went to github.com if that makes sense.

On Thu, Mar 8, 2018 at 12:55 AM, Geert Stappers wrote:

> On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> >
> > What I'm trying to do: grep log files for domains intentionally asked for.
>
> Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
> Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
> Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
> Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven
Re: [Dnsmasq-discuss] selecting log queries
On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
>
> What I'm trying to do: grep log files for domains intentionally asked for.

Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163

Groeten
Geert Stappers
--
Leven en laten leven
[Dnsmasq-discuss] selecting log queries
A shot in the dark: Is there any way to differentiate or only log domains
that are directly queried?

Example: when I go to github.com from the browser, this is the dnsmasq log
file:

Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.8.8
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 127.0.0.53
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.112
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.112
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: forwarded collector.githubapp.com to 8.8.4.4
Mar 7 18:06:07 dnsmasq[29158]: reply collector.githubapp.com is
Mar 7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 52.206.98.11
Mar 7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 54.210.59.237
Mar 7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 34.228.249.31
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: forwarded api.github.com to 8.8.4.4
Mar 7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.116
Mar 7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.117

Is there any way to log or filter only github.com? Instead of queries for
github, collector.githubapp.com, api.github.com.

What I'm trying to do: grep log files for domains intentionally asked for.

Thanks.
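As an added example (not code from any poster in this thread or from the dnsmasq project), the script below parses the `query[...]` lines of a log in the format quoted above, drops loopback re-queries, and groups each client's lookups into bursts. The 5-second gap, the year 2018 supplied for the yearless syslog timestamps, and the final `example.org` sample line are assumptions; treating the first name of a burst as the one the user asked for is only a heuristic, because the log itself carries no marker that separates a typed domain from one the page requested.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines in the format quoted in the thread; the example.org line is constructed.
SAMPLE_LOG = """\
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar 7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar 7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar 7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar 7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar 7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Mar 7 18:09:30 dnsmasq[29158]: query[A] example.org from 10.1.0.163
"""

QUERY_RE = re.compile(  # a hostname field between time and "dnsmasq[pid]:" is optional
    r"^(?P<stamp>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?:\S+\s+)?dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[\w-]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$")

def parse_queries(text, year=2018, skip_clients=("127.0.0.1", "::1")):
    """Return (time, client, name) for every client query line, in log order."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m or m.group("client") in skip_clients:
            continue  # forwarded/reply lines and loopback re-queries are dropped
        when = datetime.strptime(f"{year} {m.group('stamp')}", "%Y %b %d %H:%M:%S")
        out.append((when, m.group("client"), m.group("name")))
    return out

def group_bursts(queries, gap=timedelta(seconds=5)):
    """Group each client's queries into bursts separated by more than `gap` (heuristic)."""
    bursts, current = [], {}  # current: client -> (time of last query, names list)
    for when, client, name in queries:
        last = current.get(client)
        if last is None or when - last[0] > gap:
            names = []
            bursts.append((client, names))
        else:
            names = last[1]
        if name not in names:
            names.append(name)
        current[client] = (when, names)
    return bursts

if __name__ == "__main__":
    for client, names in group_bursts(parse_queries(SAMPLE_LOG)):
        print(client, "first:", names[0], "followed by:", names[1:])
```
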