Re: [Dnsmasq-discuss] selecting log queries

2018-03-08 Thread Geert Stappers
On Thu, Mar 08, 2018 at 09:28:41PM -0800, John Pearson wrote:
> On Thu, Mar 8, 2018 at 12:09 PM, Geert Stappers wrote:
> > On Thu, Mar 08, 2018 at 11:03:53AM -0800, John Pearson wrote:
> > >  ... I meant that in this case collector.githubapp.com &
> > > api.github.com are also domains that I didn't directly request.
> > > They were requested by the page when I went to github.com if that
> > > makes sense.
> >
> > So all requests came from the same webbrowser.
> > Try to understand why the requests should be marked different.
> > Then try to understand why a name server should log them differently.
> 
> Yeah, all the requests came from the browser. I can't immediately think of
> how to parse out an implicit request versus the page itself querying more
> domains.

OK, continue your pursuit of "what is the webbrowser doing" with
a tool like mitmproxy https://mitmproxy.org/


Good luck with it. Make it possible that people can read in the discussion
order, place responses _below_ previous post.


Groeten
Geert Stappers
-- 
Leven en laten leven

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] selecting log queries

2018-03-08 Thread John Pearson
Yeah, all the requests came from the browser. I can't immediately think of
how to parse out an implicit request versus the page itself querying more
domains.

On Thu, Mar 8, 2018 at 12:09 PM, Geert Stappers wrote:

> On Thu, Mar 08, 2018 at 11:03:53AM -0800, John Pearson wrote:
> > On Thu, Mar 8, 2018 at 12:55 AM, Geert Stappers wrote:
> > > On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> > > >
> > > > What I'm trying to do: grep log files for domains intentionally asked
> > > > for.
> > >
> > > Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
> > > Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
> > > Mar  7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
> > > Mar  7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
> > >
> >
> > Thanks Geert. I meant that in this case collector.githubapp.com &
> > api.github.com are also domains that I didn't directly request. They were
> > requested by the page when I went to github.com if that makes sense.
>
> So all requests came from the same webbrowser.
> Try to understand why the requests should be marked different.
> Then try to understand why a name server should log them differently.
>
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven


Re: [Dnsmasq-discuss] selecting log queries

2018-03-08 Thread Geert Stappers
On Thu, Mar 08, 2018 at 11:03:53AM -0800, John Pearson wrote:
> On Thu, Mar 8, 2018 at 12:55 AM, Geert Stappers wrote:
> > On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> > >
> > > What I'm trying to do: grep log files for domains intentionally asked
> > > for.
> >
> > Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
> > Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
> > Mar  7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
> > Mar  7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
> >
> 
> Thanks Geert. I meant that in this case collector.githubapp.com &
> api.github.com are also domains that I didn't directly request. They were
> requested by the page when I went to github.com if that makes sense.
 
So all requests came from the same webbrowser.
Try to understand why the requests should be marked different.
Then try to understand why a name server should log them differently.


Groeten
Geert Stappers
-- 
Leven en laten leven



Re: [Dnsmasq-discuss] selecting log queries

2018-03-08 Thread John Pearson
Thanks Geert. I meant that in this case collector.githubapp.com &
api.github.com are also domains that I didn't directly request. They were
requested by the page when I went to github.com if that makes sense.

On Thu, Mar 8, 2018 at 12:55 AM, Geert Stappers wrote:

> On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> >
> > What I'm trying to do: grep log files for domains intentionally asked
> > for.
>
> Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
> Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
> Mar  7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
> Mar  7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
>
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven


Re: [Dnsmasq-discuss] selecting log queries

2018-03-08 Thread Geert Stappers
On Wed, Mar 07, 2018 at 06:09:21PM -0800, John Pearson wrote:
> 
> What I'm trying to do: grep log files for domains intentionally asked for.

Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar  7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar  7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163


Groeten
Geert Stappers
-- 
Leven en laten leven



[Dnsmasq-discuss] selecting log queries

2018-03-07 Thread John Pearson
A shot in the dark:

Is there any way to differentiate or only log domains that are directly
queried? Example:

when I go to github.com from the browser, this is the dnsmasq log file:

Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar  7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar  7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.8.8
Mar  7 18:06:04 dnsmasq[29158]: forwarded github.com to 127.0.0.53
Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar  7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar  7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar  7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.112
Mar  7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar  7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.112
Mar  7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar  7 18:06:07 dnsmasq[29158]: forwarded collector.githubapp.com to 8.8.4.4
Mar  7 18:06:07 dnsmasq[29158]: reply collector.githubapp.com is 
Mar  7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 52.206.98.11
Mar  7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 54.210.59.237
Mar  7 18:06:07 dnsmasq[29158]: reply analytics-collector-28944298.us-east-1.elb.amazonaws.com is 34.228.249.31
Mar  7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Mar  7 18:06:07 dnsmasq[29158]: forwarded api.github.com to 8.8.4.4
Mar  7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.116
Mar  7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.117


Is there any way to log or filter only github.com? Instead of queries for
github, collector.githubapp.com, api.github.com.

What I'm trying to do: grep log files for domains intentionally asked for.

Thanks.
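
An added example (not part of the thread and not dnsmasq's own code) that keeps only the `query[...]` lines from a log like the one above and groups each client's queries into time bursts. The function names, the 10-second gap, and treating the first name in a burst as the one asked for on purpose are assumptions of this example; the log itself does not record which lookups a page triggered.

```python
import re
from datetime import datetime, timedelta

# Sample: lines from the log in the original post (wrapped lines rejoined).
SAMPLE_LOG = """\
Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 10.1.0.163
Mar  7 18:06:04 dnsmasq[29158]: forwarded github.com to 8.8.4.4
Mar  7 18:06:04 dnsmasq[29158]: query[A] github.com from 127.0.0.1
Mar  7 18:06:04 dnsmasq[29158]: reply github.com is 192.30.255.113
Mar  7 18:06:07 dnsmasq[29158]: query[A] collector.githubapp.com from 10.1.0.163
Mar  7 18:06:07 dnsmasq[29158]: forwarded collector.githubapp.com to 8.8.4.4
Mar  7 18:06:07 dnsmasq[29158]: query[A] api.github.com from 10.1.0.163
Mar  7 18:06:07 dnsmasq[29158]: reply api.github.com is 192.30.255.116
""".splitlines()

# Matches only "query[TYPE] name from client"; forwarded/reply lines fall through.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

def parse_queries(lines, year=2018):
    """Yield (time, client, name) for query[...] lines only; syslog omits the year."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the padded day: "Mar  7"
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            yield ts, m["client"], m["name"]

def group_bursts(lines, gap_seconds=10):
    """Heuristic: per client, a query after gap_seconds of silence heads a new burst."""
    last_seen, current, bursts = {}, {}, []
    for ts, client, name in parse_queries(lines):
        prev = last_seen.get(client)
        if prev is None or ts - prev > timedelta(seconds=gap_seconds):
            current[client] = {"client": client, "head": name, "followers": []}
            bursts.append(current[client])
        elif name != current[client]["head"] and name not in current[client]["followers"]:
            current[client]["followers"].append(name)
        last_seen[client] = ts
    return bursts

if __name__ == "__main__":
    for b in group_bursts(SAMPLE_LOG):
        print(b["client"], b["head"], "->", ", ".join(b["followers"]) or "(none)")
```

Background lookups, prefetching and cached names all break the heuristic, so the burst heads are candidates to review rather than a record of what was typed.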