# nflog_dns

DNS packet syslogging using iptables NFLOG, written in C++. This program parses A, AAAA and PTR type DNS reply packets and logs the details to syslog or console.

Prebuilt .deb/.rpm packages for popular distributions can be downloaded from the Releases page.
## Building

nflog_dns requires the libfmt, libtins, libnetfilter_log and libspdlog libraries.

- sudo apt-get install build-essential libtins-dev libnetfilter-log-dev libspdlog-dev
- make
- sudo make test
## Installing

- Compile nflog_dns as above
- Optional: Edit the PREFIX in Makefile. By default it installs to /usr/local
- sudo make install
## Trying it out

- sudo ./start.sh
- sudo ./nflog_dns
- Make some DNS queries and observe the extracted names and IPs
- sudo ./stop.sh
## Building packages

- make deb
- make rpm
## Running as a service (init.d)

- Install nflog_dns as above
- Edit options in /etc/default/nflog_dns to suit your needs
- sudo update-rc.d nflog_dns defaults
- sudo service nflog_dns start
## Running as a service (systemd)

- Install nflog_dns as above
- Edit options in /etc/default/nflog_dns to suit your needs
- sudo systemctl enable nflog_dns.service
- sudo systemctl start nflog_dns.service
## Usage

```
% nflog_dns -h
Usage: nflog_dns [OPTION]...
Extract DNS replies from NFLOG group
  -g, --group=NUM            NFLOG group to bind (default: 123)
  -s, --syslog               log replies to syslog instead of stdout
  -f, --facility=FACILITY    facility for syslog logging (default: user)
  -l, --level=LOGLEVEL       log level for syslog logging (default: info)
  -h, --help                 print this help and exit
  -v, --version              show version and exit
      --log-a=BOOL           A record logging (default: yes)
      --log-aaaa=BOOL        AAAA record logging (default: yes)
      --log-cname=BOOL       CNAME record logging (default: yes)
      --log-mx=BOOL          MX record logging (default: yes)
      --log-ptr=BOOL         PTR record logging (default: yes)
      --log-txt=BOOL         TXT record logging (default: yes)
      --log-noerror=BOOL     NOERROR replies logging (default: yes)
      --log-formerr=BOOL     FORMERR error logging (default: no)
      --log-servfail=BOOL    SERVFAIL error logging (default: no)
      --log-nxdomain=BOOL    NXDOMAIN error logging (default: no)
      --log-notimpl=BOOL     NOTIMPL error logging (default: no)
      --log-refused=BOOL     REFUSED error logging (default: no)
```
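To make concrete what the program extracts from each reply before the `--log-*` filters apply, here is a small stand-alone parser for the same fields: the RCODE (NOERROR, NXDOMAIN, and so on) and the A, AAAA and PTR answers. It is an added example, not nflog_dns's own code (which uses libtins); it follows the RFC 1035 / RFC 3596 wire format directly, checks every length against the buffer, and runs on two constructed sample replies that use documentation addresses rather than captured traffic.

```cpp
// Added example, not nflog_dns's own code: a minimal, bounds-checked parser for
// the fields nflog_dns logs (RCODE plus A, AAAA, PTR answers), without libtins.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct DnsAnswer { std::string name; uint16_t type = 0; std::string rdata; };
struct DnsReply  { uint16_t id = 0; bool is_response = false; uint8_t rcode = 0; std::vector<DnsAnswer> answers; };

static uint16_t be16(const std::vector<uint8_t>& p, size_t off) { return uint16_t((p[off] << 8) | p[off + 1]); }

// Read a possibly compressed name at pos and advance pos past its wire bytes
// (RFC 1035 section 4.1.4). Rejects truncated labels and pointer loops.
static bool read_name(const std::vector<uint8_t>& p, size_t& pos, std::string& out) {
    std::string name; size_t cur = pos; bool jumped = false;
    for (int hops = 0;;) {
        if (cur >= p.size()) return false;
        uint8_t len = p[cur];
        if (len == 0) { ++cur; break; }
        if ((len & 0xC0) == 0xC0) {                       // compression pointer
            if (cur + 1 >= p.size() || ++hops > 16) return false;
            if (!jumped) { pos = cur + 2; jumped = true; }
            cur = ((len & 0x3F) << 8) | p[cur + 1];
            continue;
        }
        if (len > 63 || cur + 1 + len > p.size()) return false;
        if (!name.empty()) name += '.';
        name.append(reinterpret_cast<const char*>(&p[cur + 1]), len);
        cur += 1 + len;
    }
    if (!jumped) pos = cur;
    out = name.empty() ? "." : name;
    return true;
}

static std::string fmt_ipv4(const uint8_t* d) {
    char buf[16];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u", unsigned(d[0]), unsigned(d[1]), unsigned(d[2]), unsigned(d[3]));
    return buf;
}
// Plain eight-group form without "::" shortening; enough for a log line.
static std::string fmt_ipv6(const uint8_t* d) {
    char buf[40]; unsigned g[8];
    for (int i = 0; i < 8; ++i) g[i] = unsigned((d[2 * i] << 8) | d[2 * i + 1]);
    std::snprintf(buf, sizeof buf, "%x:%x:%x:%x:%x:%x:%x:%x", g[0], g[1], g[2], g[3], g[4], g[5], g[6], g[7]);
    return buf;
}

// Parse the header, skip the question section and decode A/AAAA/PTR answers.
// Other record types (CNAME, MX, TXT) are skipped here; every length is checked.
static bool parse_reply(const std::vector<uint8_t>& p, DnsReply& r) {
    if (p.size() < 12) return false;
    uint16_t flags = be16(p, 2);
    r.id = be16(p, 0); r.is_response = (flags & 0x8000) != 0; r.rcode = flags & 0x0F;   // rcode 0 NOERROR .. 5 REFUSED
    uint16_t qdcount = be16(p, 4), ancount = be16(p, 6);
    size_t pos = 12; std::string qname;
    for (uint16_t i = 0; i < qdcount; ++i) {              // skip QNAME, QTYPE, QCLASS
        if (!read_name(p, pos, qname) || pos + 4 > p.size()) return false;
        pos += 4;
    }
    for (uint16_t i = 0; i < ancount; ++i) {
        DnsAnswer a;
        if (!read_name(p, pos, a.name) || pos + 10 > p.size()) return false;
        a.type = be16(p, pos);
        uint16_t rdlength = be16(p, pos + 8);             // after CLASS(2) and TTL(4)
        pos += 10;
        if (pos + rdlength > p.size()) return false;      // truncated RDATA
        size_t rd = pos; bool decoded = false;
        if (a.type == 1 && rdlength == 4)        { a.rdata = fmt_ipv4(&p[rd]); decoded = true; }
        else if (a.type == 28 && rdlength == 16) { a.rdata = fmt_ipv6(&p[rd]); decoded = true; }
        else if (a.type == 12)                   decoded = read_name(p, rd, a.rdata);
        pos += rdlength;
        if (decoded) r.answers.push_back(a);
    }
    return true;
}

// Constructed sample replies (not captured traffic) using the documentation
// addresses 192.0.2.1 and 2001:db8::1; answer names use a 0xC00C pointer.
static void put_name(std::vector<uint8_t>& v, const std::vector<std::string>& labels) {
    for (const auto& l : labels) { v.push_back(uint8_t(l.size())); v.insert(v.end(), l.begin(), l.end()); }
    v.push_back(0);
}
static std::vector<uint8_t> sample_a_aaaa_reply() {
    std::vector<uint8_t> v = {0x12, 0x34, 0x81, 0x80, 0, 1, 0, 2, 0, 0, 0, 0};   // QR=1, NOERROR, 1 Q, 2 AN
    put_name(v, {"example", "com"}); v.insert(v.end(), {0, 1, 0, 1});           // QTYPE A, QCLASS IN
    v.insert(v.end(), {0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4, 192, 0, 2, 1});
    v.insert(v.end(), {0xC0, 0x0C, 0, 28, 0, 1, 0, 0, 0x0E, 0x10, 0, 16, 0x20, 0x01, 0x0D, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1});
    return v;
}
static std::vector<uint8_t> sample_ptr_reply() {
    std::vector<uint8_t> v = {0, 2, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0};
    put_name(v, {"1", "2", "0", "192", "in-addr", "arpa"}); v.insert(v.end(), {0, 12, 0, 1});
    v.insert(v.end(), {0xC0, 0x0C, 0, 12, 0, 1, 0, 0, 0x0E, 0x10, 0, 18});       // RDLENGTH 18
    put_name(v, {"host", "example", "net"});                                     // 1+4+1+7+1+3+1 = 18 bytes
    return v;
}

int main() {
    for (const auto& pkt : {sample_a_aaaa_reply(), sample_ptr_reply()}) {
        DnsReply r;
        if (!parse_reply(pkt, r)) { std::puts("malformed reply"); continue; }
        for (const auto& a : r.answers)
            std::printf("id=%u rcode=%u %s type=%u %s\n", unsigned(r.id), unsigned(r.rcode), a.name.c_str(), unsigned(a.type), a.rdata.c_str());
    }
}
```

The bounds checks are the part worth copying: a logger fed from NFLOG sees whatever arrives on UDP port 53, so a parser that trusts RDLENGTH or follows compression pointers without a hop limit would be the weakest point of the logging host itself.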
## iptables

To log DNS replies, add an iptables rule to send packets to NFLOG group 123:

IPv4:

```
sudo iptables -A INPUT -p udp --sport 53 -j NFLOG --nflog-group 123
```

IPv6:

```
sudo ip6tables -A INPUT -p udp --sport 53 -j NFLOG --nflog-group 123
```

## nftables

To log DNS replies, add an nftables rule to send packets to NFLOG group 123:

```
sudo nft add rule inet filter input udp sport 53 log group 123
```

These rules match on the input chain, so they see replies addressed to this host (that is, answers to queries made from it); traffic merely forwarded through the host is not logged.

## Known issues

A bug in libtins ip6.arpa PTR reply parsing prevents logging IPv6 reverse DNS lookups.
## Releasing

- Run the create_release.sh script