PassiveDNS is a tool (by GameLinux) to collect DNS records passively, to aid incident handling, Network Security Monitoring (NSM) and general digital forensics.
PassiveDNS sniffs traffic from an interface or reads a pcap file and writes the DNS server answers to a log file. PassiveDNS can cache and aggregate duplicate DNS answers in memory, limiting the amount of data in the log file without losing the essence of the DNS answer.
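As an added example (not from the original post or the passivedns project), here is a small Python index over passivedns log lines of the kind the tool writes, assuming the `||`-separated field layout documented in the passivedns README; the sample lines are constructed. It folds repeated (query, type, answer) tuples together and answers the two questions an analyst usually asks of passive DNS: which names pointed at a given address, and what a name resolved to over time.

```python
from dataclasses import dataclass

# Constructed sample lines (values made up); the
# timestamp||client||server||class||query||type||answer||ttl||count layout follows the passivedns README.
SAMPLE_LOG = """\
1445212800.102938||10.0.0.12||10.0.0.1||IN||www.example.com.||A||203.0.113.10||300||4
1445212830.550011||10.0.0.12||10.0.0.1||IN||cdn.example.net.||CNAME||edge.example.net.||60||1
1445212831.000101||10.0.0.12||10.0.0.1||IN||edge.example.net.||A||203.0.113.10||60||1
1445299200.000000||10.0.0.33||10.0.0.1||IN||www.example.com.||A||203.0.113.55||300||1
1445299300.000000||10.0.0.33||10.0.0.1||IN||www.example.com.||A||203.0.113.10||300||2
"""

@dataclass
class Record:
    query: str
    rtype: str
    answer: str
    first_seen: float
    last_seen: float
    count: int

def parse_line(line: str) -> Record:
    """Split one passivedns line; 'count' is how many identical answers passivedns aggregated in memory."""
    ts, _client, _server, _cls, query, rtype, answer, _ttl, count = line.split("||")
    return Record(query.rstrip("."), rtype, answer.rstrip("."), float(ts), float(ts), int(count))

def build_index(log_text: str) -> dict:
    """Merge lines with the same (query, type, answer): keep first/last seen, sum the counts."""
    index = {}
    for line in filter(str.strip, log_text.splitlines()):
        r = parse_line(line)
        key = (r.query, r.rtype, r.answer)
        if key in index:
            cur = index[key]
            cur.first_seen = min(cur.first_seen, r.first_seen)
            cur.last_seen = max(cur.last_seen, r.last_seen)
            cur.count += r.count
        else:
            index[key] = r
    return index

def names_for_answer(index: dict, answer: str) -> list:
    """Reverse lookup: every name that resolved (directly or via CNAME) to this rdata."""
    return sorted({r.query for r in index.values() if r.answer == answer})

def history_for_name(index: dict, name: str) -> list:
    """All answers ever seen for a name, oldest first, as (answer, first_seen, last_seen, count)."""
    rows = [(r.first_seen, r.answer, r.last_seen, r.count)
            for r in index.values() if r.query == name]
    return [(a, f, l, c) for f, a, l, c in sorted(rows)]
```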
I only found some RPM builds, for example by Slava Dubrovskiy at Altlinux, but they were out of date (release 0.3.3). I've created a new RPM which is up to date with release 1.2.0 (b94d776). Feel free to download and rebuild the source RPM (passivedns-1.2.0-3.20151019git3e0611d.cgk.el6.src.rpm) if required. Four packages will be built: passivedns, passivedns-daemon, passivedns-tools and passivedns-debug.
One thing to note: a patch has been added to this RPM which makes passivedns send its logs to syslog via the local6 facility instead of the local7 facility.
— update
I'm going to write some systemd-compatible service scripts for passivedns on RedHat / CentOS 7. These will be versioned on GitHub.