Real-Time DNS Logging

JSON over TCP


{"timestamp":"2018-03-25T09:35:08.4942905Z","host":"t20","program":"dns-logger","pid":9432,"client-ip":"","client-port":60165,"server-ip":"","server-port":53,"protocol":"udp","message-type":"query-response","message-size":259,"response-code":"NOERROR","flags":{"aa":0,"tc":0,"rd":1,"ra":1},"question-name":"","question-type":"A","question-class":"IN","section-counts":[4,4,4],"answer-ips":["","","",""]}

Syslog over TCP

<135>1 2018-03-25T09:33:28.393911Z t20 dns-logger 13824 - - client query: IN A + ( 27bytes 0 0 0

<135>1 2018-03-25T09:33:28.824174Z t20 dns-logger 13824 - - client response: IN A + ( 259bytes 4 4 4 NOERROR
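As an added example (not code from the product or this page), a small parser that normalises both output formats shown above into one flat record layout, as a SIEM ingestion step would. The addresses and names are constructed from documentation ranges; the positions of the client address (after "client") and the queried name (after "query:"/"response:") in the syslog body are assumed, since both are blank in the samples, as is the meaning of `message-type` and the answer/authority/additional ordering of `section-counts`.

```python
import json
import re

# Constructed samples in the page's two formats; not captured traffic.
JSON_RECORD = ('{"timestamp":"2018-03-25T09:35:08.4942905Z","host":"t20","program":"dns-logger",'
               '"pid":9432,"client-ip":"192.0.2.10","client-port":60165,"server-ip":"192.0.2.53",'
               '"server-port":53,"protocol":"udp","message-type":"query-response","message-size":259,'
               '"response-code":"NOERROR","flags":{"aa":0,"tc":0,"rd":1,"ra":1},'
               '"question-name":"example.com","question-type":"A","question-class":"IN",'
               '"section-counts":[4,4,4],"answer-ips":["203.0.113.1","203.0.113.2","203.0.113.3","203.0.113.4"]}')
SYSLOG_QUERY = ("<135>1 2018-03-25T09:33:28.393911Z t20 dns-logger 13824 - - "
                "client 192.0.2.10 query: example.com IN A + ( 27bytes 0 0 0")
SYSLOG_RESPONSE = ("<135>1 2018-03-25T09:33:28.824174Z t20 dns-logger 13824 - - "
                   "client 192.0.2.10 response: example.com IN A + ( 259bytes 4 4 4 NOERROR")

# Assumed body layout: client address after "client", queried name after "query:"/"response:",
# then class, type, a flags token, "(", message size, the three section counts and (responses only) the rcode.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\d+) \S+ \S+ "
    r"client (?P<client>\S+) (?P<kind>query|response): (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+) \( (?P<size>\d+)bytes (?P<an>\d+) (?P<ns>\d+) (?P<ar>\d+)"
    r"(?: (?P<rcode>\S+))?$")

def parse_json_record(line):
    """Normalise one JSON-over-TCP record into flat keys shared with the syslog parser."""
    r = json.loads(line)
    return {"ts": r["timestamp"], "host": r["host"], "pid": r["pid"], "client": r["client-ip"],
            "server": r["server-ip"], "proto": r["protocol"],
            # Assumption: a message-type containing "response" is a response, anything else a query.
            "kind": "response" if "response" in r["message-type"] else "query",
            "qname": r["question-name"], "qclass": r["question-class"], "qtype": r["question-type"],
            "size": r["message-size"], "counts": tuple(r["section-counts"]),
            "rcode": r["response-code"], "flags": r["flags"], "answers": list(r["answer-ips"])}

def parse_syslog_record(line):
    """Normalise one syslog-over-TCP (RFC 5424 style) line; decodes PRI into facility/severity."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("unrecognised dns-logger syslog line")
    pri = int(m["pri"])  # <135> = facility 16 (local0), severity 7 (debug)
    return {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "client": m["client"],
            "facility": pri >> 3, "severity": pri & 7, "kind": m["kind"],
            "qname": m["qname"], "qclass": m["qclass"], "qtype": m["qtype"], "flags": m["flags"],
            "size": int(m["size"]), "counts": (int(m["an"]), int(m["ns"]), int(m["ar"])),
            "rcode": m["rcode"]}

def answers_match_counts(rec):
    """Consistency check: answer IPs listed must equal the answer-section count (assumed counts[0])."""
    return "answers" not in rec or len(rec["answers"]) == rec["counts"][0]
```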



Tested with an excess of 60,000 DNS queries and responses per second.

Very lightweight, with minimal impact on your existing infrastructure.

Run anywhere

Can be installed on DNS servers or network taps.

Use it on authoritative or recursive DNS servers.

Vendor agnostic

Works at the packet capture level and supports all your DNS vendors.

Integrates with existing infrastructure and can feed directly into a SIEM.

No third-party drivers

No WinPCAP, npcap or others.

Uses native operating system features to capture data.

TCP & responses

IPv4 over TCP and UDP is supported; IPv6 support is coming soon.

Both DNS queries and responses are captured and logged.

Automated deployment

Silent, unattended installation support for all platforms.

Self-contained with no dependencies.

Automated failover

Automatically fails over when target servers are unavailable.

Queues messages in memory when no target is available.