# dnslog

Repository: https://github.com/stamparm/dnslog (GitHub, owner stamparm). Description: "Minimalistic DNS logging tool". Language: Python. License: GPL-3.0. Topics: cert, dfir, dns, forensics, logging, network. Repository created 2018-07-12, last pushed 2022-01-13; 43 stars, 7 forks, 0 open issues (repository metadata as synced by ecosyste.ms on 2025-06-26).

## Information

Minimalistic DNS logging tool. It captures all DNS traffic it sees and stores a textual representation of it, gzip-compressed, in `/var/log/dnslog/<date>.log.gz`. Created for network forensics purposes.

Each log line carries seven space-separated fields, as the sample below shows: the time of day (the date is the file name), `Q` for a query or `R` for a reply, the record type, the source IP, the destination IP, the queried name, and the answer, which is `?` for a query, `-` for a reply that carried no answer, and a comma-separated list of values otherwise.

```
$ zcat /var/log/dnslog/2018-07-12.log.gz | head
00:00:00.001595 R A 192.168.107.168 192.168.110.233 ocsp.verisign.com 23.37.43.27
00:00:00.001949 Q PTR 192.168.107.146 199.253.182.182 2.6.e.f.a.b.e.f.f.f.6.5.0.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa ?
00:00:00.002314 R AAAA 37.48.122.173 194.5.87.10 nsres1.shockmedia.nl -
00:00:00.002321 R AAAA 37.48.122.173 194.5.87.10 nsres1.shockmedia.nl -
00:00:00.003777 Q A 192.168.105.140 192.168.107.168 stats.l.doubleclick.net ?
00:00:00.005158 R A 192.168.107.168 192.168.105.140 stats.l.doubleclick.net 173.194.76.155,173.194.76.156,173.194.76.154,173.194.76.157
00:00:00.010956 Q * 192.168.110.233 192.168.107.168 star-ds.trendmicro.com.edgekey.net ?
00:00:00.010969 Q * 192.168.110.233 192.168.107.168 star-ds.trendmicro.com.edgekey.net ?
00:00:00.011887 Q A 194.5.87.10 198.6.1.161 dnsdfwspa04.dfw9.maint.ops.us.uu.net ?
00:00:00.011896 Q AAAA 194.5.87.10 198.6.1.161 dnsdfwspa04.dfw9.maint.ops.us.uu.net ?
```

## Examples

* Find all DNS (`A`) requests for the (malicious) domain `a3ax.dip.jp` on date `2018-07-10`. Note that a bare `grep a3ax.dip.jp` treats the dots as regex wildcards and matches the string anywhere on the line; when an exact match matters, use `grep -F ' a3ax.dip.jp '` instead:

```
$ zcat /var/log/dnslog/2018-07-10.log.gz | grep "Q A" | grep a3ax.dip.jp
07:35:55.505057 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
07:35:55.506583 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
07:35:55.882518 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
08:04:10.402277 Q A 192.168.108.98 192.168.107.169 a3ax.dip.jp ?
08:04:10.402851 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
09:04:10.381832 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
09:04:10.383926 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
10:04:09.247864 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
10:04:09.249246 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
10:04:09.838727 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
10:04:10.428435 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
11:04:09.719029 Q A 192.168.108.98 192.168.107.169 a3ax.dip.jp ?
11:04:09.721314 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
12:04:10.857112 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
12:04:10.859778 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
12:04:11.582157 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
12:04:12.306059 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
13:04:09.110878 Q A 192.168.108.98 192.168.107.169 a3ax.dip.jp ?
13:04:09.113022 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
14:04:09.491329 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
14:04:09.494312 Q A 192.168.107.146 203.119.40.1 a3ax.dip.jp ?
14:04:09.766260 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
```

* Find all successful DNS (`A`) replies for dynamic DNS names under `dyndns.org` on date `2018-07-10`. Replies logged with a trailing `-` carried no answer, which is what the final `grep -v` filters out:

```
$ zcat /var/log/dnslog/2018-07-10.log.gz | grep "R A" | grep dyndns.org | grep -v -E " -$"
00:03:51.983455 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:15:18.533338 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:26:33.771922 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:38:00.242124 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:49:15.570793 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
01:00:42.181528 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
01:11:57.469337 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
01:23:12.772092 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
01:34:39.379240 R A 192.168.107.169 192.168.110.232 members.dyndns.org 162.88.175.12
01:46:05.788148 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
01:57:21.114593 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
02:08:36.351852 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
02:19:51.655763 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
02:31:06.892700 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
02:42:33.579657 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
02:53:48.914302 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
03:05:15.324097 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
03:16:41.901465 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
03:27:57.201255 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
03:39:23.688141 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
03:50:39.164092 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
04:01:54.377031 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
04:02:32.902917 R A 208.76.58.1 192.168.110.82 cn-dns1.dyndns.org 80.89.176.10
04:02:32.902944 R A 208.76.58.1 192.168.110.82 cn-dns1.dyndns.org 80.89.176.10
04:02:32.903559 R A 208.76.58.1 192.168.110.82 cn-dns2.dyndns.org 80.89.176.11
04:02:32.903581 R A 208.76.58.1 192.168.110.82 cn-dns2.dyndns.org 80.89.176.11
04:13:09.701765 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
04:24:24.996081 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
04:34:56.750744 R A 8.8.8.8 192.168.104.184 checkip.dyndns.org 162.88.100.200,216.146.43.71,162.88.96.194,216.146.38.70,131.186.113.135,131.186.113.136
04:35:40.237989 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
04:40:00.188873 R A 8.8.8.8 192.168.104.184 checkip.dyndns.org 162.88.100.200,216.146.38.70,216.146.43.71,131.186.113.136,131.186.113.135,162.88.96.194
...
```

## Prerequisites

* Linux (recommended: Debian/Ubuntu)
* `python` (version 2.x or 3.x)
* `pcapy`
* `dpkt`

The `apt-get` package names in the installation steps below are the Python 2 ones; current Debian and Ubuntu releases no longer ship them, so on those systems install the Python 3 equivalents (for example `python3-dpkt` and a Python 3 build of `pcapy`) and run the script with `python3`.

## Installation
1) `sudo su`
2) `apt-get install git python python-pcapy python-dpkt`
3) `cd /opt`
4) `git clone --depth 1 https://github.com/stamparm/dnslog.git`
5) `crontab -e`  # append the following line

`*/1 * * * * if [ -n "$(ps -ef | grep -v grep | grep 'dnslog.py')" ]; then : ; else python /opt/dnslog/dnslog.py &> /var/log/dnslog.log; fi`

Two caveats for that cron line. First, cron runs it with `/bin/sh` unless the crontab sets `SHELL`, and `&>` is a bash extension: under `dash` (the default `/bin/sh` on Debian and Ubuntu) it is parsed as `&` followed by `> /var/log/dnslog.log`, which backgrounds the process and truncates the log file without capturing any output. Either put `SHELL=/bin/bash` at the top of the crontab or write the redirection portably as `> /var/log/dnslog.log 2>&1`. Second, packet capture needs root (or at least `CAP_NET_RAW`), which is why the crontab is root's; the resulting logs record every name resolved on the network, so keep `/var/log/dnslog/` readable only by the accounts that need it.
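As an added example (it is not code from stamparm/dnslog and only reads the text format the tool writes), the following Python 3 script parses the log layout shown in the README samples, reimplements the two `grep` examples with exact domain matching, and then goes one step further than the README: it looks for (client, name) pairs that are queried at a steady interval, which is how the hourly `a3ax.dip.jp` lookups and the eleven-minute `members.dyndns.org` refreshes stand out from the rest of a day's traffic. The sample lines are copied from the README; the `04:50:00` and `09:10:00` lines are constructed to exercise the empty-reply and wildcard-match edge cases. The `read_log` helper and the periodicity thresholds are this example's own assumptions, not part of the tool.

```python
"""Parse dnslog output (time Q|R type src dst name answer) and query it."""
import gzip
import re
from collections import defaultdict, namedtuple
from datetime import timedelta
from statistics import median

# Lines copied from the README examples; the 04:50:00 and 09:10:00 lines are
# constructed: a reply with no answer ('-') and a name that a bare
# `grep a3ax.dip.jp` would match because its dots act as wildcards.
SAMPLE = """\
00:00:00.002314 R AAAA 37.48.122.173 194.5.87.10 nsres1.shockmedia.nl -
00:00:00.005158 R A 192.168.107.168 192.168.105.140 stats.l.doubleclick.net 173.194.76.155,173.194.76.156,173.194.76.154,173.194.76.157
00:03:51.983455 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:15:18.533338 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:26:33.771922 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:38:00.242124 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
00:49:15.570793 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
01:00:42.181528 R A 192.168.107.168 192.168.110.232 members.dyndns.org 162.88.175.12
04:34:56.750744 R A 8.8.8.8 192.168.104.184 checkip.dyndns.org 162.88.100.200,216.146.43.71,162.88.96.194,216.146.38.70,131.186.113.135,131.186.113.136
04:50:00.000000 R A 192.168.107.168 192.168.110.232 nonexistent.dyndns.org -
07:35:55.505057 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
08:04:10.402277 Q A 192.168.108.98 192.168.107.169 a3ax.dip.jp ?
08:04:10.402851 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
09:04:10.381832 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
09:04:10.383926 Q A 192.168.107.146 192.249.78.205 a3ax.dip.jp ?
09:10:00.000000 Q A 192.168.105.140 192.168.107.168 a3axxdipxjp.example ?
10:04:09.247864 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
10:04:09.249246 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
10:04:09.838727 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
11:04:09.719029 Q A 192.168.108.98 192.168.107.169 a3ax.dip.jp ?
11:04:09.721314 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
12:04:10.857112 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
12:04:10.859778 Q A 192.168.107.146 27.120.88.165 a3ax.dip.jp ?
13:04:09.110878 Q A 192.168.108.98 192.168.107.169 a3ax.dip.jp ?
14:04:09.491329 Q A 192.168.108.98 192.168.107.168 a3ax.dip.jp ?
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (Q|R) (\S+) (\S+) (\S+) (\S+) (\S+)$")

# time: offset from midnight (the date is in the file name); answers: () for
# queries ('?') and for replies that carried nothing ('-').
Record = namedtuple("Record", "time kind rtype src dst name answers")


def parse_line(line):
    """Return a Record for one log line, or None if it is not in dnslog's format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    h, mi, s, us, kind, rtype, src, dst, name, answer = m.groups()
    t = timedelta(hours=int(h), minutes=int(mi), seconds=int(s), microseconds=int(us))
    answers = () if answer in ("?", "-") else tuple(answer.split(","))
    return Record(t, kind, rtype, src, dst, name.lower().rstrip("."), answers)


def parse_records(lines):
    return [r for r in (parse_line(line) for line in lines) if r is not None]


def read_log(path):
    """Parse one /var/log/dnslog/<date>.log.gz file (assumed path layout)."""
    with gzip.open(path, "rt") as fh:
        return parse_records(fh)


def in_domain(name, domain):
    """Exact or subdomain match, so dots are literal and substrings do not count."""
    return name == domain or name.endswith("." + domain)


def queries_for(records, domain, rtype="A"):
    """README example 1: queries of one type for a domain and its subdomains."""
    return [r for r in records if r.kind == "Q" and r.rtype == rtype and in_domain(r.name, domain)]


def answered_replies(records, domain, rtype="A"):
    """README example 2: replies that carried data; '-' replies are dropped."""
    return [r for r in records if r.kind == "R" and r.rtype == rtype and in_domain(r.name, domain) and r.answers]


def periodic_lookups(records, kind="Q", min_events=5, burst=2.0, tolerance=0.05, share=0.75):
    """Flag (client, name) pairs looked up at a steady interval (beacon-like).

    Queries are attributed to their source, replies to their destination. Events
    within `burst` seconds of the previously kept one count as retries of the same
    lookup, so a forwarding resolver's retransmissions do not hide the period.
    Returns {(client, name): median interval in seconds} for pairs where at least
    `share` of the gaps lie within `tolerance` of the median gap.
    """
    by_key = defaultdict(list)
    for r in records:
        if r.kind == kind:
            by_key[(r.src if kind == "Q" else r.dst, r.name)].append(r.time)
    found = {}
    for key, times in by_key.items():
        kept = []
        for t in sorted(times):
            if not kept or (t - kept[-1]).total_seconds() > burst:
                kept.append(t)
        if len(kept) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(kept, kept[1:])]
        med = median(gaps)
        regular = sum(abs(g - med) <= tolerance * med for g in gaps)
        if regular / len(gaps) >= share:
            found[key] = med
    return found


RECORDS = parse_records(SAMPLE.splitlines())

if __name__ == "__main__":
    for (client, name), secs in periodic_lookups(RECORDS).items():
        print(f"{client} asks for {name} about every {secs:.0f}s")
```

On the sample, the two hosts querying `a3ax.dip.jp` (the infected client and the resolver forwarding for it) come out at roughly 3600 s, and the `members.dyndns.org` refreshes seen by 192.168.110.232 at roughly 686 s; the constructed `a3axxdipxjp.example` line is not returned by `queries_for`, although the README's `grep` would have matched it. The first gap for 192.168.108.98 (the 07:35 to 08:04 offset of the initial run) is the one outlier the `share` threshold is there to tolerate.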