DNS Tracking with BIND
Latest revision as of 11:32, 7 September 2022
If you want to "spy" on a program and see whether it is "calling home", you can do it with BIND / NAMED. Remember that BIND / NAMED keeps its lookup cache in RAM, so the cache has to be dumped to a file before it can be read (i.e., it is a multi-step process).
Set BIND / NAMED Up
Add the following to the options section of /etc/bind/named.conf (or wherever the configuration file lives):
- dump-file "/var/cache/bind/named_dump.db"; (that directory is usually the default; any file name can be used)
Command for Dumping the Cache to the File
rndc dumpdb -cache (older versions used a 'double dash': rndc dumpdb --cache)
Find the String You're Looking for
grep "WhatEverStringYou'reSearchingFor" /var/cache/bind/named_dump.db
Notes
There might be a slight delay: if you ping a site and then dump the cache to a text file, the site you pinged may not be listed yet. Wait a couple of seconds and then dump it again.
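As an added example (not code from the wiki page or from the BIND project), here is a small Python parser for the named_dump.db format that rndc dumpdb -cache writes, with a search that matches by owner name instead of by substring, and a helper that triggers the dump, waits for named to finish writing the file (the delay described in the Notes), and then searches it. The sample dump is constructed for this example; dump_and_search assumes rndc is installed, that the account running it may use rndc, and that the dump path matches the dump-file setting in named.conf. Matching on labels means a search for example.com does not also hit notexample.com, and records whose data continues over several lines inside parentheses (DNSKEY, RRSIG) are joined before matching, which a plain grep on one line would miss.

```python
"""Parse BIND's named_dump.db cache dump and search it by domain name.

Added example for this page; not code from the BIND project or the wiki.
"""
import subprocess
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed sample in the layout `rndc dumpdb -cache` produces (not a real dump).
SAMPLE_DUMP = """\
;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20220907113200
; authanswer
example.com.            3600    IN A    93.184.216.34
; answer
www.example.com.        300     IN CNAME example.com.
; additional
ns1.example.com.        172800  A       192.0.2.53
; authanswer
updates.example.net.    60      IN A    198.51.100.7
; authanswer
example.org.            86400   IN DNSKEY 257 3 13 (
                                mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpV
                                XckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== )
;
; Address database dump
;
; Bad cache
;
; Dump complete
"""


@dataclass
class CacheRecord:
    name: str   # owner name as written in the dump, with trailing dot
    ttl: int    # remaining TTL in seconds at the time of the dump
    rtype: str  # record type, e.g. A, CNAME, DNSKEY
    rdata: str  # record data with parentheses removed and lines joined


def _parse_record(line: str) -> CacheRecord:
    """Split one `owner TTL [class] TYPE RDATA` line; the class is optional."""
    fields = line.split()
    name, ttl, rest = fields[0], int(fields[1]), fields[2:]
    if rest and rest[0].upper() in ("IN", "CH", "HS"):
        rest = rest[1:]
    rdata = " ".join(tok for tok in rest[1:] if tok not in ("(", ")"))
    return CacheRecord(name, ttl, rest[0], rdata)


def parse_cache_dump(text: str) -> List[CacheRecord]:
    """Return the resource records in a dump. Comment lines (';'), blank lines
    and $DATE-style directives are skipped; '( ... )' continuations are joined."""
    records: List[CacheRecord] = []
    pending = None  # text of a multi-line record whose ')' has not arrived yet
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("$"):
            continue
        if pending is not None:
            pending += " " + line
            if ")" in line:
                records.append(_parse_record(pending))
                pending = None
            continue
        if "(" in line and ")" not in line:
            pending = line
            continue
        records.append(_parse_record(line))
    return records


def find_name(records: List[CacheRecord], name: str) -> List[CacheRecord]:
    """Records whose owner is `name` or a subdomain of it. Matching on labels
    rather than substrings means 'example.com' does not hit 'notexample.com'."""
    target = name.lower().rstrip(".") + "."
    return [r for r in records
            if r.name.lower() == target or r.name.lower().endswith("." + target)]


def dump_and_search(name: str, dump_path: str = "/var/cache/bind/named_dump.db",
                    timeout: float = 5.0) -> List[CacheRecord]:
    """Ask named to dump its cache, wait until the file has been rewritten in
    full, then search it. rndc returns before named has finished writing (the
    delay the Notes section mentions), so poll until the file's mtime changes
    and the '; Dump complete' trailer that named writes last is present.
    Assumes rndc is installed and dump_path matches dump-file in named.conf."""
    path = Path(dump_path)
    before = path.stat().st_mtime_ns if path.exists() else None
    subprocess.run(["rndc", "dumpdb", "-cache"], check=True)
    deadline = time.monotonic() + timeout
    text = ""
    while time.monotonic() < deadline:
        if path.exists() and path.stat().st_mtime_ns != before:
            text = path.read_text()
            if text.rstrip().endswith("; Dump complete"):
                break
        time.sleep(0.2)
    return find_name(parse_cache_dump(text), name)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for rec in find_name(parse_cache_dump(SAMPLE_DUMP), "example.com"):
        print(f"{rec.name:24} {rec.ttl:>7} {rec.rtype:6} {rec.rdata}")
```

Running the file as-is only parses the constructed sample; calling dump_and_search("example.com") on a host running BIND exercises the real dump. The account running named must be able to write to the dump-file directory, and named keeps entries only until their TTL runs out, so a query whose TTL has expired will not appear in a later dump.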