I was thinking of starting this with a DNS joke, but then I realized it could take 24 hours before anyone would get it. Now let’s all pretend that I didn’t just tell that joke. Speaking of DNS, has anyone looked at a Microsoft DNS log? Quite an interesting, captivating read, if you were a sloth. To make matters worse, when it starts to get larger than 100 MB opening it isn’t very fun. Let me rephrase my original statement: Sloths also think logs are not fun. But there is hope.
Brah, do you even parse?
Manually reading log files is on its way out. If you’re looking for something specific, you need to parse the log file and compare it against whatever you’re looking for. For this I chose to use Python. I know there are a lot of other ways of doing it, but I’ve been interested in trying some things out with Python.
First, if you don’t know how to set up DNS logging, you’ll need to do that.
- Open your DNS snap-in.
- Right click your DNS Server and go to Properties.
- Go to the Debug Logging tab.
- Check the box for Log packets for debugging.
- Choose the file path and name of the log.
- Choose a size that you’re comfortable with and hit OK.
Moving to the meat of the program, we will want to import two libraries.
import os.path
import re
After that let’s set the location for the DNS files. You’ll want to customize this.
scriptpath = os.path.dirname(r"\\myserver\location\dnslogs\ ")
dnsFile = os.path.join(scriptpath, 'dns.log')
Then we’ll want to declare a list to be used.
dnsList = []
Let’s parse out the log file now. I even included comments to make this an easy read.
with open(dnsFile, 'r') as myDnsFile:
    for dnsLine in myDnsFile:
        # Only use lines that have Snd to reduce the size of the search.
        if re.findall(r'Snd', dnsLine) == ['Snd']:
            # Use regex to parse everything between the parentheses
            dnsSub = re.findall(r'\)(.+?)\(', dnsLine)
            # Join each using a period to var dnsUrl
            dnsUrl = '.'.join(dnsSub)
            # Use regex to find the IP address
            ipSub = re.findall(r'\d+\.\d+\.\d+\.\d+', dnsLine)
            ipRequest = '.'.join(ipSub)
            # Use regex to find the date
            dateSub = re.findall(r'\d+\/\d+\/\d+', dnsLine)
            date = '/'.join(dateSub)
            # Use regex to find the time
            timeSub = re.findall(r'\d+\:\d+\:\d+ .[M]', dnsLine)
            time = ':'.join(timeSub)
            # Add to dnsList for ease of use.
            dnsList.append([dnsUrl, ipRequest, date, time])
Next we’ll want to compare this against something. Let’s say you want to make sure no one is making requests to known malware. Let’s start by importing a good malware list.
import urllib.request
blackListUrl = urllib.request.urlopen('http://mirror1.malwaredomains.com/files/justdomains')
blackList = []
blackList = blackListUrl.read().decode('utf-8').splitlines()
Wow, that was a whole lot easier to parse out and get good information from.
The last thing would be to compare the two lists.
for eachDnsList in dnsList:
    for eachBlackList in blackList:
        if eachBlackList == eachDnsList[0]:
            print("Match", eachDnsList[0], " was accessed by ", eachDnsList[1])
There you have it. The full file will look like this.
import os.path
import re
import urllib.request

# Location of the DNS File
# You'll want to customize this.
scriptpath = os.path.dirname(r"\\myserver\location\dnslogs\ ")
# DNS file name
dnsFile = os.path.join(scriptpath, 'dns.log')
# Location of black list database
blackListUrl = urllib.request.urlopen('http://mirror1.malwaredomains.com/files/justdomains')

# Declare lists to be used
blackList = []
dnsList = []

# Create a list of lists from the Microsoft DNS file.
with open(dnsFile, 'r') as myDnsFile:
    for dnsLine in myDnsFile:
        # Only use lines that have Snd to reduce the size of the search.
        if re.findall(r'Snd', dnsLine) == ['Snd']:
            # Use regex to parse everything between the parentheses
            dnsSub = re.findall(r'\)(.+?)\(', dnsLine)
            # Join each using a period to var dnsUrl
            dnsUrl = '.'.join(dnsSub)
            # Use regex to find the IP address
            ipSub = re.findall(r'\d+\.\d+\.\d+\.\d+', dnsLine)
            ipRequest = '.'.join(ipSub)
            # Use regex to find the date
            dateSub = re.findall(r'\d+\/\d+\/\d+', dnsLine)
            date = '/'.join(dateSub)
            # Use regex to find the time
            timeSub = re.findall(r'\d+\:\d+\:\d+ .[M]', dnsLine)
            time = ':'.join(timeSub)
            # Add to list
            dnsList.append([dnsUrl, ipRequest, date, time])

# Create a list from the black list file.
blackList = blackListUrl.read().decode('utf-8').splitlines()

# Compare both lists
for eachDnsList in dnsList:
    for eachBlackList in blackList:
        if eachBlackList == eachDnsList[0]:
            print("Match", eachDnsList[0], " was accessed by ", eachDnsList[1], " on ", eachDnsList[2], eachDnsList[3])
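As an added example (mine, not the author's script), here is the same parse-and-compare idea from the two sections above written the way I would want it in production. It goes a little beyond the post: it decodes the log's length-prefixed name encoding ((3)www(7)example(3)com(0)) label by label instead of grabbing whatever sits between parentheses, keeps the response code so NXDOMAIN lookups of a listed domain still show up, puts the feed into a set so the comparison is one hash lookup per line rather than a nested loop, and also flags subdomains of a listed domain (cdn.evil-test.invalid when the feed lists evil-test.invalid). Like the post, only Snd lines are matched. The log lines and the two-domain feed embedded in it are constructed stand-ins, not captured data, and the feed is read from a string rather than fetched, since the original pulls it over plain HTTP with no integrity check and anything on the path could change what you match against; a copy fetched over HTTPS or kept locally drops straight into build_blocklist.

```python
import re
from datetime import datetime

# Constructed sample lines laid out like a Microsoft DNS debug log (not captured from a real server).
# Names use the log's label-length encoding, e.g. (3)www(7)example(3)com(0).
SAMPLE_LOG = """\
DNS Server log file creation at 3/12/2016 10:30:00 AM
3/12/2016 10:32:15 AM 0A1C PACKET  000000B6CDCA46A0 UDP Rcv 192.168.1.25    8f3a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/12/2016 10:32:15 AM 0A1C PACKET  000000B6CDCA46A0 UDP Snd 192.168.1.25    8f3a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/12/2016 10:32:16 AM 0A1C PACKET  000000B6CDCA4F00 UDP Snd 192.168.1.40    91c2 R Q [8081   DR  NOERROR] A      (3)cdn(9)evil-test(7)invalid(0)
3/12/2016 10:32:17 AM 0A1C PACKET  000000B6CDCA5120 UDP Snd 192.168.1.40    91c3 R Q [8081   DR  NXDOMAIN] AAAA   (6)update(9)evil-test(7)invalid(0)
"""

# Constructed stand-in for the 'justdomains' feed: one bare domain per line, '#' comments allowed.
SAMPLE_BLOCKLIST = """\
# hypothetical feed contents
evil-test.invalid
bad-example.invalid
"""

# One PACKET line: date, time, thread id, PACKET, packet id, proto, Snd/Rcv, remote IP, xid,
# R/Q flags, [hex-flags char-flags RCODE], query type, encoded name.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+'
    r'\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+'
    r'(?P<ip>[0-9a-fA-F.:]+)\s+\S+\s+.*?\[\S+\s+[A-Z ]*?\s*(?P<rcode>[A-Z]+)\]\s+'
    r'(?P<qtype>[A-Z0-9]+)\s+(?P<name>\(\d+\)\S*)'
)
LABEL_RE = re.compile(r'\((\d+)\)([^()]*)')


def decode_name(wire):
    """Convert '(3)www(7)example(3)com(0)' to 'www.example.com', checking each label length."""
    labels = []
    for length, label in LABEL_RE.findall(wire):
        n = int(length)
        if n == 0:  # the root label terminates the name
            break
        if len(label) != n:
            raise ValueError('label length mismatch in %r' % wire)
        labels.append(label.lower())
    return '.'.join(labels)


def parse_line(line):
    """Return a dict for a PACKET line, or None for headers and other non-packet lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = '%s %s' % (m['date'], ' '.join(m['time'].split()))
    return {
        'when': datetime.strptime(stamp, '%m/%d/%Y %I:%M:%S %p'),
        'proto': m['proto'],
        'direction': m['direction'],
        'ip': m['ip'],
        'rcode': m['rcode'],
        'qtype': m['qtype'],
        'name': decode_name(m['name']),
    }


def build_blocklist(text):
    """Normalise a one-domain-per-line feed into a set for O(1) membership tests."""
    block = set()
    for raw in text.splitlines():
        d = raw.split('#', 1)[0].strip().lower().rstrip('.')
        if d:
            block.add(d)
    return block


def listed_parent(name, blocklist):
    """Return the feed entry covering name (exact match or any parent with at least two labels).
    Stopping at two labels keeps a stray bare TLD in the feed from matching every query."""
    labels = name.split('.')
    for i in range(len(labels) - 1):
        candidate = '.'.join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_hits(log_text, blocklist):
    """Flag Snd (response) lines whose queried name is on, or under, a listed domain."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['direction'] != 'Snd':
            continue
        listed = listed_parent(rec['name'], blocklist)
        if listed:
            hits.append(dict(rec, listed=listed))
    return hits


if __name__ == '__main__':
    for hit in find_hits(SAMPLE_LOG, build_blocklist(SAMPLE_BLOCKLIST)):
        print('%s %s asked for %s (%s, %s) -> listed as %s' % (
            hit['when'], hit['ip'], hit['name'], hit['qtype'], hit['rcode'], hit['listed']))
```

Run against the embedded sample it reports the two lookups from 192.168.1.40 and ignores www.example.com; to use it on a real log, replace SAMPLE_LOG with the file contents and SAMPLE_BLOCKLIST with the feed text. Keeping the response code is what makes the NXDOMAIN line useful: a host that keeps asking for names under a listed domain is worth a look whether or not the name currently resolves.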