This blog is the source of this info; there are a few other ways to do it, but this one seems superior.
Wouldn't you like to know what DNS requests are being made from your network? You ought to. Ideally, pipe it to logstash, do what you want with it (geolocation, etc.) and then send it to a datastore that Kibana can work with (ElasticSearch fits here, the good old "ELK Stack"). You could also send it to Graylog.
One thing that's nice to do is generate a (daily) report of "first time" DNS queries. This is especially useful in a "threat hunting" type scenario, though this guide isn't really aimed at enterprises.
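The "first time" report described above, as an added example that is not part of the original post. It parses dnsmasq query lines as rsyslog writes them (the `query[TYPE] name from client` form dnsmasq emits with `log-queries`), keeps the set of names already seen in a small JSON state file, and prints only names that have never appeared before. The sample log lines are constructed, and the state-file path is an assumption.

```python
"""
First-seen DNS query report over dnsmasq syslog lines.

Added example (not the original post's code). Assumes the syslog receiver
writes dnsmasq lines in the default rsyslog line format shown in SAMPLE_LOG,
and that dnsmasq runs with log-queries so each lookup appears as
"query[TYPE] name from client". The state-file path is an assumption.
"""
import json
import re
from pathlib import Path

# Matches one dnsmasq query line as it arrives via syslog. The timestamp and
# hostname prefix is rsyslog's default template; the tail is dnsmasq's own.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample lines (not captured from a real router). Note that
# "forwarded" and "reply" lines are present too and must be ignored.
SAMPLE_LOG = """\
Jan  5 10:00:01 edgerouter dnsmasq[1234]: query[A] www.example.com from 192.168.1.20
Jan  5 10:00:01 edgerouter dnsmasq[1234]: forwarded www.example.com to 9.9.9.9
Jan  5 10:00:01 edgerouter dnsmasq[1234]: reply www.example.com is 93.184.216.34
Jan  5 10:00:02 edgerouter dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.20
Jan  5 10:05:17 edgerouter dnsmasq[1234]: query[A] updates.vendor.example from 192.168.1.31
Jan  5 11:42:09 edgerouter dnsmasq[1234]: query[TXT] odd-lookup.example.net from 192.168.1.57
Jan  5 11:42:10 edgerouter dnsmasq[1234]: query[A] www.example.com from 192.168.1.57
"""


def parse_queries(lines):
    """Yield (timestamp, qtype, name, client) for each query line; skip the rest."""
    for line in lines:
        m = QUERY_RE.match(line.rstrip("\n"))
        if m:
            # Normalise case and a trailing dot so "Example.COM." and
            # "example.com" count as the same name.
            yield m["ts"], m["qtype"], m["name"].lower().rstrip("."), m["client"]


def load_seen(state_path):
    """Names reported on earlier runs; empty on the very first run."""
    p = Path(state_path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_seen(state_path, seen):
    Path(state_path).write_text(json.dumps(sorted(seen)))


def first_seen_report(lines, state_path):
    """Return [(ts, name, qtype, client)] for names never seen before this run,
    in order of first appearance, and persist the updated name set so the
    next run only reports genuinely new names."""
    seen = load_seen(state_path)
    new_today = {}
    for ts, qtype, name, client in parse_queries(lines):
        if name not in seen and name not in new_today:
            new_today[name] = (ts, name, qtype, client)
    seen.update(new_today)          # dict iteration yields the names
    save_seen(state_path, seen)
    return list(new_today.values())


if __name__ == "__main__":
    import sys
    # Usage: python first_seen.py /var/log/remote/dnsmasq.log
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines(True)
    for ts, name, qtype, client in first_seen_report(src, "/var/lib/dns-first-seen.json"):
        print(f"{ts}  {name:<35} {qtype:<5} first asked by {client}")
```

Run it once a day from cron against the file rsyslog writes; the first run reports everything (it seeds the state file), and subsequent runs show only names the network has never resolved before, which is the list worth eyeballing.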
The problem is that you cannot set log-facility twice in dnsmasq.conf, and setting it to '' is the easiest way to get queries into syslog. So there is no choice but to edit the script that generates the log-facility line:
sudo cp /opt/vyatta/sbin/vyatta-dns-forwarding.pl ~/vyatta-dns-forwarding.pl.bak
You will need to change the line that reads $output .= "log-facility=/var/log/dnsmasq.log\n";
To make it read $output .= "# log-facility=/var/log/dnsmasq.log\n";
Yes, folks, that's just commenting the line out so that there is a blank entry for log-facility. See the dnsmasq documentation, which explains what happens when log-facility is not explicitly set.
This one-liner works as of 1.10.8 and probably won't change much for some time (if ever?); I suppose it depends on the VyattaOS devs. You will need to be root to perform the following command, which does the replacement for you:
sed -i 's/\$output \.= "log-facility/\$output \.= "# log-facility/' /opt/vyatta/sbin/vyatta-dns-forwarding.pl
sudo -i
configure
set service dns forwarding options log-queries
commit
save
Also, you will obviously need to set up a remote syslog server and tell your EdgeRouter to log to it. This is not hard to do.
sudo -i
configure
show system syslog
global {
facility all {
level info
}
}
host 1.2.3.4 {
facility all {
level info
}
}
For rsyslog this is really easy: open up /etc/rsyslog.conf, or whatever your main rsyslog configuration file is. You probably don't want this in /etc/rsyslog.d/, but I am not sure ...
Make sure /etc/rsyslog.conf contains the following (you don't really need the tcp, since this guide doesn't cover anything like syslog over TCP, SSL+TCP, etc.):
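As an added example (not the author's rsyslog config), this is the receiver side in rsyslog's RainerScript syntax: load the UDP listener only (the `imtcp` module is "the tcp" the text says you don't need), bind the listener to its own ruleset so remote lines never mix with the server's local logs, and split dnsmasq lines out to their own file for logstash or a report script to tail. The port, file paths and ruleset name are assumptions.

```rsyslog
# Added example, not from the original post. Receive the EdgeRouter's syslog
# over UDP/514 and keep dnsmasq query lines in their own file.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")

ruleset(name="remote") {
    # $programname is the syslog tag without the PID, i.e. "dnsmasq" for
    # lines tagged "dnsmasq[1234]".
    if $programname == "dnsmasq" then {
        action(type="omfile" file="/var/log/remote/dnsmasq.log")
        stop
    }
    # Everything else the router sends (kernel, sshd, ...) goes here.
    action(type="omfile" file="/var/log/remote/other.log")
}
```

On an rsyslog older than 7 the equivalent legacy directives are `$ModLoad imudp` and `$UDPServerRun 514`, but the ruleset binding above needs the newer syntax. Whichever you use, restrict UDP/514 to the router's address at the host firewall, since the listener itself accepts anything that reaches it.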
Thanks for this - exactly my problem, along with the duplicate entries in dnsmasq.conf.
It's unfortunate that we have to edit the vyatta scripts, but here we are.