gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/
1.67k stars 374 forks

Installing passivedns on dns server #110

Closed Melantrix closed 3 years ago

Melantrix commented 5 years ago

Hello,

I'm not sure if I'm missing something, or misunderstanding something, but I have installed passivedns on an internal DNS server (pi-hole) and I was hoping to see all the requests of the clients with passivedns. However, I'm only seeing the traffic the DNS server itself is generating towards the upstream servers. I have tried to run it with a BPF filter, but then somehow nothing is being processed. The BPF filter itself is correct because I have checked it with tcpdump and it is generating the correct results, as expected. (the filter used is: 'not src host and not src host and dst port 53')

My theory is that the passivedns utility is only looking at outward DNS requests and not incoming? Is there a way to force it to listen to traffic coming in?

Any help is appreciated!

robcza commented 5 years ago

The BPF filter you have in your example has incorrect syntax. Anyway, what you need is to process only the traffic between clients and your local resolver, like this: (dst port 53 and dst host $RESOLVER_IP) or (src port 53 and src host $RESOLVER_IP)

$RESOLVER_IP stands for the IP address of your resolver, the IP your clients are sending requests to.

Melantrix commented 5 years ago

Thanks for your response. Just to be clear, I have IPv4 and IPv6, so that's why I have a duplicate src host. When I used the filter in tcpdump I saw the correct traffic I was expecting to see. I was trying to filter out any traffic from my resolver to any external IP (which should have used port 53).

Anyway, I tried yours and that worked correctly after I corrected it for an IPv4 and IPv6 address: ((dst port 53 and dst host ) or (dst port 53 and dst host ))) or ((src port 53 and src host ) or (src port 53 and src host ))

I guess my error was the single port 53 instead of explicitly stating it per IP address.

Long story short, thanks for your help, it works like intended now! 👍
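The filter robcza proposed, generalized to the dual-stack case Melantrix ended up with: the helper below builds one BPF expression from any number of resolver addresses so each `host` clause is paired with `port 53` explicitly. This is an added example, not code from the passivedns project or from either commenter; the addresses are constructed placeholders, and the passivedns invocation at the end is shown as a comment.

```shell
#!/bin/sh
# Build a BPF expression that keeps only client<->resolver DNS traffic for one
# or more resolver addresses (IPv4 and/or IPv6). libpcap's "host" qualifier
# accepts both address families, so the same clause shape works for each.
build_resolver_filter() {
    dst_terms=""
    src_terms=""
    for ip in "$@"; do
        # "a or b or c" lists, one clause per resolver address
        dst_terms="${dst_terms:+$dst_terms or }dst host $ip"
        src_terms="${src_terms:+$src_terms or }src host $ip"
    done
    # No addresses given: nothing sensible to filter on
    [ -n "$dst_terms" ] || return 1
    # Queries to the resolver, plus the resolver's answers back to clients
    printf '(dst port 53 and (%s)) or (src port 53 and (%s))\n' \
        "$dst_terms" "$src_terms"
}

# Constructed placeholder addresses for a dual-stack resolver (documentation ranges).
filter=$(build_resolver_filter 192.0.2.53 2001:db8::53)
echo "$filter"
# Verify the expression the same way the thread did, then hand it to passivedns:
#   tcpdump -i eth0 -n "$filter"
#   passivedns -i eth0 -b "$filter" -l /var/log/passivedns.log
```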