gamelinux / passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
http://gamelinux.org/

Passivedns does not log large TXT records #131

Open rvaglid opened 1 year ago

rvaglid commented 1 year ago

We are testing some Splunk detections and it seems that large TXT-records are not logged at all by passivedns.

The following TXT record is 2048 chars, which is the max for a TXT record.

$ nslookup -q=TXT mobydick.vaglid.net

The DNS reply gets split into different strings as expected both by Windows and Linux resolvers, but no logs appear in the passivedns logs.

The following TXT record is 277 chars. For this DNS reply the first 256 chars get logged by passivedns, but not the second segment.

$ nslookup -q=TXT txttest.vaglid.net

[*] PassiveDNS 1.2.0
[*] By Edward Bjarte Fjellskål <edward.fjellskaal@gmail.com>
[*] Using libpcap version 1.5.3
[*] Using ldns version 1.6.16

Cheers, Rolf
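The splitting the report describes comes from the TXT wire format: RFC 1035 section 3.3.14 defines TXT RDATA as a sequence of &lt;character-string&gt;s, each a one-octet length followed by at most 255 octets, so any value longer than 255 bytes is carried as several strings. The following is an added example, not passivedns code and not written by the reporter. It encodes a value into TXT RDATA, parses every string back out, shows what a logger that keeps only the first string would record, and includes a check that compares a logged value against the RDATA seen on the wire. The 277- and 2048-byte sample values and all function names are constructed for this illustration.

```python
"""Encode and parse DNS TXT RDATA (RFC 1035 section 3.3.14).

Added example, not part of passivedns. A TXT RDATA is a sequence of
<character-string>s: one length octet followed by up to 255 octets. A
value longer than 255 bytes therefore spans several strings, and a logger
that emits only the first string truncates the record.
"""
from typing import List

MAX_CHARSTRING = 255  # the length octet is 8 bits, so 255 is the ceiling


def encode_txt_rdata(value: bytes) -> bytes:
    """Split `value` into <=255-byte <character-string>s and serialize them."""
    if not value:
        return b"\x00"  # an empty TXT record is one zero-length string
    out = bytearray()
    for offset in range(0, len(value), MAX_CHARSTRING):
        chunk = value[offset:offset + MAX_CHARSTRING]
        out.append(len(chunk))  # length octet
        out += chunk
    return bytes(out)


def parse_txt_rdata(rdata: bytes) -> List[bytes]:
    """Return every <character-string> in `rdata`, rejecting malformed data.

    The bounds check matters: a length octet that claims more bytes than
    remain is a truncated or crafted record, not something to read past.
    """
    strings: List[bytes] = []
    pos = 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise ValueError("character-string runs past end of RDATA")
        strings.append(rdata[pos:pos + length])
        pos += length
    return strings


def txt_value_full(rdata: bytes) -> bytes:
    """Concatenate all strings: the value a passive DNS log should contain."""
    return b"".join(parse_txt_rdata(rdata))


def txt_value_first_only(rdata: bytes) -> bytes:
    """Keep only the first string: the truncating behaviour to test for."""
    return parse_txt_rdata(rdata)[0]


def log_is_truncated(logged_value: bytes, rdata: bytes) -> bool:
    """True when a logged TXT value is a strict prefix of the on-wire value.

    Useful when validating a passive DNS feed against a packet capture
    before building detections (for example, DNS tunnelling rules that
    key on TXT payload length) on top of it.
    """
    wire = txt_value_full(rdata)
    return logged_value != wire and wire.startswith(logged_value)


if __name__ == "__main__":
    # Constructed sample values, sized like the two records in the report.
    for size in (277, 2048):
        rdata = encode_txt_rdata(b"A" * size)
        parts = parse_txt_rdata(rdata)
        print(f"{size}-byte value -> {len(parts)} character-strings "
              f"of lengths {[len(p) for p in parts]}")
        print("  first-string-only logger keeps",
              len(txt_value_first_only(rdata)), "bytes; truncated:",
              log_is_truncated(txt_value_first_only(rdata), rdata))
```

Run against a capture of the two lookups above, a logger that records only the first string would keep 255 bytes of the 277-byte record and 255 of the 2048-byte one (which arrives as nine strings), so `log_is_truncated` flags both; only a logger that joins every string reproduces the value the resolver returned.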