Archives for the category 'Network'

Bind: logging DNS queries

To record every query submitted to your BIND DNS server, add this block to its configuration file (named.conf) and reload with rndc reconfig. The log file must be writable by the user named runs as (and sit inside the chroot, if you use one); versions 3 size 10m keeps three 10 MB generations, which a busy resolver fills in minutes, so raise those values or ship the file to a log collector. Query logging alone can also be toggled at runtime with rndc querylog.

// Logging
logging {
    // One channel receives everything. No severity clause is given,
    // so the channel defaults to severity info (the name "debug" is
    // only a label; add "severity debug 3;" for actual debug output).
    channel "debug" {
        file "/var/log/named.log" versions 3 size 10m;
        print-time yes;
        print-category yes;
    };

    // "default" covers every category not listed explicitly below.
    category "default"      { "debug"; };
    category "general"      { "debug"; };
    category "database"     { "debug"; };
    category "security"     { "debug"; };
    category "config"       { "debug"; };
    category "resolver"     { "debug"; };
    category "xfer-in"      { "debug"; };
    category "xfer-out"     { "debug"; };
    category "notify"       { "debug"; };
    category "client"       { "debug"; };
    category "unmatched"    { "debug"; };
    category "network"      { "debug"; };
    category "update"       { "debug"; };
    category "queries"      { "debug"; };
    category "dispatch"     { "debug"; };
    category "dnssec"       { "debug"; };
    category "lame-servers" { "debug"; };
};

Queries and the server's other activity (everything at severity info or above in the listed categories) are then written to /var/log/named.log. Each query line has the form client <address>#<port>: query: <name> <class> <type> <flags>, where + means the client asked for recursion (- means it did not). Here is a typical excerpt:

18-May-2010 09:46:06.775 queries: client 192.168.2.26#64549: query: www.liberation.fr IN A +
18-May-2010 09:46:06.776 queries: client 192.168.2.26#64550: query: images.apple.com IN A +
18-May-2010 09:46:06.776 queries: client 192.168.2.26#64551: query: permanent.nouvelobs.com IN A +
18-May-2010 09:46:06.823 queries: client 192.168.1.4#58414: query: pagead2.googlesyndication.com IN A +
18-May-2010 09:46:06.997 queries: client 192.168.2.26#64552: query: tempsreel.nouvelobs.com IN A +
18-May-2010 09:46:07.022 queries: client 192.168.1.4#57886: query: googleads.g.doubleclick.net IN A +
18-May-2010 09:46:08.023 queries: client 192.168.1.4#57582: query: oswald.pages.de IN A +
18-May-2010 09:46:08.024 queries: client 192.168.1.4#61346: query: twitter.com IN A +
18-May-2010 09:46:08.024 queries: client 192.168.1.4#51376: query: www.facebook.com IN A +
18-May-2010 09:46:08.733 queries: client 192.168.100.25#43974: query: 10.1.168.192.sbl-xbl.spamhaus.org IN A +
18-May-2010 09:46:08.797 queries: client 192.168.100.25#43974: query: 10.1.168.192.bl.spamcop.net IN A +
18-May-2010 09:46:08.859 queries: client 192.168.100.25#43974: query: 10.1.168.192.cbl.abuseat.org IN A +
18-May-2010 09:46:08.859 queries: client 192.168.100.25#43974: query: 10.1.168.192.rbl.mail-abuse.org IN A +
18-May-2010 09:46:09.317 queries: client 192.168.2.29#57087: query: www.facebook.com IN A +
18-May-2010 09:46:09.516 queries: client 192.168.100.25#43974: query: hookah.nl IN MX +
18-May-2010 09:46:09.558 lame-servers: host unreachable resolving 'ns2.sekeris.nl/A/IN': 2a00:d78:0:102:193:176:144:2#53
18-May-2010 09:46:09.558 lame-servers: host unreachable resolving 'ns2.sekeris.nl/AAAA/IN': 2001:7b8:606::28#53
18-May-2010 09:46:09.558 lame-servers: host unreachable resolving 'ns2.sekeris.nl/A/IN': 2001:500:2e::1#53
18-May-2010 09:46:09.558 lame-servers: host unreachable resolving 'ns2.sekeris.nl/AAAA/IN': 2a00:d78:0:102:193:176:144:2#53
18-May-2010 09:46:09.558 lame-servers: host unreachable resolving 'ns2.sekeris.nl/AAAA/IN': 2001:610:0:800d::2#53
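A log like this is worth more than debugging. The following is an added example, not code from the original post: it parses BIND query lines in the format shown above and extracts two things a resolver log makes visible. First, DNSBL-style reversed-IP lookups, as the mail host 192.168.100.25 performs above; decoding them shows it is checking the private address 192.168.1.10 against public blocklists, which is the kind of internal-address leak worth knowing about. Second, unusually long labels, a cheap indicator of DNS tunnelling. The sample log embeds lines from the excerpt above plus two constructed TXT queries; the 40-character label threshold is an assumption to tune per network.

```python
"""Triage of BIND "queries" log lines (added example, not from the page)."""
import ipaddress
import re
import sys
from collections import Counter

# Lines from the excerpt above, one lame-servers line to show non-query lines
# being skipped, and two CONSTRUCTED TXT queries with 52-character hex labels.
SAMPLE_LOG = """\
18-May-2010 09:46:06.775 queries: client 192.168.2.26#64549: query: www.liberation.fr IN A +
18-May-2010 09:46:06.823 queries: client 192.168.1.4#58414: query: pagead2.googlesyndication.com IN A +
18-May-2010 09:46:08.024 queries: client 192.168.1.4#61346: query: twitter.com IN A +
18-May-2010 09:46:08.733 queries: client 192.168.100.25#43974: query: 10.1.168.192.sbl-xbl.spamhaus.org IN A +
18-May-2010 09:46:08.797 queries: client 192.168.100.25#43974: query: 10.1.168.192.bl.spamcop.net IN A +
18-May-2010 09:46:09.516 queries: client 192.168.100.25#43974: query: hookah.nl IN MX +
18-May-2010 09:46:09.558 lame-servers: host unreachable resolving 'ns2.sekeris.nl/A/IN': 2a00:d78:0:102:193:176:144:2#53
18-May-2010 09:46:10.101 queries: client 192.168.2.29#50111: query: 6a6f686e2d646f65a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2.t.example.net IN TXT +
18-May-2010 09:46:10.102 queries: client 192.168.2.29#50112: query: 7b7c7d7e7f808182838485868788899091929394959697989900.t.example.net IN TXT +
"""

# "queries" category with print-time/print-category, as in the excerpt:
#   <date> <time> queries: client <ip>#<port>: query: <name> <class> <type> <flags>
# Newer BIND releases add "@0x..." and a parenthesised name after the client;
# the optional groups tolerate that.
QUERY_RE = re.compile(
    r"queries: client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S*)"
)

MAX_LABEL_LEN = 40  # assumption: heuristic threshold, tune per network


def parse_query_line(line):
    """Return a dict for a query log line, or None for any other category."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["name"] = rec["name"].rstrip(".").lower()
    rec["recursion_desired"] = rec["flags"].startswith("+")  # "+" = RD bit set
    return rec


def reversed_ip_lookup(name):
    """If name is <d>.<c>.<b>.<a>.<zone> (DNSBL style), return (ip, zone), else None."""
    labels = name.split(".")
    if len(labels) < 5:
        return None
    try:
        octets = [int(label) for label in labels[:4]]
    except ValueError:
        return None
    if any(not 0 <= o <= 255 for o in octets):
        return None
    zone = ".".join(labels[4:])
    if zone.endswith("in-addr.arpa"):
        return None  # ordinary PTR lookup, not a blocklist query
    return ".".join(str(o) for o in reversed(octets)), zone


def suspicious_name(name):
    """Cheap DNS-tunnelling indicator: an unusually long label."""
    longest = max(len(label) for label in name.split("."))
    if longest > MAX_LABEL_LEN:
        return "label of %d chars" % longest
    return None


def triage(log_text):
    """Count queries per client and type, and collect the two indicators above."""
    per_client, per_type = Counter(), Counter()
    reversed_ip, suspicious, skipped = [], [], 0
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            skipped += 1
            continue
        per_client[rec["client"]] += 1
        per_type[rec["type"]] += 1
        hit = reversed_ip_lookup(rec["name"])
        if hit:
            ip, zone = hit
            # A private address sent to a public DNSBL leaks internal topology.
            reversed_ip.append((rec["client"], ip, zone, ipaddress.ip_address(ip).is_private))
        reason = suspicious_name(rec["name"])
        if reason:
            suspicious.append((rec["client"], rec["name"], reason))
    return {"per_client": per_client, "per_type": per_type,
            "reversed_ip": reversed_ip, "suspicious": suspicious, "skipped": skipped}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    print("queries per client:", dict(result["per_client"]))
    for client, ip, zone, private in result["reversed_ip"]:
        note = " (private address sent to a public zone)" if private else ""
        print("%s looked up %s in %s%s" % (client, ip, zone, note))
    for client, name, reason in result["suspicious"]:
        print("%s: %s (%s)" % (client, name, reason))
```

Run it with the path to named.log as the only argument; without one it processes the embedded sample. Per-client counts alone are already useful: a workstation issuing thousands of distinct names per minute, or one host doing all the TXT queries, stands out long before a signature would match.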

Network: detecting the IP addresses in use

To automatically discover every IP address in use on a given network, the nmap scanner is a great help (a ping scan, no port scan; sudo is needed for the raw sockets it uses):

$ sudo nmap -T4 -sP 192.168.100.0/24

Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-18 10:22 CEST
Nmap scan report for lenny.interact.lu (192.168.100.2)
Host is up (0.00024s latency).
Nmap scan report for scratchy.interact.lu (192.168.100.3)
Host is up (0.00034s latency).
Nmap scan report for flanders.interact.lu (192.168.100.25)
Host is up (0.00023s latency).
Nmap scan report for filmfund.interact.lu (192.168.100.82)
Host is up (0.00047s latency).
Nmap scan report for krusty.interact.lu (192.168.100.86)
Host is up (0.00056s latency).
Nmap scan report for maggie.interact.lu (192.168.100.100)
Host is up (0.00040s latency).
Nmap scan report for otto.interact.lu (192.168.100.254)
Host is up (0.00012s latency).
Nmap done: 256 IP addresses (7 hosts up) scanned in 3.36 seconds

When the scanning host sits on the same Ethernet segment as the target range, nmap discovers hosts with ARP requests rather than ICMP or TCP probes, so the output is more verbose: it also shows each host's MAC address and the card vendor derived from its OUI, and hosts that filter ICMP still show up. From a remote network the scan falls back to ICMP echo, TCP SYN/ACK and ICMP timestamp probes, and a host that drops all of them is reported as down, so "7 hosts up" is a lower bound there. Newer Nmap releases call this scan -sn; -sP remains an alias.
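The same sweep becomes a rogue-device check when its result is compared with an inventory. What follows is an added example, not code from the original post: it runs nmap -sn -oX - (XML on stdout; -sn is the newer name of -sP), parses the hosts reported up, including the MAC address and vendor that only appear on the local segment, and reports addresses missing from the inventory, known addresses answering from a different MAC, and inventory entries that did not answer. The embedded XML and the KNOWN_HOSTS table are constructed (hostnames from the output above, MACs from the 00:00:5E:00:53:xx documentation range, vendor strings made up); pass a CIDR argument to scan for real.

```python
"""Ping-scan inventory check (added example, not from the page)."""
import subprocess
import sys
import xml.etree.ElementTree as ET

# CONSTRUCTED sample of nmap -oX output for a ping scan run from the local
# segment (hence arp-response and MAC addresses). Hostnames follow the page.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sn -oX - 192.168.100.0/24" version="5.21">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.2" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:02" addrtype="mac" vendor="ExampleCorp"/>
<hostnames><hostname name="lenny.interact.lu" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.3" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:03" addrtype="mac" vendor="ExampleCorp"/>
<hostnames><hostname name="scratchy.interact.lu" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.25" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:99" addrtype="mac" vendor="OtherVendor"/>
<hostnames><hostname name="flanders.interact.lu" type="PTR"/></hostnames></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.100.86" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:86" addrtype="mac" vendor="ExampleCorp"/>
<hostnames/></host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.100.254" addrtype="ipv4"/></host>
</nmaprun>
"""

# CONSTRUCTED inventory: ip -> expected MAC (None for DHCP clients you only know by IP).
KNOWN_HOSTS = {
    "192.168.100.2": "00:00:5e:00:53:02",
    "192.168.100.3": "00:00:5e:00:53:03",
    "192.168.100.25": "00:00:5e:00:53:25",   # differs from the scan above
    "192.168.100.254": "00:00:5e:00:53:fe",  # down at scan time
}


def parse_nmap_xml(xml_text):
    """Hosts reported up: IP, MAC and vendor (None when scanned remotely), PTR name."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        entry = {"ip": None, "mac": None, "vendor": None, "hostname": None,
                 "reason": status.get("reason")}
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                entry["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                entry["mac"] = addr.get("addr").lower()
                entry["vendor"] = addr.get("vendor")
        hostname = host.find("hostnames/hostname")
        if hostname is not None:
            entry["hostname"] = hostname.get("name")
        hosts.append(entry)
    return hosts


def diff_inventory(hosts, known):
    """Unknown hosts, known hosts whose MAC changed, and expected hosts that did not answer."""
    seen = {h["ip"]: h for h in hosts}
    unknown = sorted(ip for ip in seen if ip not in known)
    # Only compare MACs when both sides have one (remote scans carry no MAC).
    mac_mismatch = sorted(
        (ip, known[ip], seen[ip]["mac"])
        for ip in seen
        if ip in known and known[ip] and seen[ip]["mac"] and seen[ip]["mac"] != known[ip]
    )
    missing = sorted(ip for ip in known if ip not in seen)
    return {"unknown": unknown, "mac_mismatch": mac_mismatch, "missing": missing}


def run_ping_scan(target):
    """Run the ping scan and return nmap's XML; needs root/sudo for ARP and raw sockets."""
    proc = subprocess.run(["nmap", "-sn", "-T4", "-oX", "-", target],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    xml_text = run_ping_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_XML
    report = diff_inventory(parse_nmap_xml(xml_text), KNOWN_HOSTS)
    for key, items in report.items():
        print("%s: %s" % (key, items or "-"))
```

A MAC mismatch on a static address is the interesting finding: either the machine was replaced, or something else is answering ARP for that address. A MAC mismatch on a DHCP pool address is noise, which is why the inventory lets you leave the expected MAC as None.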

Network: Google public DNS

To use Google's public resolvers, put these lines in /etc/resolv.conf. Bear in mind that this is plain DNS: queries leave the network unencrypted, Google sees them, and clients pointed here bypass the query log of a local resolver such as the BIND setup above.

nameserver 8.8.8.8
nameserver 8.8.4.4

Network: geolocating your connection

To geolocate your Internet connection (roughly at the level of your ISP's DSLAM), a handy one-liner. icanhazip.com returns your public address, geody.com looks it up in its GeoIP database, and the sed expression keeps only the line starting with IP: and strips the HTML tags. Two caveats: both requests go over plain HTTP to third parties, and the address returned by icanhazip.com is interpolated into the second URL unchecked, so on anything but a throwaway shell verify it looks like an IP address first. Accuracy is that of the GeoIP database, which maps the address block to where the ISP registered it, not to your line.

$ curl -s "http://www.geody.com/geoip.php?ip=$(curl -s icanhazip.com)" | sed '/^IP:/!d;s/<[^>][^>]*>//g'
IP: XX.XX.XX.XXX Location: Munshausen, Luxembourg   (Visual Online S.A.)