DNS logging to disk

Logging options provide DNS query, treatment and answer visibility when required. There is a live log you can view at mytools.management/log (if your device has been granted such permissions on the dashboard; more info in this kb article), but sometimes you want to investigate DNS behaviour from an earlier point in time.

Setup configuration

In order for the software to be able to write DNS queries, treatment and answers to disk, consider the following settings in your configuration files:

:file_folder: Configuration Files

Platform Default path to config file
pfSense® /usr/local/etc/adamone/anmuscle.conf
ASUS® /jffs/addons/adamone/muscle.conf

:wrench: Configuration Options

Edit the configuration file on your platform so that it contains the following:

log-level=4
log-file=/var/log/anmuscle.log

Note that the above settings will auto-rotate the file at 8MB in file size. Depending on the amount of activity on your network that may be a few seconds to a few hours of passive DNS data.

On ASUS routers, /var/log is actually written to RAM, so you want to be careful making any additional optional adjustments. However, on pfSense®, usually there’s enough storage capacity to store much more data. Consider the following options when you have sufficient storage to do so:

log-max-filesize=104857600
log-files-rotate=3

The above configuration lines will increase the log file size to 100MB before rotation, and 3 files will be rotated, utilizing up to a maximum of 300MB of disk space in /var/log/.

:checkered_flag: Log details

A powerful level of detail is now available with a simple filter on DNS and source IP address, for example:

I 20/9 14:46:06.681181 33820 DNS? 10.180.1.200@59998 UDP4 news.com A [DNS]
I 20/9 14:46:06.681776 33820 DNS> 10.180.1.200@59998 UDP4 news.com 1.1.1.3@53 (timeout 5000 ms)
I 20/9 14:46:06.682017 33820 DNS> 10.180.1.200@59998 UDP4 news.com 1.0.0.3@53 (timeout 5000 ms)
I 20/9 14:46:06.871971 33820 DNS= 10.180.1.200@59998 UDP4 news.com A 34.149.42.100 [1.1.1.3@53]

The format of the log is arranged in a way that makes it practical to analyze with any number of tools that benefit from structured data. For a more thorough analysis, see the following table:

Text Meaning
I Informational (detail included in log-level 4 and above)
20/9 Day/Month of log entry
14:46:06.681181 Timestamp of log entry, using operating system time
33820 PID (process ID) of the anmuscle instance
DNS? DNS question/query
DNS> DNS query forwarded
DNS= DNS answer
10.180.1.200@59998 DNS query source and source port number
UDP4 DNS query arrived via legacy DNS on IPv4 UDP port 53 (other options could be UDP6, TCP4/6, DoT4/6 or DoH4/6)
news.com FQDN contained in the DNS query
A DNS record type A (could be any other DNS record type)
DNS DNS record type DNS (could also be HTTPS, Type65)
DNS> and 1.1.1.3@53 Query forwarded to 1.1.1.3
A 34.149.42.100 DNS response to the endpoint (when A is offered in conjunction with DNS=) NOTE that when the answer is your block page IP, it means the DNS query was blocked
(timeout 5000 ms) The length of time anmuscle will wait for an answer (does not mean timed out)
[1.1.1.3@53] As the last object in a DNS= log entry, this is the answer of the upstream/forward that was used (this could be any one of the upstream servers used in DNSharmony®, for example), so it’s helpful to know which answer was used

:toolbox: Examples of use cases

Question: What is the first DNS query I made?
Query: grep "DNS? 10.180.1.200" /var/log/anmuscle.log | head -1
Sample answer: I 20/9 15:50:45.117569 33820 DNS? 10.180.1.200@57371 UDP4 captive.apple.com A [DNS]

Question: How often has the Facebook pixel been blocked in my logs?
Query: grep connect\.facebook\.net /var/log/anmuscle.log | grep "DNS=" | grep -c "A 10.180.1.1"
Sample answer: 251
(Note that this will only go back as far as your current anmuscle.log)

Question: What are the last 5 blocked DNS queries from me? Ignore mytools, then sort and de-dup.
Query: grep "DNS= 10.180.1.200" /var/log/anmuscle.log | grep "A 10.180.1.1" | grep -v mytools | tail -5 | awk '{print $8}' | sort | uniq
Sample answer:
connect.facebook.net
googleads.g.doubleclick.net
native.sharethrough.com
securepubads.g.doubleclick.net
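The grep one-liners above each re-parse the raw line. The following added example (not part of the article or of adam:ONE itself) turns the DNS= entries described in the log-details table into one CSV record per answer, then answers the use-case questions from those records and additionally reports which upstream answered each query. It assumes the field layout documented above (single-space separated, with the [upstream@53] suffix absent on locally answered or blocked queries), a constructed sample log written to a temporary file, and a block-page IP of 10.180.1.1 as in the article's examples.

```shell
#!/bin/sh
# Added example, not the article's or the vendor's code.
# Assumes the anmuscle log layout described in the article:
#   1=I 2=day/month 3=time 4=pid 5=DNS= 6=client@port 7=transport
#   8=fqdn 9=type 10=answer 11=[upstream@53] (absent when answered locally)

LOG="${TMPDIR:-/tmp}/anmuscle-sample.log"

# Constructed sample entries modelled on the article's format (not real traffic).
cat > "$LOG" <<'EOF'
I 20/9 14:46:06.681181 33820 DNS? 10.180.1.200@59998 UDP4 news.com A [DNS]
I 20/9 14:46:06.681776 33820 DNS> 10.180.1.200@59998 UDP4 news.com 1.1.1.3@53 (timeout 5000 ms)
I 20/9 14:46:06.871971 33820 DNS= 10.180.1.200@59998 UDP4 news.com A 34.149.42.100 [1.1.1.3@53]
I 20/9 17:01:16.100206 33820 DNS= 10.180.1.200@58066 UDP4 ads-serve.brave.com A 151.101.190.137 [9.9.9.9@53]
I 20/9 17:01:19.710673 33820 DNS= 10.180.1.200@65470 UDP4 s0.2mdn.net A 10.180.1.1
I 20/9 17:01:20.000001 33820 DNS= 10.180.1.200@65471 UDP4 connect.facebook.net A 10.180.1.1
I 20/9 17:01:21.000001 33820 DNS= 10.180.1.200@65472 UDP4 connect.facebook.net A 10.180.1.1
I 20/9 17:01:22.637071 33820 DNS= 10.180.1.200@64529 UDP4 disqus.com A 151.101.128.134 [1.0.0.3@53]
I 20/9 17:01:30.000001 33820 DNS= 10.180.1.50@40001 TCP4 mytools.management A 10.180.1.1
I 20/9 17:01:31.000001 33820 DNS= 10.180.1.50@40002 UDP4 mb.moatads.com A 10.180.1.1
EOF

# Convert DNS= lines into CSV: client,transport,fqdn,type,answer,upstream
# Queries with no [upstream] suffix were answered locally (e.g. block page).
answers_csv() {
  awk '$5 == "DNS=" {
    split($6, c, "@")
    up = ($11 == "") ? "local" : substr($11, 2, length($11) - 2)
    printf "%s,%s,%s,%s,%s,%s\n", c[1], $7, $8, $9, $10, up
  }' "$1"
}

# Sorted, de-duplicated list of names blocked for one client (mytools ignored,
# as in the article's third use case).  args: client block_ip logfile
blocked_fqdns() {
  answers_csv "$3" | awk -F, -v c="$1" -v b="$2" \
    '$1 == c && $5 == b && $3 !~ /mytools/ { print $3 }' | sort -u
}

# How many times one name was answered with the block-page IP.
# args: fqdn block_ip logfile
count_blocked() {
  answers_csv "$3" | awk -F, -v f="$1" -v b="$2" '$3 == f && $5 == b' | wc -l | tr -d ' '
}

# Which upstream (or "local") produced each answer: "upstream count" per line.
upstream_usage() {
  answers_csv "$1" | cut -d, -f6 | sort | uniq -c | awk '{ print $2, $1 }' | sort
}

# Stand-alone usage: blocked names for the article's client, then upstream usage.
blocked_fqdns 10.180.1.200 10.180.1.1 "$LOG"
upstream_usage "$LOG"
```

Point the functions at /var/log/anmuscle.log instead of the sample file to run them on a real router; the same caveat applies as above, they only see as far back as the current (rotated) log.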

It is also very helpful to run a continuous log within an ssh session. For example, if attempting to time a log entry with an application launch to see how it behaves:

tail -f /var/log/anmuscle.log | grep "DNS= 10.180.1.200"

The result is a continuously-scrolling window of DNS answers received, such as this:

I 20/9 17:01:16.100206 33820 DNS= 10.180.1.200@58066 UDP4 ads-serve.brave.com A 151.101.190.137 [9.9.9.9@53]
I 20/9 17:01:18.574955 33820 DNS= 10.180.1.200@49589 UDP4 www.cnet.com A 199.232.194.154 [1.0.0.3@53]
I 20/9 17:01:18.574990 33820 DNS= 10.180.1.200@49589 UDP4 www.cnet.com A 199.232.198.154 [1.0.0.3@53]
I 20/9 17:01:18.854221 33820 DNS= 10.180.1.200@65204 UDP4 cdn.cookielaw.org A 104.16.148.64 [1.0.0.3@53]
I 20/9 17:01:18.854252 33820 DNS= 10.180.1.200@65204 UDP4 cdn.cookielaw.org A 104.16.149.64 [1.0.0.3@53]
I 20/9 17:01:19.110485 33820 DNS= 10.180.1.200@64203 UDP4 geolocation.onetrust.com A 104.20.185.68 [1.0.0.3@53]
I 20/9 17:01:19.110520 33820 DNS= 10.180.1.200@64203 UDP4 geolocation.onetrust.com A 104.20.184.68 [1.0.0.3@53]
I 20/9 17:01:19.341966 33820 DNS= 10.180.1.200@60116 UDP4 www.gstatic.com A 142.251.41.67 [1.0.0.3@53]
I 20/9 17:01:19.348987 33820 DNS= 10.180.1.200@59435 UDP4 urs.cnet.com A 34.120.203.121 [1.0.0.3@53]
I 20/9 17:01:19.710673 33820 DNS= 10.180.1.200@65470 UDP4 s0.2mdn.net A 10.180.1.1
I 20/9 17:01:22.637071 33820 DNS= 10.180.1.200@64529 UDP4 disqus.com A 151.101.128.134 [1.0.0.3@53]
I 20/9 17:01:22.637106 33820 DNS= 10.180.1.200@64529 UDP4 disqus.com A 151.101.0.134 [1.0.0.3@53]
I 20/9 17:01:22.637169 33820 DNS= 10.180.1.200@64529 UDP4 disqus.com A 151.101.64.134 [1.0.0.3@53]
I 20/9 17:01:22.637208 33820 DNS= 10.180.1.200@64529 UDP4 disqus.com A 151.101.192.134 [1.0.0.3@53]
I 20/9 17:01:29.103609 33820 DNS= 10.180.1.200@59601 UDP4 init.ess.apple.com A 184.84.243.215 [1.0.0.3@53]
I 20/9 17:01:29.103644 33820 DNS= 10.180.1.200@59601 UDP4 init.ess.apple.com A 184.84.243.208 [1.0.0.3@53]
I 20/9 17:01:29.104767 33820 DNS= 10.180.1.200@54656 UDP4 init-p01md.apple.com A 23.43.242.34 [1.0.0.3@53]
I 20/9 17:01:29.104798 33820 DNS= 10.180.1.200@54656 UDP4 init-p01md.apple.com A 23.43.242.19 [1.0.0.3@53]
I 20/9 17:01:32.063833 33820 DNS= 10.180.1.200@60624 UDP4 arstechnica.com A 3.140.233.119 [1.0.0.3@53]
I 20/9 17:01:32.063867 33820 DNS= 10.180.1.200@60624 UDP4 arstechnica.com A 18.116.3.221 [1.0.0.3@53]
I 20/9 17:01:32.212615 33820 DNS= 10.180.1.200@50986 UDP4 mb.moatads.com A 10.180.1.1

In this case, you will need to press CTRL+C to stop the tail -f command.

This documentation refers to adam:ONE® version 4.