As I bind'om looking for viruses ...
Well, I’ll say right away that it’s not the viruses themselves, but their activity, but nevertheless discovered a lot of new things about where my computers, phones and tablet go.
But it was evening, there was nothing to do ... It was raining, the Internet suspiciously slowed down, although it seemed like 8 megabits and everything had to “fly”. The home equipment park that is connected to the world wide web is small - a desktop computer, a laptop, a tablet, a satellite tuner with Linux, 3 smartphones and a deadly servachoon-cheonchik with debian and xen (with five more constantly running virtual OCs). Not a lot is not enough, but to constantly maintain, update and check for viruses all this economy takes money (licensed software) and time, which, as always, does not exist. And at some point, it was decided to completely abandon the antiviruses, or buy them, update ... Yes, and subjectively slows down with them all ...
More than a year has passed since I refused anti-virus software. Everything works, everything is fine, But ... "You lead a hamster? - And he is!
I’m a web programmer, so I set up dns (bind9) for myself on the server, in which I created a .dev zone for development (sooooo convenient, see [tyts] ), and for one I turned on logging, let it be just in case. The address of my local DNS server distributes the DHCP ADSL modem as the main DNS server on the network.
Then one day I decided to see what was written in the DNS server logs. It turned out that one of the home computers is constantly knocking; do not understand where:
I definitely did not go there, it means someone else. Virus prophylaxis was carried out, and a malware was indeed found and “cured”. This would be the end of a fairy tale, but I did not stop at that. I wanted to analyze the accumulated DNS server logs more deeply and in a convenient form, maybe something else was happening besides my will and desires.
')
And bingo - I was counted (as in that cartoon). I watch advertisements and I am persistently considered all sorts of counters. Of course, it is not a secret to anyone that on most of the sites a wide variety of attendance counters, metrics and advertisements are placed from various advertising sites, there is even LIKE social services. networks I don't even know. And why, what would they think of me, would they show annoying ads, why should I not need them? With this we need to do something.
It is necessary to solve two problems - to analyze the logs in a convenient form, and to block unnecessary sites (counters, advertising, etc.), because putting an advertisement hall on all computers is somehow not an option, and I also did not want to do the Internet through a proxy. Ways to block a lot, but for myself I chose to substitute the real IP address of the DNS with my local one. That is, local DNS configurations.
With the first point it was thought, there will be no problems. All good is written to us. A wonderful bash script was found - able to show the most visited sites, parsing logs and a Ruby project Bind log analyzer that converts logs to a mysql database and it was stated that it has a web interface for viewing results. Just hot on the heels was found the resource http://pgl.yoyo.org/adservers/ on which everything seems to be there, and lists of domains that can be safely banned, and a description of how to do it, but ... I do not know how in bind8, but bind9 strongly cursed the empty zone offered on that site, and browsers convulsively did not complete the page loading process, trying to load counters and advertisements on the page, not understanding where the dog was digging.
The first script did not fit right away since Logies were for half a year, there was no rotation of logs, and, besides, the option to save the access time to the DNS server was not enabled. The second Bind log analyzer, in which the log analysis was set up, but it was possible to launch the web interface as well. I had to bike.
So, about the bike. Called statdnslog, it lies on a githaba and consists of two parts: utilities and a web interface.
Utilities can:
- parse the log files of requests to DNS Bind9;
- save the data to the database (mysql);
- create prohibition lists based on lists from pgl.yoyo.org (for example);
- adding new DNS to the list of prohibitions from its list (a text file with DNS listings);
- generate DNS presets for BIND9.
WEB interface:
- displays statistics sorted by date (by default, the top visited) and other fields;
- shows the most visited DNS and how many times visited;
- highlight with color (red) in the general list of visited DNS, DNS from the list of prohibited.
By the way, I will say that redefining the DNS will not save anything from anything and this is not a means of protection. Protection can be antiviruses, firewalls, a proxy with a traffic analyzer, and other specialized means of protection, however, in the case of DNS traffic analysis, it’s warned, which means it’s armed, and who, where and when you go from family, you can see.
Once again the link to github: https://github.com/mcdir/statdnslog
Website: http://statdns.nedze.com/
Demo version of the WEB interface: http://demo.statdns.nedze.com/
Additional material
Enabling DNS BIND9 logging Clause logs - http://www.zytrax.com/books/dns/ch7/logging.html
How to enable the named / bind / DNS full logging - http://stackoverflow.com/questions/11153958/how-to-enabled-named-bind-dns-full-logging
Bind Logs - Top DNS Queries http://www.pablumfication.co.uk/2010/09/03/bind-logs-top-dns-queries/
But it was evening, there was nothing to do ... It was raining, the Internet suspiciously slowed down, although it seemed like 8 megabits and everything had to “fly”. The home equipment park that is connected to the world wide web is small - a desktop computer, a laptop, a tablet, a satellite tuner with Linux, 3 smartphones and a deadly servachoon-cheonchik with debian and xen (with five more constantly running virtual OCs). Not a lot is not enough, but to constantly maintain, update and check for viruses all this economy takes money (licensed software) and time, which, as always, does not exist. And at some point, it was decided to completely abandon the antiviruses, or buy them, update ... Yes, and subjectively slows down with them all ...
More than a year has passed since I refused anti-virus software. Everything works, everything is fine, But ... "You lead a hamster? - And he is!
I’m a web programmer, so I set up dns (bind9) for myself on the server, in which I created a .dev zone for development (sooooo convenient, see [tyts] ), and for one I turned on logging, let it be just in case. The address of my local DNS server distributes the DHCP ADSL modem as the main DNS server on the network.
Then one day I decided to see what was written in the DNS server logs. It turned out that one of the home computers is constantly knocking; do not understand where:
01-Nov-2013 23:11:03.128 queries: info: client 192.168.1.11#63500: query: yfp2lvdyye86s78.pp.ua IN A + (192.168.1.1) 01-Nov-2013 23:11:04.138 queries: info: client 192.168.1.11#63500: query: yfp2lvdyye86s78.pp.ua IN A + (192.168.1.1) 01-Nov-2013 23:11:09.867 queries: info: client 192.168.1.11#58461: query: yfp2lvdyye86s78.free IN A + (192.168.1.1) 01-Nov-2013 23:11:15.390 queries: info: client 192.168.1.11#52119: query: yfp2lvdyye86s78.ce.ms IN A + (192.168.1.1) 01-Nov-2013 23:11:21.006 queries: info: client 192.168.1.11#50737: query: yfp2lvdyye86s78.net IN A + (192.168.1.1) 01-Nov-2013 23:11:26.512 queries: info: client 192.168.1.11#54267: query: 35pa1j6h47e1l7v.tk IN A + (192.168.1.1) I definitely did not go there, it means someone else. Virus prophylaxis was carried out, and a malware was indeed found and “cured”. This would be the end of a fairy tale, but I did not stop at that. I wanted to analyze the accumulated DNS server logs more deeply and in a convenient form, maybe something else was happening besides my will and desires.
')
And bingo - I was counted (as in that cartoon). I watch advertisements and I am persistently considered all sorts of counters. Of course, it is not a secret to anyone that on most of the sites a wide variety of attendance counters, metrics and advertisements are placed from various advertising sites, there is even LIKE social services. networks I don't even know. And why, what would they think of me, would they show annoying ads, why should I not need them? With this we need to do something.
It is necessary to solve two problems - to analyze the logs in a convenient form, and to block unnecessary sites (counters, advertising, etc.), because putting an advertisement hall on all computers is somehow not an option, and I also did not want to do the Internet through a proxy. Ways to block a lot, but for myself I chose to substitute the real IP address of the DNS with my local one. That is, local DNS configurations.
With the first point it was thought, there will be no problems. All good is written to us. A wonderful bash script was found - able to show the most visited sites, parsing logs and a Ruby project Bind log analyzer that converts logs to a mysql database and it was stated that it has a web interface for viewing results. Just hot on the heels was found the resource http://pgl.yoyo.org/adservers/ on which everything seems to be there, and lists of domains that can be safely banned, and a description of how to do it, but ... I do not know how in bind8, but bind9 strongly cursed the empty zone offered on that site, and browsers convulsively did not complete the page loading process, trying to load counters and advertisements on the page, not understanding where the dog was digging.
The first script did not fit right away since Logies were for half a year, there was no rotation of logs, and, besides, the option to save the access time to the DNS server was not enabled. The second Bind log analyzer, in which the log analysis was set up, but it was possible to launch the web interface as well. I had to bike.
So, about the bike. Called statdnslog, it lies on a githaba and consists of two parts: utilities and a web interface.
Utilities can:
- parse the log files of requests to DNS Bind9;
- save the data to the database (mysql);
- create prohibition lists based on lists from pgl.yoyo.org (for example);
- adding new DNS to the list of prohibitions from its list (a text file with DNS listings);
- generate DNS presets for BIND9.
WEB interface:
- displays statistics sorted by date (by default, the top visited) and other fields;
- shows the most visited DNS and how many times visited;
- highlight with color (red) in the general list of visited DNS, DNS from the list of prohibited.
By the way, I will say that redefining the DNS will not save anything from anything and this is not a means of protection. Protection can be antiviruses, firewalls, a proxy with a traffic analyzer, and other specialized means of protection, however, in the case of DNS traffic analysis, it’s warned, which means it’s armed, and who, where and when you go from family, you can see.
Once again the link to github: https://github.com/mcdir/statdnslog
Website: http://statdns.nedze.com/
Demo version of the WEB interface: http://demo.statdns.nedze.com/
Additional material
Enabling DNS BIND9 logging Clause logs - http://www.zytrax.com/books/dns/ch7/logging.html
How to enable the named / bind / DNS full logging - http://stackoverflow.com/questions/11153958/how-to-enabled-named-bind-dns-full-logging
Bind Logs - Top DNS Queries http://www.pablumfication.co.uk/2010/09/03/bind-logs-top-dns-queries/
Source: https://habr.com/ru/post/221917/
All Articles