After introducing stash53 (which logs DNS queries and responses with Logstash) yesterday, I got quite a bit of positive feedback. There were a couple of queries whether I could explain what people can do with stash53’s optional MQTT emitter, which I herewith gladly do. (Before continuing, you might want to read what I wrote about MQTT and Mosquitto.)
Supposing you don’t want to run the Logstash and ElasticSearch combo, for whichever reasons, you could use stash53’s MQTT emitter to publish DNS queries to an MQTT broker from which you, from different vantage points in your network, handle these queries.
Assume we’ve compiled stash53 for MQTT, and are invoking it like this,
specifying the address/port of the broker, and the topic on which to publish
I can easily use the Mosquitto CLI utility to “follow” what the broker receives
-v option instructs
mosquitto_sub to display the received topic name):
A small Python utility (console.py) subscribes to the topic and prints out the queries as they’re published to the broker:
As alluded to in the diagram above, I could run any number of similar programs which did different things with the messages they subscribe to. For example:
- Log DNS queries to a flat file
- Connect to an RDBMS and store queries/responses for later searching.
- Publish to a Web page with Web sockets for “live” monitoring
I trust this has clarified things a bit.
I do want to re-iterate that stash53 works with any brand of DNS server, whether authoritative or recursive. :-)