Dnsmasq

LogZilla App Store application: Dnsmasq

Overview

dnsmasq is a lightweight Linux daemon that provides DNS, DHCP, and TFTP services. It is commonly used in small networks and embedded systems. dnsmasq generates syslog messages for DHCP lease operations and DNS query activity, enabling network asset tracking and security monitoring.

App Function

  • Parse dnsmasq DHCP messages (DHCPACK, DHCPREQUEST, DHCPDISCOVER, DHCPNAK, DHCPRELEASE)
  • Parse dnsmasq DNS query logs
  • Extract DHCP lease metadata (IP, hostname, MAC)
  • Categorize DNS queries by type (A, AAAA, TXT, PTR, etc.)
  • Flag TXT and ANY queries as security events (potential DNS tunneling)
  • Provide dashboards for DHCP and DNS monitoring
  • Alert on DHCP pool issues and suspicious DNS queries

Vendor Documentation

Device Configuration

Configure dnsmasq to send logs to syslog, then forward syslog to LogZilla:

  1. Edit /etc/dnsmasq.conf and make sure both logging options are present. dnsmasq logs DHCP lease operations (DHCPACK, DHCPNAK, and so on) to syslog by default; log-dhcp adds per-transaction option detail, and log-queries is required for the query[...] lines to appear at all:

```text
log-queries
log-dhcp
```

  2. Restart dnsmasq:

```bash
sudo systemctl restart dnsmasq
```

  3. Configure rsyslog or syslog-ng to forward dnsmasq logs to LogZilla. DNS messages are logged under the program name dnsmasq and DHCP messages under dnsmasq-dhcp, so the forwarding rule must match both.

Verification

Generate a DHCP request (for example, renew a lease on a client) or a DNS query against the dnsmasq host (for example, with dig or nslookup), then verify that events appear in LogZilla with the program name dnsmasq (DNS) or dnsmasq-dhcp (DHCP).

Incoming Log Format

DHCP Messages

```text
DHCPACK(<interface>) <IP address> <MAC address> <hostname>
```
  • DHCP operation - Message type (DHCPACK, DHCPREQUEST, DHCPDISCOVER, etc.), the first token of the line
  • interface - Network interface name, in parentheses
  • IP address - Assigned IPv4 address (absent on DHCPDISCOVER, since no address has been offered yet)
  • MAC address - Client hardware address
  • hostname - Client hostname (if provided); on DHCPNAK this trailing field is the refusal reason instead (see the NAK example below)

DNS Query Messages

```text
query[<type>] <hostname> from <source_ip>
```
  • type - DNS record type (A, AAAA, TXT, PTR, MX, etc.)
  • hostname - Queried hostname
  • source_ip - IP address of the DNS client

Parsed Metadata Fields

Tag Name | Example | Description
Vendor | Linux | Vendor name
Product | dnsmasq | Product name
Event Class | network | Cross-vendor classification (security for TXT/ANY queries)
MitreId | T1071.004 | MITRE ATT&CK technique ID (TXT/ANY queries only)
MITRE Tactic | Command and Control | MITRE ATT&CK tactic (TXT/ANY queries only)
DHCP Message Type | DHCPACK | DHCP message type
DHCP Assigned IP | 192.168.1.100 | IP address assigned to client
DHCP Assigned Hostname | workstation-01 | Hostname of DHCP client
DNS Query Type | A | DNS query record type
DNS Query Hostname | www.example.com | Hostname being queried
DNS Query Source IP | 192.168.1.50 | IP address of DNS client

Log Examples

DHCP IP Address Assignment

```text
DHCPACK(enp0s3) 192.168.254.101 08:00:55:66:77:88 dhcpnine
```

DHCP NAK (Pool Exhaustion)

```text
DHCPNAK(eth0) 192.168.1.50 00:11:22:33:44:55 no address available
```

DNS Query

```text
query[A] www.example.com from 192.168.1.50
```

DNS TXT Query (Security Event)

```text
query[TXT] _dmarc.example.com from 192.168.1.50
```

MITRE ATT&CK Mapping

Event Type | Technique | Tactic
DNS TXT queries | T1071.004 | Command and Control
DNS ANY queries | T1071.004 | Command and Control

TXT and ANY queries are flagged as potential DNS tunneling or amplification attack indicators. TXT lookups are also routine for legitimate mail and certificate validation (SPF, DKIM, DMARC, ACME), as the _dmarc.example.com example above shows, so treat a single TXT event as a lead rather than a verdict: look at the query volume per client, the length and entropy of the queried labels, and the number of distinct subdomains under one parent before escalating.
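The following is an added example, not code from the LogZilla app or from dnsmasq, that parses the two message shapes described under "Incoming Log Format", assigns the tags from the "Parsed Metadata Fields" table, and evaluates the trigger rules from the "Triggers" table over the sample lines on this page plus a few constructed ones. The tag names DHCP Interface, DHCP Client MAC and DHCP NAK Reason are assumptions for illustration (the page lists no tag names for them), and the optional syslog prefix stripping assumes a forwarder that leaves "dnsmasq-dhcp[pid]:" in front of the message.

```python
import re
from typing import Optional

# Optional "<timestamp> <host> dnsmasq[-dhcp][pid]: " prefix a forwarder may
# leave in front of the message body (assumption: not every forwarder strips it).
PREFIX_RE = re.compile(r"^(?:.*?\s)?dnsmasq(?:-dhcp)?\[\d+\]:\s+")

# DHCPxxx(<iface>) [<ip>] <mac> [<hostname> | <nak reason>]
# DHCPDISCOVER carries no IP (nothing offered yet), so the IP group is optional.
DHCP_RE = re.compile(
    r"^(?P<op>DHCP[A-Z]+)\((?P<iface>[^)]+)\)\s+"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?:\s+(?P<rest>.+))?$"
)

# query[<type>] <hostname> from <source_ip>
QUERY_RE = re.compile(
    r"^query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)$"
)

SECURITY_QTYPES = {"TXT", "ANY"}


def parse_line(line: str) -> Optional[dict]:
    """Return a tag dict for one dnsmasq message, or None if it is neither shape."""
    msg = PREFIX_RE.sub("", line.strip(), count=1)
    tags = {"Vendor": "Linux", "Product": "dnsmasq", "Event Class": "network"}

    m = DHCP_RE.match(msg)
    if m:
        op = m.group("op").upper()
        tags["DHCP Message Type"] = op
        tags["DHCP Interface"] = m.group("iface")          # assumed tag name
        tags["DHCP Client MAC"] = m.group("mac").lower()   # assumed tag name
        if m.group("ip"):
            tags["DHCP Assigned IP"] = m.group("ip")
        if m.group("rest"):
            # dnsmasq ends a NAK with the refusal reason, an ACK with the hostname.
            key = "DHCP NAK Reason" if op == "DHCPNAK" else "DHCP Assigned Hostname"
            tags[key] = m.group("rest")
        return tags

    m = QUERY_RE.match(msg)
    if m:
        qtype = m.group("qtype").upper()
        tags["DNS Query Type"] = qtype
        tags["DNS Query Hostname"] = m.group("name")
        tags["DNS Query Source IP"] = m.group("src")
        if qtype in SECURITY_QTYPES:
            # Page mapping: TXT/ANY -> security class, ATT&CK T1071.004 (C2 over DNS).
            tags["Event Class"] = "security"
            tags["MitreId"] = "T1071.004"
            tags["MITRE Tactic"] = "Command and Control"
        return tags

    return None


def triggers_for(tags: dict) -> list:
    """Names of the page's triggers that fire on one parsed event.  The Service
    Error trigger keys on syslog severity, which is not in the message text."""
    fired = []
    if "MitreId" in tags:
        fired.append("DNSmasq: MITRE ATT&CK Threat Detected")
    if tags.get("DHCP Message Type") == "DHCPNAK":
        fired.append("DNSmasq: DHCP Pool Issue (NAK)")
    qtype = tags.get("DNS Query Type")
    if qtype == "TXT":
        fired.append("DNSmasq: DNS TXT Query")
    elif qtype == "ANY":
        fired.append("DNSmasq: DNS ANY Query")
    return fired


def process_log(text: str) -> list:
    """Parse every recognised line and pair it with the triggers it fires."""
    results = []
    for line in text.splitlines():
        tags = parse_line(line)
        if tags is not None:
            results.append((tags, triggers_for(tags)))
    return results


def trigger_counts(results: list) -> dict:
    """Events per trigger, the figure a dashboard tile would show."""
    counts = {}
    for _, fired in results:
        for name in fired:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: one full DORA exchange, the page's NAK, and mixed queries.
SAMPLE_LOG = """\
DHCPDISCOVER(enp0s3) 08:00:55:66:77:88
DHCPOFFER(enp0s3) 192.168.254.101 08:00:55:66:77:88
DHCPREQUEST(enp0s3) 192.168.254.101 08:00:55:66:77:88
DHCPACK(enp0s3) 192.168.254.101 08:00:55:66:77:88 dhcpnine
DHCPNAK(eth0) 192.168.1.50 00:11:22:33:44:55 no address available
query[A] www.example.com from 192.168.1.50
query[AAAA] www.example.com from 192.168.1.50
query[TXT] _dmarc.example.com from 192.168.1.50
query[ANY] example.com from 192.168.1.77
"""

if __name__ == "__main__":
    for tags, fired in process_log(SAMPLE_LOG):
        print(tags.get("DHCP Message Type") or tags.get("DNS Query Type"), fired)
    print(trigger_counts(process_log(SAMPLE_LOG)))
```

Running the block over the sample prints each event with the triggers it raised; the DHCPNAK line fires only the pool trigger, the two TXT/ANY lines each fire the MITRE trigger plus their own query-type trigger, and the A/AAAA queries and the normal DORA exchange fire nothing.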

Dashboards

Dashboard | Description
DNSmasq: DHCP Overview | DHCP failures, new devices, lease activity
DNSmasq: DNS Overview | Query counts, security events, top clients

Triggers

Trigger | Description
DNSmasq: MITRE ATT&CK Threat Detected | Events with MITRE technique mapping (T1071.004)
DNSmasq: DHCP Pool Issue (NAK) | DHCP NAK indicates pool exhaustion
DNSmasq: DNS TXT Query | TXT queries may indicate DNS tunneling
DNSmasq: DNS ANY Query | ANY queries may indicate reconnaissance
DNSmasq: Service Error | Service-level errors (syslog severity <= 3, i.e. error or worse)