
I would like to be able to get the public IPs of the websites I am accessing with my PC in a way such as:

www.google.es - public IP1 
www.cdn.facebook.com - public IP2

and so on. I think this should be done by logging DNS traffic, so I tried using wireshark as part of a solution I found in another answer:

tshark -f "udp port 53" -Y "dns.qry.type == A and dns.flags.response == 0"

However, this seems to only show traffic between my router and my machine; the list is full of pairs such as:

192.168.200.250 -> 192.168.200.1
192.168.200.1 -> 192.168.200.250
  • do you want get public IPs for specific sites or all your traffic ? Commented Nov 28, 2016 at 9:54
  • all my traffic, as my goal is to create somewhat of a database Commented Nov 28, 2016 at 9:55
  • If you have a consumer/home ISP provided router it is probably set as your DNS server to optimize network performance, so DNS requests and responses travel at the IP level between your machine and the router. Even if you used another DNS server that server still would never be the destination system(s). You want to look at the name and address(es) in the body of the DNS response, but you are excluding the responses with flags.response==0. Instead select dns.flags.response==1 and add dns.flags.rcode==0 to ignore responses that don't actually contain a result. Commented Nov 28, 2016 at 13:38
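To make the last comment's point concrete, here is an added Python example (not code from the question or from any commenter) that does in software what the suggested display filter does: it accepts a DNS message only when the response bit is set and rcode is 0, then reads the question name and the A records from the answer section, following compression pointers. The messages it parses are built inside the script by a small constructor, so nothing here is captured traffic and the addresses are illustrative; on real data you would feed it the UDP payloads that the tshark capture filter "udp port 53" delivers.

```python
import socket
import struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_dns_message(name, addrs, response=True, rcode=0, txid=0x1234):
    """Build a constructed DNS query or A-record response (sample data, not
    captured traffic). Answer names use a compression pointer to offset 12,
    where the question name starts, as real resolvers do."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0xF)
    ancount = len(addrs) if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    answers = b""
    if response:
        for addr in addrs:
            # NAME (pointer to offset 12), TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
            answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
            answers += socket.inet_aton(addr)
    return header + question + answers

def read_name(msg, off):
    """Decode a possibly compressed name at offset off.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            hops += 1
            if hops > 32:  # refuse pointer loops in malformed messages
                raise ValueError("compression pointer loop")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if end is not None else off

def extract_a_records(msg):
    """Return (question name, [IPv4 addresses]) for a successful response.
    Returns None for queries and for responses with a non-zero rcode, which is
    exactly what dns.flags.response == 1 and dns.flags.rcode == 0 keeps."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000) or (flags & 0x000F) != 0:
        return None
    off = 12
    qname = None
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
        if qname is None:
            qname = name
    ips = []
    for _ in range(ancount):
        _name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.append(socket.inet_ntoa(rdata))
    return qname, ips

if __name__ == "__main__":
    # Constructed sample messages; the addresses are illustrative only.
    for msg in (
        build_dns_message("www.google.es", ["216.58.210.163", "216.58.210.131"]),
        build_dns_message("www.google.es", [], response=False),  # the query itself
        build_dns_message("bogus.example", [], rcode=3),          # NXDOMAIN response
    ):
        result = extract_a_records(msg)
        if result:
            print(f"{result[0]} - {', '.join(result[1])}")
```

Only the first of the three constructed messages produces a line; the query and the NXDOMAIN response are dropped by the same two checks the filter expresses. The hop limit in read_name is the one defensive detail worth keeping when parsing packets you did not generate yourself.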

2 Answers


You can install DNSmasq locally and add these options to the conf file: log-facility=/var/log/dnsmasq.log and log-queries. Then set your system to use 127.0.0.1 or ::1 as the DNS resolver. It works for me.

Then extract the data in any format you want and do whatever you want with it.

Or install Bind locally. Most distros' default install of Bind will be non-authoritative caching-only; add a logging {} config block (as described in the Bind 9 Configuration Reference).

  • Thanks for your answer, finally I installed dnsmasq and as you said, everything was in the log file, just needed to filter for replies! Many thanks! Commented Nov 28, 2016 at 13:09
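As an added example of the "extract the data" step (this is not code from the answer or from the dnsmasq project), the Python script below turns dnsmasq's log-queries output into the name-to-address table the question asks for. The log lines are constructed samples in the syslog-style format dnsmasq writes to the file named by log-facility; the script keeps the "reply" and "cached" lines that carry an address, skips the <CNAME> markers and negative answers such as NXDOMAIN, and the log path is an assumed default taken from the answer.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Assumed location, from the log-facility option in the answer.
DNSMASQ_LOG = "/var/log/dnsmasq.log"

# Constructed sample lines (not a real log) in the format dnsmasq writes with
# log-queries: "query[A] name from client", "reply name is value",
# "cached name is value". Addresses are illustrative.
SAMPLE_LOG = """\
Nov 28 13:05:12 dnsmasq[1234]: query[A] www.google.es from 127.0.0.1
Nov 28 13:05:12 dnsmasq[1234]: forwarded www.google.es to 8.8.8.8
Nov 28 13:05:12 dnsmasq[1234]: reply www.google.es is 216.58.210.163
Nov 28 13:05:13 dnsmasq[1234]: query[A] www.cdn.facebook.com from 127.0.0.1
Nov 28 13:05:13 dnsmasq[1234]: reply www.cdn.facebook.com is <CNAME>
Nov 28 13:05:13 dnsmasq[1234]: reply star.c10r.facebook.com is 31.13.90.36
Nov 28 13:05:14 dnsmasq[1234]: cached www.google.es is 216.58.210.163
Nov 28 13:05:15 dnsmasq[1234]: reply bogus.example is NXDOMAIN
Nov 28 13:05:16 dnsmasq[1234]: reply www.google.es is 2a00:1450:4003:80b::2003
"""

# Only answer lines matter; query and "forwarded" lines carry no address.
ANSWER_RE = re.compile(r"dnsmasq\[\d+\]: (?:reply|cached) (\S+) is (\S+)$")

def parse_dnsmasq_log(text):
    """Map each name to the sorted list of addresses dnsmasq answered for it.
    <CNAME> markers and negative answers (NXDOMAIN, NODATA-...) are not
    addresses, so ip_address() rejects them and they are skipped."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ANSWER_RE.search(line)
        if not m:
            continue
        name, value = m.groups()
        try:
            addr = ip_address(value)
        except ValueError:
            continue
        table[name].add(str(addr))
    return {name: sorted(addrs) for name, addrs in table.items()}

def format_table(table):
    """Render the table in the "name - address" form the question asks for."""
    return "\n".join(f"{name} - {', '.join(addrs)}"
                     for name, addrs in sorted(table.items()))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:  # e.g. DNSMASQ_LOG
            text = fh.read()
    else:
        text = SAMPLE_LOG
    print(format_table(parse_dnsmasq_log(text)))
```

Run it with no arguments to see the sample output, or pass the log path to process a real file. One thing the sample shows: when a name is an alias, dnsmasq logs "<CNAME>" under the queried name and the address under the canonical name (here star.c10r.facebook.com), so the queried hostname and the address end up on different rows unless you add a step that chains them.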

This little script may provide the results you're looking for. I've avoided DNS lookups, instead preferring to use actual HTTP requests (ports 80/http and 443/https).

# Capture only SYN+ACK segments on ports 80/443, i.e. the server's reply to each
# new connection (-n no name resolution, -l line-buffered output, -p no promiscuous mode)
tshark -nlp -f '(port 80 or port 443) and (tcp[tcpflags] & (tcp-syn|tcp-ack)) == (tcp-syn|tcp-ack)' 2>/dev/null |
    # third column of tshark's default output is the source address, here the remote server
    stdbuf -oL awk '{print $3}' |
    while IFS= read -r ip
    do
        # reverse lookup; fall back to the bare IP when there is no PTR record
        name=$(dig +short -x "$ip")
        printf "%-16s%s\n" "$ip" "${name:-$ip}"
    done |
    # collapse consecutive duplicates
    uniq

Example output

212.58.244.27   bbc-vip146.telhc.bbc.co.uk.
78.129.164.123  free.hands.com.
195.20.242.89   195.20.242.89

This code will generate results only for HTTP requests, whereas searching on DNS queries will find anything and everything. However, be aware that it generates the names from a rDNS lookup on the IP address, so there is not always a direct correspondence between the HTTP hostname you accessed and the name returned in the results.

  • thanks a lot, this seems to be working. I am going to try to install dnsmasq as suggested in another answer to try and complement what the script cannot identify. Thanks again for your time! Commented Nov 28, 2016 at 10:22
  • I did upvote both answers; however, as my reputation on this Stack Exchange is too low, the votes are not publicly shown. Commented Nov 28, 2016 at 11:43
