I'm currently working on a project (for school) to set up a program which analyses DNS queries to be used in Docker Swarm and Kubernetes. For testing purposes I received some (supposedly dnsmasq) logs. They look like this:

Jun 20 01:01:02 dnsmasq[979]: **461642923** 193.x.y.z/40887 query[AAAA] www.example.com from 193.x.y.z

Jun 20 01:01:02 dnsmasq[979]: **461642923** 193.x.y.z/40887 forwarded www.example.com to 193.x.y.z

Jun 20 01:01:02 dnsmasq[979]: **461642923** 193.x.y.z/40887 reply www.example.com is <CNAME>

Jun 20 01:01:02 dnsmasq[979]: **461642923** 193.x.y.z/40887 reply example.com is NODATA-IPv6

As you can see, there is a conntrack number (bold) in these logs which is used to analyze the queries. Since I have no access to the source of these queries I tried to set up a dnsmasq cache myself. It works fine although my query-logs do not contain the conntrack number.

  • On my CentOS 7 machine I can see dnsmasq running like this:

    2940 ? S 0:00 /usr/local/sbin/dnsmasq --log-queries --log-facility=/tmp/test42.txt --conntrack

  • From the log file I can tell that dnsmasq was compiled with conntrack available:

    Dec 13 20:22:22 dnsmasq[3111]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth no-DNSSEC loop-detect inotify

Still I don't get conntrack numbers in my query logs:

Dec 13 20:37:40 dnsmasq[3111]: reply ftp.uni-stuttgart.de is 129.69.8.112
Dec 13 20:37:40 dnsmasq[3111]: reply mirror.hostnet.nl is 91.184.8.79
Dec 13 20:37:40 dnsmasq[3111]: reply mirror.veriteknik.net.tr is 94.103.33.100
Dec 13 20:37:40 dnsmasq[3111]: reply pkg.adfinis-sygroup.ch is 95.128.34.165

I would appreciate any ideas on where these numbers are coming from or which data I have to link to my logs to get a result as shown above.

1 Answer


Starting dnsmasq with --log-queries="extra" will produce this output.
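The per-query number the question calls a "conntrack number" is the sequence id that dnsmasq prefixes to each line (together with the client address and port) when started with --log-queries=extra; the plain --log-queries format in the asker's own logs has no such field, so its query, forwarded and reply lines cannot be stitched together. The parser below is an added example, not code from the question or the answer: it recognises both line layouts, reports whether a line carries the extra fields, and correlates the extra-format lines into one transaction per query id. The sample lines are constructed from the question's examples with documentation addresses (192.0.2.0/24) standing in for the redacted 193.x.y.z ones.

```python
import re
from collections import OrderedDict

# Layout written by dnsmasq with --log-queries=extra (as in the question's first log):
#   <syslog ts> dnsmasq[<pid>]: <query id> <client ip>/<client port> <event>
EXTRA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"dnsmasq\[(?P<pid>\d+)\]: "
    r"(?P<qid>\d+) (?P<client>[0-9a-fA-F.:]+)/(?P<port>\d+) (?P<event>.*)$"
)
# Plain --log-queries layout (no id, no client address/port), the asker's own format.
PLAIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"dnsmasq\[(?P<pid>\d+)\]: (?P<event>.*)$"
)
# The event kinds shown on the page, plus 'cached' for answers served from the cache.
EVENT_RES = {
    "query": re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<from>\S+)$"),
    "forwarded": re.compile(r"^forwarded (?P<name>\S+) to (?P<to>\S+)$"),
    "reply": re.compile(r"^reply (?P<name>\S+) is (?P<value>.+)$"),
    "cached": re.compile(r"^cached (?P<name>\S+) is (?P<value>.+)$"),
}

# Constructed sample input (not real traffic): the question's extra-format lines with
# documentation addresses, plus a second query answered from the cache.
SAMPLE_EXTRA = [
    "Jun 20 01:01:02 dnsmasq[979]: 461642923 192.0.2.10/40887 query[AAAA] www.example.com from 192.0.2.10",
    "Jun 20 01:01:02 dnsmasq[979]: 461642923 192.0.2.10/40887 forwarded www.example.com to 192.0.2.53",
    "Jun 20 01:01:02 dnsmasq[979]: 461642923 192.0.2.10/40887 reply www.example.com is <CNAME>",
    "Jun 20 01:01:02 dnsmasq[979]: 461642923 192.0.2.10/40887 reply example.com is NODATA-IPv6",
    "Jun 20 01:01:03 dnsmasq[979]: 461642924 192.0.2.11/51234 query[A] mirror.hostnet.nl from 192.0.2.11",
    "Jun 20 01:01:03 dnsmasq[979]: 461642924 192.0.2.11/51234 cached mirror.hostnet.nl is 91.184.8.79",
]
# A plain-format line like the ones in the asker's /tmp/test42.txt.
SAMPLE_PLAIN = "Dec 13 20:37:40 dnsmasq[3111]: reply ftp.uni-stuttgart.de is 129.69.8.112"


def parse_line(line):
    """Parse one dnsmasq log line into a dict; 'qid' is None for plain-format lines,
    and None is returned for lines that are not dnsmasq query log at all."""
    line = line.strip()
    m = EXTRA_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
    else:
        m = PLAIN_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
        rec.update(qid=None, client=None, port=None)
    event = rec.pop("event")
    # 'query[AAAA] ...' -> 'query', 'reply ...' -> 'reply'
    kind = event.split(" ", 1)[0].split("[", 1)[0]
    rec["kind"] = kind
    ev = EVENT_RES.get(kind)
    em = ev.match(event) if ev else None
    rec.update(em.groupdict() if em else {"raw": event})
    return rec


def has_query_id(line):
    """True when the line carries the --log-queries=extra id and client fields."""
    rec = parse_line(line)
    return rec is not None and rec["qid"] is not None


def group_by_query_id(lines):
    """Stitch query/forwarded/reply/cached lines into one transaction per query id.
    Plain-format lines are skipped: without the id there is nothing to correlate on."""
    txns = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qid"] is None:
            continue
        t = txns.setdefault(rec["qid"], {
            "qid": rec["qid"], "client": rec["client"], "port": rec["port"],
            "name": None, "qtype": None, "forwarded_to": [], "answers": [],
        })
        if rec["kind"] == "query":
            t["name"], t["qtype"] = rec["name"], rec["qtype"]
        elif rec["kind"] == "forwarded":
            t["forwarded_to"].append(rec["to"])
        elif rec["kind"] in ("reply", "cached"):
            t["answers"].append((rec["name"], rec["value"]))
    return txns


if __name__ == "__main__":
    print("plain line has query id:", has_query_id(SAMPLE_PLAIN))
    for t in group_by_query_id(SAMPLE_EXTRA).values():
        print(f"{t['qid']} {t['client']}:{t['port']} {t['qtype']} {t['name']} "
              f"via {t['forwarded_to'] or 'cache'} -> {t['answers']}")
```

Checking has_query_id on the first few lines of a log is a quick way to tell whether a file was produced with the extra option before attempting any correlation; the id, not the timestamp, is the only safe join key, since several clients can query the same name within the same second.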