Finally got this Docker container ready that can log all DNS and new outbound TCP/UDP connections using a modified version of suricata, an open source intrusion detection system.
If you log DNS requests, this takes it one step further by matching your outbound traffic with DNS requests. This means that it can detect traffic that might be DoH (DNS over https).
Tested using a workstation running Ubuntu (host and container). Alpha software, so please don’t use this on a production network. Happy to make modifications it if you have a use case that others will benefit from.
Thanks to the Courtesy of :