DNS traffic accounting

Grant Taylor gtaylor at tnetconsulting.net
Tue Jul 18 17:42:43 UTC 2017

On 07/18/2017 09:09 AM, Abi Askushi wrote:
> I am trying to figure out how could I account the DNS traffic generated 
> from clients in terms of bytes. My setup is a simple caching DNS with 
> several clients querying the DNS server.  I can measure the DNS traffic 
> that is generated from the DNS server on the WAN side by using some 
> monitoring tool (pmacct) but I am not sure how could I account this 
> traffic to the clients that are generating this traffic. By simply 
> monitoring the internal DNS traffic from clients I expect to not be 
> accurate since it will include also cached responses which do not 
> generate WAN traffic.

I'm going to assume that you are doing this for some academic purpose 
and not going to try to bill based on numbers of queries.  (Others have 
commented more about the impracticality of this.)

> Any suggestion how to approach this problem?

I would be tempted to see if named's query log would cover what you 
want.  I've not used it before and have no idea if it's granular enough 
for what you want.

Baring that, I'd be inclined to try IPTables rules to record the bytes 
that each client has sent to / from the DNS server.

If you absolutely need to correlate client queries to outbound server 
queries, I think you're probably going to need to capture the traffic 
and then do some sort of post capture processing to correlate it.  -  I 
know that you can get tcpdump to do this.  You might be able to get 
IPTables to copy the traffic and send it to user-space for capture ~> 
post processing.

Finally, this seems like a strange enough (in my opinion) that I'll ask 
what the motivation is for this request.  I'm wondering if there is a 
different way to accomplish the goal without needing to capture this detail.

Grant. . . .
unix || die

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3717 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20170718/902bcbbb/attachment.bin>

More information about the bind-users mailing list