DNS traffic accounting

Abi Askushi rightkicktech at gmail.com
Sun Jul 23 16:49:21 UTC 2017

Hi Grant,

Thanx for the reply. My intention is not academic but some business case.
Let me try to describe it. I have some network appliance sitting on a
remote end and using satellite for internet connectivity. The traffic
accounting on the wan is already implemented and dns that is consumed from
the appliance is reported also. What the end user pays at the end of the
day is the volume consumed on the satellite, which is already accuretly
calculated as mentioned. The issue only is the dns traffic. I cannot relate
with current setup which client did what dns traffic. By client i mean a
simple device in the internal network behind the appliance. DNS service is
enabled to this client devices only when they login/authenticate with the
appliance. As soon as they login, the respective IP becomes a member of a
bind9 view that allows recursive queries. Queries drom non authenticated
devices are simply refused. Thus i need to account only traffic from the
authenticated view. Seems that putting iptables rule on the fly as soon as
one logs in can do what i need.


On Jul 18, 2017 20:43, "Grant Taylor via bind-users" <
bind-users at lists.isc.org> wrote:

> On 07/18/2017 09:09 AM, Abi Askushi wrote:
>> I am trying to figure out how could I account the DNS traffic generated
>> from clients in terms of bytes. My setup is a simple caching DNS with
>> several clients querying the DNS server.  I can measure the DNS traffic
>> that is generated from the DNS server on the WAN side by using some
>> monitoring tool (pmacct) but I am not sure how could I account this traffic
>> to the clients that are generating this traffic. By simply monitoring the
>> internal DNS traffic from clients I expect to not be accurate since it will
>> include also cached responses which do not generate WAN traffic.
> I'm going to assume that you are doing this for some academic purpose and
> not going to try to bill based on numbers of queries.  (Others have
> commented more about the impracticality of this.)
> Any suggestion how to approach this problem?
> I would be tempted to see if named's query log would cover what you want.
> I've not used it before and have no idea if it's granular enough for what
> you want.
> Baring that, I'd be inclined to try IPTables rules to record the bytes
> that each client has sent to / from the DNS server.
> If you absolutely need to correlate client queries to outbound server
> queries, I think you're probably going to need to capture the traffic and
> then do some sort of post capture processing to correlate it.  -  I know
> that you can get tcpdump to do this.  You might be able to get IPTables to
> copy the traffic and send it to user-space for capture ~> post processing.
> Finally, this seems like a strange enough (in my opinion) that I'll ask
> what the motivation is for this request.  I'm wondering if there is a
> different way to accomplish the goal without needing to capture this detail.
> --
> Grant. . . .
> unix || die
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20170723/f1d3e632/attachment.html>

More information about the bind-users mailing list