Fwd: Logging with Unencrypted DNS, DoT and DoH

paranoid sysadmin paranoid.schizophrenic.2 at gmail.com
Wed Sep 18 14:15:03 UTC 2024


AFAIK you are correct that the data is not currently in the ISC supplied
statistics.

HOWEVER, if you are not opposed to rolling your own, have you looked at
dnstap? The raw data is all there for what you asked for. I hacked the
attached script. It runs on my test system, but YMMV.

output:
17-Sep-2024  DOT     7726      5.9%
17-Sep-2024  TCP      288      0.2%
17-Sep-2024  UDP   122478     93.9%

Regards!
Paranoid


---------- Forwarded message ---------
From: John W. Blue via bind-users <bind-users at lists.isc.org>
Date: Tue, Sep 17, 2024 at 4:00 PM
Subject: RE: Logging with Unencrypted DNS, DoT and DoH
To: bind-users at lists.isc.org <bind-users at lists.isc.org>


Ralph,

You may already be aware of the BIND webinars put on by ISC and presented
by Carsten:

https://www.isc.org/docs/BIND_9webinar2.pdf

https://www.youtube.com/watch?v=7Uu6XvY68SM

If not, spend some time watching the video. I would like to point out that
slide 12 lists several COTS vendors that are able to consume the
named.stats output.

John





*From:* bind-users [mailto:bind-users-bounces at lists.isc.org] *On Behalf Of* Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users
*Sent:* Tuesday, September 17, 2024 3:40 PM
*To:* bind-users at lists.isc.org
*Subject:* Logging with Unencrypted DNS, DoT and DoH



Hello,



BIND 9.18.7

RHEL 8.10 (Ootpa)



I am being asked if it is possible to differentiate the percentage of
queries coming into a server that are unencrypted, DoT and DoH.

Example: For a given 24 hours, 50% were 53, 25% were 853 and 25% were 443.

I cannot find a difference in the query logs to show how the query came
into the server. My only thought at the moment is to run ‘tcpdump’ on all
of the servers and script something.

Is there some way that I just have not found within BIND?

My apologies if this has been asked previously.



Thank you,

*Ralph F. Bischof, Jr. |* *Leidos*

DDI Service Architect

Digital Modernization Sector



Ralph.Bischof at nasa.gov | www.leidos.com

+1 (256) 682-9145 *M*








-- 


paranoid sysadmin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: qnd_dnstap_extract.sh
Type: application/octet-stream
Size: 1047 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20240918/9c6cbb87/attachment.obj>
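The attached script was scrubbed from the archive, so the following is an added example, not the poster's qnd_dnstap_extract.sh: one way to get a per-day transport breakdown like the output above from `dnstap-read` text output. It assumes the one-line-per-message layout `date time type src -> dst PROTO size qname/class/type`, counts only client queries (`CQ`), and assumes DoH traffic is labelled `DOH`; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the scrubbed attachment). Tallies client queries per
# transport from dnstap-read's short text output.
# Assumed field layout, one message per line:
#   $1 date  $2 time  $3 type  $4 src:port  $5 arrow  $6 dst:port  $7 proto  $8 size  $9 qname/class/type

transport_share() {
    awk '
        $3 == "CQ" {                    # client queries only; responses (CR) are skipped
            key = $1 " " $7             # date + transport label (UDP/TCP/DOT/DOH)
            count[key]++
            total[$1]++                 # per-day denominator
        }
        END {
            for (key in count) {
                split(key, part, " ")
                printf "%s  %-4s %8d %8.1f%%\n", part[1], part[2],
                       count[key], 100 * count[key] / total[part[1]]
            }
        }
    ' | LC_ALL=C sort
}

# Constructed sample lines using documentation addresses, not real traffic.
sample_lines() {
    cat <<'EOF'
17-Sep-2024 10:00:01.101 CQ 192.0.2.10:40001 -> 198.51.100.53:53 UDP 40b example.com/IN/A
17-Sep-2024 10:00:01.102 CR 192.0.2.10:40001 <- 198.51.100.53:53 UDP 56b example.com/IN/A
17-Sep-2024 10:00:02.200 CQ 192.0.2.11:40002 -> 198.51.100.53:53 UDP 40b example.org/IN/AAAA
17-Sep-2024 10:00:03.300 CQ 192.0.2.12:40003 -> 198.51.100.53:53 TCP 42b example.net/IN/TXT
17-Sep-2024 10:00:04.400 CQ 192.0.2.13:40004 -> 198.51.100.53:853 DOT 40b example.com/IN/A
17-Sep-2024 10:00:05.500 CQ 192.0.2.14:40005 -> 198.51.100.53:443 DOH 40b example.com/IN/A
EOF
}

# Real use (path is a placeholder): dnstap-read /path/to/dnstap.file | transport_share
sample_lines | transport_share
```

Because the denominator is kept per date, a capture file spanning several days yields one block of percentages per day.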

