Logging with Unencrypted DNS, DoT and DoH

Borja Marcos borjam at sarenet.es
Fri Sep 20 06:51:02 UTC 2024



> On 17 Sep 2024, at 22:39, Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users <bind-users at lists.isc.org> wrote:
> 
> Hello,
>   BIND 9.18.7
> RHEL 8.10 (Ootpa)
>   I am being asked if it is possible to differentiate the percentage of queries coming into a server that are unencrypted, DoT and DoH. 
> Example: For a given 24 hours, 50% were 53, 25% were 853 and 25% were 443.
> I cannot find a difference in the query logs to show how the query came into the server. My only thought at the moment is to run ‘tcpdump’ on all of the servers and script something.
> Is there some way that I just have not found within BIND?

You can use the awesome Dnstap for that. Much better than using pcap because it provides context.

For the CLIENT_QUERY and CLIENT_RESPONSE messages, the response_port field will give you that data per query.

Note that your mileage might vary if you use other DNS servers. As far as I know Bind has the most comprehensive Dnstap implementation by far.


Cheers,

Borja.
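As an added example (not code from the thread or from BIND), the following script does the per-transport tally suggested above: it reads the text that dnstap-read prints for CLIENT_QUERY records and buckets each query by the server-side port (response_port). The sample lines are constructed, the line layout is an assumption about dnstap-read's output, and the port-to-transport table assumes named listens on the default ports.

```python
import re
from collections import Counter

# Constructed sample modelled on dnstap-read's text output (assumed layout:
# "<date> <time> <type> <client:port> -> <server:port> <proto> <size>b <qname/class/type>").
# Only CLIENT_QUERY (CQ) lines are counted; CLIENT_RESPONSE (CR) lines would
# double-count the same transaction.
SAMPLE = """\
20-Sep-2024 06:50:01.001 CQ 192.0.2.10:51234 -> 198.51.100.5:53 UDP 45b example.com/IN/A
20-Sep-2024 06:50:01.002 CR 192.0.2.10:51234 <- 198.51.100.5:53 UDP 61b example.com/IN/A
20-Sep-2024 06:50:02.010 CQ 192.0.2.11:40211 -> 198.51.100.5:853 TCP 45b example.net/IN/AAAA
20-Sep-2024 06:50:03.020 CQ 2001:db8::22:44010 -> 2001:db8::5:443 TCP 47b example.org/IN/MX
20-Sep-2024 06:50:04.030 CQ 192.0.2.12:53022 -> 198.51.100.5:53 TCP 45b example.com/IN/A
20-Sep-2024 06:50:05.040 CQ 192.0.2.13:60000 -> 198.51.100.5:5353 UDP 45b example.com/IN/A
"""

# Server-side listening port (dnstap response_port) -> transport label.
# Adjust if named listens for TLS or HTTPS on non-default ports.
PORT_LABELS = {53: "Do53", 853: "DoT", 443: "DoH"}

CQ_RE = re.compile(r"^\S+ \S+ CQ (?P<client>\S+) -> (?P<server>\S+) ")


def response_port(endpoint: str) -> int:
    """Port of an 'addr:port' endpoint; last colon also works for unbracketed IPv6."""
    return int(endpoint.rsplit(":", 1)[1])


def classify(port: int) -> str:
    """Label a listening port; unknown ports are reported rather than silently dropped."""
    return PORT_LABELS.get(port, f"other({port})")


def tally(dnstap_text: str) -> Counter:
    """Count CLIENT_QUERY messages by the transport implied by response_port."""
    counts: Counter = Counter()
    for line in dnstap_text.splitlines():
        m = CQ_RE.match(line)
        if m is None:
            continue  # CR lines, resolver-side records and unparsable lines are skipped
        counts[classify(response_port(m.group("server")))] += 1
    return counts


def percentages(counts: Counter) -> dict:
    """Share of each transport in percent, rounded to one decimal."""
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()} if total else {}


if __name__ == "__main__":
    c = tally(SAMPLE)
    for label, pct in sorted(percentages(c).items()):
        print(f"{label:12s} {c[label]:6d} {pct:5.1f}%")
```

Feed it a full day of `dnstap-read` output to get the 24-hour split the question asks for; an `other(...)` bucket in the result means a listener on a port the table does not know about.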