<div dir="ltr"><br><div>AFAIK  you are correct that the data is not currently in the ISC supplied statistics. <br></div><div><br></div><div>HOWEVER, if you are not opposed to rolling your own, have you looked at dnstap? The raw data is all there for what you asked for. I hacked the attached script. It runs on my test system, but YMMV</div><div><br></div><div>output:</div><div><span style="font-family:monospace">17-Sep-2024  DOT     7726      5.9% <br>17-Sep-2024  TCP      288      0.2% <br>17-Sep-2024  UDP   122478     93.9% </span><br></div><div><br></div><div>Regards!</div><div>Paranoid<br></div><div><br></div><div><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <b class="gmail_sendername" dir="auto">John W. Blue via bind-users</b> <span dir="auto"><<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>></span><br>Date: Tue, Sep 17, 2024 at 4:00 PM<br>Subject: RE: Logging with Unencrypted DNS, DoT and DoH<br>To: <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a> <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>><br></div><br><br><div>

<div lang="EN-US" link="blue" vlink="purple">

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Ralph,<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">You already may be aware of the BIND webinar’s put on by ISC and presented by Carsten:<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="https://www.isc.org/docs/BIND_9webinar2.pdf" target="_blank">https://www.isc.org/docs/BIND_9webinar2.pdf</a><u></u><u></u></span></p>

<p class="MsoNormal"><a name="m_7506067187057964412_m_-6563398268439423625__MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">https://www.youtube.com/watch?v=7Uu6XvY68SM<u></u><u></u></span></a></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">If not, spend some time watching the video and would like to point out that slide 12 lists several COTS vendors that are able to consume the named.stats output.<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">John<u></u><u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>

<div>

<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">

<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> bind-users [mailto:<a href="mailto:bind-users-bounces@lists.isc.org" target="_blank">bind-users-bounces@lists.isc.org</a>]

<b>On Behalf Of </b>Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users<br>

<b>Sent:</b> Tuesday, September 17, 2024 3:40 PM<br>

<b>To:</b> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>

<b>Subject:</b> Logging with Unencrypted DNS, DoT and DoH<u></u><u></u></span></p>

</div>

</div>

<p class="MsoNormal"><u></u> <u></u></p>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Hello,<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">BIND 9.18.7<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">RHEL 8.10 (Oopta)<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I am being asked if it is possible to differentiate the percentage of queries coming into a server that are unencrypted, DoT and DoH.

<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Example: For a given 24 hours, 50% were 53, 25% were 853 and 25% were 443.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">I cannot find a difference in the query logs to show how the query came into the server. My only thought at the moment is to run ‘tcpdump’ on all of the servers and script

 something.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Is there some way that I just have not found within BIND?<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">My apologies if this has been asked previously.<u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Thank you,</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Ralph F. Bischof, Jr. |</span></b><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> </span><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#901588">Leidos</span></b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">DDI Service Architect</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Digital Modernization Sector</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="mailto:Ralph.Bischof@nasa.gov" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#0563c1">Ralph.Bischof@nasa.gov</span></a></span><span style="font-size:10.0pt;font-family:"Calibri","sans-serif""> </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">| </span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a href="https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.leidos.com%2F&data=05%7C02%7Cralph.bischof%40nasa.gov%7Cffe474bf7c714c8a913b08dc4cd7972f%7C7005d45845be48ae8140d43da96dd17b%7C0%7C0%7C638469736078828844%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=TZSJjHnaQPPBBZUTk8LGL0RNQjcuxrhzmmxzDNuy7q0%3D&reserved=0" target="_blank"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#0563c1">www.leidos.com</span></a><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">+1 (256) 682-9145

<b><span style="color:#901588">M</span></b></span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""><u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

<div>

<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif""> <u></u><u></u></span></p>

</div>

</div>

</div>

-- <br>

Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>

<br>

ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>

<br>

<br>

bind-users mailing list<br>

<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>

<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>

</div></div><br clear="all"><br><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div> </div><div> </div><div>paranoid sysadmin</div></div></div>