Logging DNS Requests - client IP, requested FQDN, and response addresses



  • I'm looking for help on how to monitor not just the requested DNS FQDN and returned address lists, but also the IP of the client who requested them.

    Can't seem to isolate the client-level detail from resolver.log.

    I've tried setting the unbound resolver's log level in Advanced Settings from "Level 1: Basic operational information" to either "Level 3: Query Level information" or "Level 5: Client Identification for cache misses", but can't seem to parse out the detail I'd expect.

    Ideally, I'd like to get the following fields out via telegraf to an InfluxDB data store for reporting in Grafana:
    <datetime>,<clientIP>,<requestedFQDN>,<responseIPsArray>,<RTT>

    Turning on Level 5 debugging for unbound seems a VERY heavy-handed way to get this detail (if the above fields can actually be parsed from that properly).

    Didn't see any obvious detail on the actual client making the request.
    e.g.

    Jul 13 14:36:37	unbound	18436:0	debug: iter_handle processing q with state QUERY RESPONSE STATE
    Jul 13 14:36:37	unbound	18436:0	info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr aa ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ns2.megaservers-dns.de. IN A ;; ANSWER SECTION: ns2.megaservers-dns.de. 86400 IN A 185.107.192.199 ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; MSG SIZE rcvd: 56
    

    What's the recommended way to get this info?

    pfSense 2.4.5p1,
    Thanks,
    -Fabrizio


  • Rebel Alliance Developer Netgate

    Did you enable query logging in the DNS resolver advanced options?

    server:
    log-queries: yes
    


  • @jimp said in Logging DNS Requests - client IP, requested FQDN, and response addresses:

    server:
    log-queries: yes

    Not sure where this is documented, but I have been looking for this option for a few years now. This works. It is, however, not under the Advanced Options tab, but rather under the General Settings tab, in Custom Options.



  • @tsmalmbe said in Logging DNS Requests - client IP, requested FQDN, and response addresses:

    Not sure where this is documented but I have been looking for this option for a few years now.

    The unbound.conf manual.

    See here: https://nlnetlabs.nl/documentation/unbound/unbound.conf/ and fast-forward to "log-queries".
    The option isn't accessible from the GUI, so use the Custom Options box, where you can set whatever you want as long as the syntax is OK.

    As the documentation says, this will probably create a lot of log info that overwrites itself very fast, so make the log files bigger or huge.



  • Thanks everyone.

    The current unbound logging volume makes getting this detail via log analysis a no-go solution, at least not without a scripted, cron-based solution that would parse and store the metrics of interest and then purge the log. I may look at something like this at some point, but I have no time for this development work now.

    It would really be nice to be able to see the following detail along with the DNS Cache Speed metrics:

    • count of distinct clients that have hits for each cache entry

    • hit counts over time per client per cache entry along with the initial FQDN requested per client that correlates to the cache record.
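
    The kind of parse-and-store script mentioned above, as an added example that is not part of this thread and not pfSense or unbound code. It assumes "log-queries: yes" (as jimp posted) and additionally "log-replies: yes" in the resolver's Custom Options, and assumes the line formats unbound writes for them as I know them: a query line is "info: <client> <qname> <qtype> <qclass>", a reply line is the same four fields followed by rcode, elapsed seconds, a from-cache flag (0/1) and the reply size in bytes. Verify both against your own resolver.log before relying on the regexes. Two caveats: these lines carry the client IP, FQDN, rcode and resolve time, but not the answer addresses (the <responseIPsArray> field from the first post), which only show up at verbosity 5 as the quoted dump shows; and the timestamps have no year, so the year is passed in. The sample log lines are constructed. Output is InfluxDB line protocol, which telegraf can pick up from a file with data_format = "influx", and the two summary functions compute the distinct-clients-per-entry and hits-per-client-per-entry figures the last post asks for.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a pfSense resolver.log with "log-queries: yes" and
# "log-replies: yes" set in Custom Options. The field layout is assumed from
# unbound's own logging (query: client qname qtype qclass; reply: the same plus
# rcode, elapsed seconds, from-cache flag, reply size). Tabs or spaces both occur.
SAMPLE_LOG = "\n".join([
    "Jul 13 14:36:37 unbound 18436:0 info: 192.168.1.50 www.example.com. A IN",
    "Jul 13 14:36:37 unbound 18436:0 info: 192.168.1.50 www.example.com. A IN NOERROR 0.012345 0 56",
    "Jul 13 14:36:38\tunbound\t18436:0\tinfo: 192.168.1.77 www.example.com. AAAA IN",
    "Jul 13 14:36:38\tunbound\t18436:0\tinfo: 192.168.1.77 www.example.com. AAAA IN NOERROR 0.000000 1 84",
    "Jul 13 14:36:40 unbound 18436:0 info: 192.168.1.77 nxdomain.example. A IN NXDOMAIN 0.031000 0 110",
    "Jul 13 14:36:40 unbound 18436:0 debug: iter_handle processing q with state QUERY RESPONSE STATE",
])

# Syslog-style timestamp prefix ("Jul 13 14:36:37"); the year is not logged.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
# log-queries line: exactly four tokens after "info:".
QUERY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s*$")
# log-replies line (assumed format): four tokens, then rcode, seconds, cached, size.
REPLY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)"
    r"\s+(?P<rcode>\S+)\s+(?P<secs>\d+\.\d+)\s+(?P<cached>[01])\s+(?P<size>\d+)\s*$")


def parse_line(line, year):
    """Return a record dict for a query or reply line, None for anything else."""
    m_ts = TS_RE.match(line)
    if not m_ts:
        return None
    stamp = " ".join(m_ts["ts"].split())  # collapse "Jul  3" style padding
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    m = REPLY_RE.search(line)  # try the longer format first
    if m:
        return {"time": ts, "kind": "reply", "client": m["client"],
                "fqdn": m["qname"].rstrip("."), "qtype": m["qtype"], "rcode": m["rcode"],
                "rtt_ms": round(float(m["secs"]) * 1000, 3),
                "cached": m["cached"] == "1", "size": int(m["size"])}
    m = QUERY_RE.search(line)
    if m:
        return {"time": ts, "kind": "query", "client": m["client"],
                "fqdn": m["qname"].rstrip("."), "qtype": m["qtype"]}
    return None


def parse_log(text, year):
    """Parse a whole log file, silently skipping debug/noise lines."""
    recs = (parse_line(l, year) for l in text.splitlines())
    return [r for r in recs if r is not None]


def _tag(value):
    # Line-protocol tag values must escape commas, spaces and equals signs.
    return re.sub(r"([,= ])", r"\\\1", value)


def _field_str(value):
    # String field values are quoted; escape backslashes and double quotes.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_line_protocol(rec, measurement="dns_query"):
    """Render one record as InfluxDB line protocol (ns timestamp, local time)."""
    tags = f"client={_tag(rec['client'])},qtype={_tag(rec['qtype'])},kind={rec['kind']}"
    fields = [f"fqdn={_field_str(rec['fqdn'])}"]
    if rec["kind"] == "reply":
        fields += [f"rcode={_field_str(rec['rcode'])}", f"rtt_ms={rec['rtt_ms']}",
                   f"cached={'true' if rec['cached'] else 'false'}", f"size={rec['size']}i"]
    ns = int(rec["time"].timestamp()) * 1_000_000_000
    return f"{measurement},{tags} {','.join(fields)} {ns}"


def clients_per_fqdn(records):
    """Distinct client IPs that received an answer for each FQDN."""
    seen = {}
    for r in records:
        if r["kind"] == "reply":
            seen.setdefault(r["fqdn"], set()).add(r["client"])
    return {fqdn: len(clients) for fqdn, clients in seen.items()}


def hits_per_client(records):
    """Answered-query count keyed by (client IP, FQDN)."""
    return Counter((r["client"], r["fqdn"]) for r in records if r["kind"] == "reply")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG, 2020)
    for r in recs:
        print(to_line_protocol(r))
    print(clients_per_fqdn(recs))
    print(dict(hits_per_client(recs)))
```

    Run it from cron against a copy of resolver.log, append the line-protocol output to a file telegraf tails with data_format = "influx", then truncate the log, which is the parse, store and purge loop described above. Because each reply line is one answered query, counting on reply lines rather than query lines avoids double counting when both options are enabled.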

