Logging DNS Requests - client IP, requested FQDN, and response addresses
I'm looking for help on how to monitor not just the requested DNS FQDN and returned address lists, but also the IP of the client who requested them.
Can't seem to isolate the client-level detail from resolver.log.
I've tried setting unbound resolver's log level in advanced settings from Level 1: Basic operational information to either
Level 3: Query Level information
Level 5: Client Identification for cache misses
but can't seem to parse out the detail I'd expect.
Ideally, I'd like to get the following fields out via telegraf to an InfluxDB data store for reporting in Grafana:
Turning on Level 5 debugging for unbound seems a VERY heavy-handed way to get this detail (if the above fields can actually be parsed from that properly).
Didn't see any obvious detail on the actual client making the request.
Jul 13 14:36:37 unbound 18436:0 debug: iter_handle processing q with state QUERY RESPONSE STATE
Jul 13 14:36:37 unbound 18436:0 info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr aa ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
ns2.megaservers-dns.de. IN A
;; ANSWER SECTION:
ns2.megaservers-dns.de. 86400 IN A 220.127.116.11
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 56
What's the recommended way to get this info?
Did you enable query logging in the DNS resolver advanced options?
server:
    log-queries: yes
Not sure where this is documented, but I have been looking for this option for a few years now. This works. It is, however, not under the Advanced Options tab, but rather under the General Settings tab in Custom Options.
Gertjan
Not sure where this is documented but I have been looking for this option for a few years now.
The unbound conf manual.
See here: https://nlnetlabs.nl/documentation/unbound/unbound.conf/ and fast forward to "log-queries".
The option isn't accessible via the GUI, so use the custom option box, where you can set what you want as long as the syntax is OK.
As said in the documentation: this will probably create a lot of log info that overwrites itself very fast, so make the log files bigger or huge.
Current unbound logging volume makes getting this detail via log analysis a no-go, at least not without a scripted cron-based solution that would parse and store the metrics of interest and then purge the log. May look at something like this at some point, but no time for this development work now.
It would really be nice to be able to see the following detail along with the DNS Cache Speed metrics:
count of distinct clients that have hits for each cache entry
hit counts over time per client per cache entry along with the initial FQDN requested per client that correlates to the cache record.
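As an added example (not code from this thread or from pfSense/unbound), here is the kind of cron-driven parser the discussion sketches: it reads resolver.log lines produced by unbound's log-queries option, pulls out the client IP, requested FQDN and query type, builds the two metrics asked for above (distinct clients per name, hit counts per client per name), and emits InfluxDB line protocol that telegraf can ingest. It assumes the syslog layout shown earlier in the thread ("Jul 13 14:36:37 unbound 18436:0 ...") and unbound's query-log line format "<client> <qname> <qtype> <qclass>"; the syslog stamp carries no year, so one is supplied and the time is treated as UTC. The sample lines are constructed, and the debug line is there only to show that non-query noise is skipped. Note that log-queries lines carry the question only, not the answer addresses.

```python
"""Parse unbound 'log-queries: yes' lines from a pfSense resolver.log and
aggregate them per client / per FQDN, emitting InfluxDB line protocol.

Added example, not code from the forum thread. Assumptions: the syslog
layout shown in the thread ("Jul 13 14:36:37 unbound 18436:0 ...") and
unbound's log-queries format "<client> <qname> <qtype> <qclass>"; the
syslog stamp has no year, so it is supplied and the time is taken as UTC.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input in that layout; the debug line mimics the
# noise seen at higher verbosity and is skipped by the parser.
SAMPLE_LOG = """\
Jul 13 14:36:37 unbound 18436:0 info: 192.168.1.10 www.example.com. A IN
Jul 13 14:36:37 unbound 18436:0 info: 192.168.1.10 www.example.com. AAAA IN
Jul 13 14:36:38 unbound 18436:1 info: 192.168.1.22 www.example.com. A IN
Jul 13 14:36:39 unbound 18436:0 info: 192.168.1.10 mail.example.net. MX IN
Jul 13 14:36:40 unbound 18436:0 debug: iter_handle processing q with state QUERY RESPONSE STATE
Jul 13 14:36:41 unbound 18436:0 info: 192.168.1.22 www.example.com. A IN
Jul 13 14:36:42 unbound 18436:0 info: 2001:db8::5 www.example.com. A IN
"""

# syslog stamp, process name, pid:thread, then unbound's own query line
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) unbound \d+:\d+ info: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z]+)$"
)


def parse_query(line, year):
    """Return a record for one log-queries line, or None for any other line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    # syslog omits the year; treat the stamp as UTC for a stable epoch value
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = ts.replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "client": m["client"],
        "qname": m["qname"].rstrip(".").lower(),  # normalise the FQDN key
        "qtype": m["qtype"],
        "qclass": m["qclass"],
    }


def parse_log(text, year=2020):
    """All query records in a log text, in file order; other lines dropped."""
    records = (parse_query(line, year) for line in text.splitlines())
    return [r for r in records if r]


def aggregate(records):
    """hits[(client, qname)] -> count; clients[qname] -> sorted client IPs."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for r in records:
        hits[(r["client"], r["qname"])] += 1
        clients[r["qname"]].add(r["client"])
    return dict(hits), {k: sorted(v) for k, v in clients.items()}


def escape_tag(value):
    """InfluxDB line protocol requires escaping comma, space and '=' in tags."""
    return re.sub(r"([,= ])", r"\\\1", value)


def to_line_protocol(records, measurement="dns_query"):
    """One point per query, nanosecond timestamps, ready for telegraf ingestion."""
    lines = []
    for r in records:
        ns = int(r["ts"].timestamp()) * 1_000_000_000
        lines.append(
            f"{measurement},client={escape_tag(r['client'])},"
            f"qname={escape_tag(r['qname'])},qtype={r['qtype']} count=1i {ns}"
        )
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    hits, clients = aggregate(recs)
    for (client, qname), n in sorted(hits.items()):
        print(f"{client:16} {qname:20} {n}")
    for qname, ips in clients.items():
        print(f"{qname}: {len(ips)} distinct clients")
    print("\n".join(to_line_protocol(recs)))
```

Run from cron against resolver.log (or pipe the rotated file in), write the line-protocol output somewhere telegraf's file or exec input reads it, and Grafana can then query counts grouped by client and qname; counting per query point in InfluxDB rather than pre-aggregating keeps the "over time" dimension asked for above.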