Re: getting answers from DNS queries

2022-05-03 Thread Dave Warren

On 2022-05-03 06:31, Gaurav Kansal wrote:

> Yup. But if the DNS infra is under my control, then definitely the keys (which 
> I have used for encryption) will also be with me. Am I missing something here?


I'll see your privacy keys and raise you Perfect Forward Secrecy. 
Although I'm not really sure if PFS is implemented anywhere in the DNS 
world at this point, except possibly DoH.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: getting answers from DNS queries

2022-05-03 Thread Ondřej Surý
> On 3. 5. 2022, at 14:31, Gaurav Kansal wrote:
> 
> Yup. But if the DNS infra is under my control, then definitely the keys 
> (which I have used for encryption) will also be with me. Am I missing 
> something here?

Then you need to make the private keys available to the monitoring software.

Also, monitoring DNS traffic on the mirror doesn’t tell you anything about **how** 
the DNS server sees the queries, so dnstap is going to be a better solution for 
most deployments.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.





Re: getting answers from DNS queries

2022-05-03 Thread Gaurav Kansal
Yup. But if the DNS infra is under my control, then definitely the keys (which 
I have used for encryption) will also be with me. Am I missing something here?

—
Gaurav Kansal

> On 03-May-2022, at 14:40, Petr Špaček  wrote:
> 
> On 03. 05. 22 10:56, Gaurav Kansal wrote:
>> Or if you are ready to take some pain, then take the mirror from the network 
>> side, parse the packets and you can achieve whatever you want to do, build 
>> beautiful graphs, have reports and what not.
>> This will also help in reducing the load on your DNS node by disabling the 
>> logging completely and you can achieve high QPS.
>> One such tool which can do all for you is dnsmonster - 
>> https://github.com/mosajjal/dnsmonster. Just send mirror traffic to this 
>> and it will do everything for you.
> The major problem with packet mirroring and parsing is that it is unusable 
> for encrypted transports. For that very reason I think dnstap is the way to 
> go.
> 
> -- 
> Petr Špaček





Re: getting answers from DNS queries

2022-05-03 Thread Petr Špaček

On 03. 05. 22 10:56, Gaurav Kansal wrote:
> Or if you are ready to take some pain, then take the mirror from the 
> network side, parse the packets and you can achieve whatever you want 
> to do, build beautiful graphs, have reports and what not.
> This will also help in reducing the load on your DNS node by disabling 
> the logging completely and you can achieve high QPS.
> 
> One such tool which can do all for you is dnsmonster - 
> https://github.com/mosajjal/dnsmonster. Just send mirror traffic to 
> this and it will do everything for you.

The major problem with packet mirroring and parsing is that it is 
unusable for encrypted transports. For that very reason I think dnstap 
is the way to go.


--
Petr Špaček


Re: getting answers from DNS queries

2022-05-03 Thread Gaurav Kansal
Or if you are ready to take some pain, then take the mirror from the network 
side, parse the packets and you can achieve whatever you want to do, build 
beautiful graphs, have reports and what not.
This will also help in reducing the load on your DNS node by disabling the 
logging completely and you can achieve high QPS.

One such tool which can do all for you is dnsmonster - 
https://github.com/mosajjal/dnsmonster. Just send mirror traffic to this and it 
will do everything for you.

Thanks,
Gaurav Kansal


> On 25-Apr-2022, at 22:15, m3...@m3047.net wrote:
> 
> More specificity would help. OTOH you mentioned the word "compile"...
> 
> On Mon, 25 Apr 2022, King, Harold Clyde (Hal) via bind-users wrote:
>> I asked this last week, but I didn't get an answer. How can I tell if a DNS 
>> query is refused or answered? Is it in the log files?
> 
> Not the latest version of BIND (9.12), but here's what I get in the log:
> 
> 25-Apr-2022 06:54:33.353 debug 2: fetch completed at resolver.c:4176 for 
> time.nist.gov/A in 10.000446: timed out/success 
> [domain:nist.gov,referral:0,restart:1,qrysent:4,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 25-Apr-2022 06:56:21.593 debug 2: fetch completed at resolver.c:4176 for 
> time.nist.gov/A in 10.000430: timed out/success 
> [domain:nist.gov,referral:0,restart:2,qrysent:10,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
> 
> Here's the config for that:
> 
>     // Must start named with -d 2 for this to be activated,
>     // otherwise it's just silent.
>     channel queryerrors {
>         file "bind-query-errors.log" versions 2 size 20m;
>         severity debug 2;
>         print-category no;
>         print-severity yes;
>         print-time yes;
>     };
> 
> I would expect the information you seek to be available via Dnstap.
> 
> --
> 
> Fred Morris, internet plumber
> 





Re: getting answers from DNS queries

2022-04-25 Thread Fred Morris

More specificity would help. OTOH you mentioned the word "compile"...

On Mon, 25 Apr 2022, King, Harold Clyde (Hal) via bind-users wrote:
> I asked this last week, but I didn't get an answer. How can I tell if a DNS 
> query is refused or answered? Is it in the log files?


Not the latest version of BIND (9.12), but here's what I get in the log:

25-Apr-2022 06:54:33.353 debug 2: fetch completed at resolver.c:4176 for 
time.nist.gov/A in 10.000446: timed out/success 
[domain:nist.gov,referral:0,restart:1,qrysent:4,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
25-Apr-2022 06:56:21.593 debug 2: fetch completed at resolver.c:4176 for 
time.nist.gov/A in 10.000430: timed out/success 
[domain:nist.gov,referral:0,restart:2,qrysent:10,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]


Here's the config for that:

    // Must start named with -d 2 for this to be activated,
    // otherwise it's just silent.
    channel queryerrors {
        file "bind-query-errors.log" versions 2 size 20m;
        severity debug 2;
        print-category no;
        print-severity yes;
        print-time yes;
    };

I would expect the information you seek to be available via Dnstap.

--

Fred Morris, internet plumber
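
Added example (not part of Fred Morris's post and not BIND code): a small Python parser for the "fetch completed" entries quoted above, totalling failed fetches and upstream queries per domain. It assumes each entry sits on one line in the log file and that the pair before the bracket is fetch result / DNSSEC validation result; the third sample line is constructed.

```python
import re
from collections import defaultdict

# First two lines: the entries quoted in the post, re-joined (the e-mail wrapped
# them across three lines). Third line: constructed for this example.
SAMPLE_LOG = """\
25-Apr-2022 06:54:33.353 debug 2: fetch completed at resolver.c:4176 for time.nist.gov/A in 10.000446: timed out/success [domain:nist.gov,referral:0,restart:1,qrysent:4,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
25-Apr-2022 06:56:21.593 debug 2: fetch completed at resolver.c:4176 for time.nist.gov/A in 10.000430: timed out/success [domain:nist.gov,referral:0,restart:2,qrysent:10,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
25-Apr-2022 06:57:02.101 debug 2: fetch completed at resolver.c:4176 for www.example.com/AAAA in 0.020113: success/success [domain:example.com,referral:1,restart:1,qrysent:2,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
"""

# Assumed field meaning: <result> is the fetch outcome, <vresult> the
# validation outcome; the bracketed part is a list of key:value counters.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?fetch completed at \S+ for "
    r"(?P<qname>\S+)/(?P<qtype>[A-Za-z0-9-]+) in (?P<secs>\d+\.\d+): "
    r"(?P<result>[^/\[]+)/(?P<vresult>[^\[]+?) \[(?P<counters>[^\]]*)\]"
)


def parse_line(line):
    """Return a dict for one 'fetch completed' entry, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["secs"] = float(rec["secs"])
    counters = {}
    for item in filter(None, rec.pop("counters").split(",")):
        key, _, value = item.partition(":")
        # "domain" is a name; every other counter is an integer.
        counters[key] = int(value) if value.isdigit() else value
    rec["counters"] = counters
    return rec


def summarize(log_text):
    """Aggregate per domain: fetch count, failed fetches, upstream queries sent."""
    stats = defaultdict(
        lambda: {"fetches": 0, "failed": 0, "qrysent": 0, "max_secs": 0.0}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a 'fetch completed' entry
        s = stats[rec["counters"].get("domain", "?")]
        s["fetches"] += 1
        s["failed"] += rec["result"] != "success"
        s["qrysent"] += rec["counters"].get("qrysent", 0)
        s["max_secs"] = max(s["max_secs"], rec["secs"])
    return dict(stats)


if __name__ == "__main__":
    for domain, s in sorted(summarize(SAMPLE_LOG).items()):
        print(domain, s)
```
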



Re: getting answers from DNS queries

2022-04-25 Thread Ondřej Surý
That’s much better - you should search for dnstap, initial pointer might be:

https://kb.isc.org/docs/aa-01342

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 25. 4. 2022, at 17:27, King, Harold Clyde (Hal)  wrote:
> 
> That's fair. I can see queries come into my DNS server, but I can't find 
> answers to those queries. I have an RPZ zone and I get a log file that 
> says PASSTHROUGH or NXDOMAIN. That tells me that the request was served or 
> denied. I want something that will tell me the answer to each query. I have 
> my server set to deny requests for recursion. So I know those will be 
> denied, I want that for every query. I compile each new release and use that 
> for production. Is there something I can set at compile-time? Perhaps I add 
> an option to the logging statement? I kinda lost my google-fu on this one and 
> I really am thankful to y'all for any help that you might have.
> 
> 
> --
> 
> Hal King  - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Services
> 
> The University of Tennessee
> 103c5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone: 974-1599
> 
> 
> From: Ondřej Surý
> Sent: Monday, April 25, 2022 10:37 AM
> To: King, Harold Clyde (Hal)
> Cc: bind-users
> Subject: Re: getting answers from DNS queries
> 
> > I asked this last week, but I didn't get an answer.
> 
> Probably because I still don’t know what you mean. You need to better
> articulate your problem and your question.
> 
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
> 
> My working hours and your working hours may be different. Please do not feel 
> obligated to reply outside your normal working hours.
> 
> > On 25. 4. 2022, at 16:11, King, Harold Clyde (Hal) via bind-users 
> >  wrote:
> >
> > I asked this last week, but I didn't get an answer. How can I tell if a DNS 
> > query is refused or answered? Is it in the log files? Can a compile-time 
> > option help me access it? Sorry to repeat but I really need to know this.
> >
> > Thanks in advance.
> >
> >
> > --
> >
> > Hal King  - h...@utk.edu
> > Systems Administrator
> > Office of Information Technology
> > Shared Services
> >
> > The University of Tennessee
> > 103c5 Kingston Pike Building
> > 2309 Kingston Pk. Knoxville, TN 37996
> > Phone: 974-1599
> > 





Re: getting answers from DNS queries

2022-04-25 Thread King, Harold Clyde (Hal) via bind-users
That's fair. I can see queries come into my DNS server, but I can't find 
answers to those queries. I have an RPZ zone and I get a log file that says 
PASSTHROUGH or NXDOMAIN. That tells me that the request was served or denied. I 
want something that will tell me the answer to each query. I have my server set 
to deny requests for recursion. So I know those will be denied, I want that 
for every query. I compile each new release and use that for production. Is 
there something I can set at compile-time? Perhaps I add an option to the 
logging statement? I kinda lost my google-fu on this one and I really am 
thankful to y'all for any help that you might have.


--

Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Services

The University of Tennessee
103c5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599


From: Ondřej Surý
Sent: Monday, April 25, 2022 10:37 AM
To: King, Harold Clyde (Hal)
Cc: bind-users
Subject: Re: getting answers from DNS queries

> I asked this last week, but I didn't get an answer.

Probably because I still don’t know what you mean. You need to better
articulate your problem and your question.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 25. 4. 2022, at 16:11, King, Harold Clyde (Hal) via bind-users 
>  wrote:
>
> I asked this last week, but I didn't get an answer. How can I tell if a DNS query 
> is refused or answered? Is it in the log files? Can a compile-time option 
> help me access it? Sorry to repeat but I really need to know this.
>
> Thanks in advance.
>
>
> --
>
> Hal King  - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Services
>
> The University of Tennessee
> 103c5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone: 974-1599
> 



Re: getting answers from DNS queries

2022-04-25 Thread Peter Coghlan
>
> I asked this last week, but I didn't get an answer. How can I tell if a DNS
> query is refused or answered? Is it in the log files? Can a compile-time
> option help me access it? Sorry to repeat but I really need to know this.
>
> Thanks in advance.
>

Hi Hal,

I saw at least one reply to your query on the mailing list.  However, I
don't think it really answered your question.

I also sent you a private email reply which you don't appear to have seen.
Maybe check if anything has been stopped by an antispam system?

My experience is there is little interest here in dealing with the subject
of malicious, bogus queries etc.

Regards,
Peter Coghlan.

>
> --
> 
> Hal King  - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Services
> 
> The University of Tennessee
> 103c5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone: 974-1599


Re: getting answers from DNS queries

2022-04-25 Thread Ondřej Surý
> I asked this last week, but I didn't get an answer.

Probably because I still don’t know what you mean. You need to better
articulate your problem and your question.

Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 25. 4. 2022, at 16:11, King, Harold Clyde (Hal) via bind-users 
>  wrote:
> 
> I asked this last week, but I didn't get an answer. How can I tell if a DNS query 
> is refused or answered? Is it in the log files? Can a compile-time option 
> help me access it? Sorry to repeat but I really need to know this.
> 
> Thanks in advance.
> 
> 
> --
> 
> Hal King  - h...@utk.edu
> Systems Administrator
> Office of Information Technology
> Shared Services
> 
> The University of Tennessee
> 103c5 Kingston Pike Building
> 2309 Kingston Pk. Knoxville, TN 37996
> Phone: 974-1599
> 





getting answers from DNS queries

2022-04-25 Thread King, Harold Clyde (Hal) via bind-users
I asked this last week, but I didn't get an answer. How can I tell if a DNS query 
is refused or answered? Is it in the log files? Can a compile-time option help 
me access it? Sorry to repeat but I really need to know this.

Thanks in advance.


--

Hal King  - h...@utk.edu
Systems Administrator
Office of Information Technology
Shared Services

The University of Tennessee
103c5 Kingston Pike Building
2309 Kingston Pk. Knoxville, TN 37996
Phone: 974-1599