> On 17 Sep 2024, at 22:39, Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users <bind-users@lists.isc.org> wrote:
>
> Hello,
> BIND 9.18.7
> RHEL 8.10 (Ootpa)
> I am being asked if it is possible to differentiate the percentage of
> queries coming into a server that are unencrypted, DoT and DoH.
> Example: For a given 24 hours, 50% were 53, 25% were 853 and 25% were 443.
> I cannot find a difference in the query logs to show how the query came into
> the server. My only thought at the moment is to run ‘tcpdump’ on all of the
> servers and script something.
> Is there some way that I just have not found within BIND?

You can use the awesome Dnstap for that. Much better than using pcap because it provides context.

For the CLIENT_QUERY and CLIENT_RESPONSE messages, the response_port field will give you that data per query.

Note that your mileage might vary if you use other DNS servers. As far as I know Bind has the most comprehensive Dnstap implementation by far.

Cheers,

Borja.
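
Added example, not part of the original message and not ISC code: a Python sketch that turns the `response_port` of each CLIENT_QUERY message into the per-transport percentages asked for above. It assumes the dnstap capture has been decoded to YAML-style text (for instance with `dnstap-read -y`) in which each message is a `---`-separated document with indented `key: value` fields; the sample input, the `PORT_LABELS` mapping and the function names are constructed for illustration.

```python
from collections import Counter

# Ports from the question (53, 853, 443); adjust to your listen-on settings.
PORT_LABELS = {53: "Do53", 853: "DoT", 443: "DoH"}

def _doc(msg_type, port):
    # Constructed sample document, trimmed to the two fields used here.
    return f"type: MESSAGE\nmessage:\n  type: {msg_type}\n  response_port: {port}\n"

# Constructed sample: four queries plus one response that must not be counted.
SAMPLE = "---\n".join(_doc(t, p) for t, p in [
    ("CLIENT_QUERY", 53), ("CLIENT_RESPONSE", 53), ("CLIENT_QUERY", 53),
    ("CLIENT_QUERY", 853), ("CLIENT_QUERY", 443)])

def parse_messages(text):
    """Yield one dict of the indented (nested) fields per document."""
    for doc in text.split("\n---"):
        fields = {}
        for line in doc.splitlines():
            key, sep, value = line.partition(":")
            # Only indented lines belong to the inner dnstap message.
            if sep and line[:1].isspace():
                fields[key.strip()] = value.strip()
        if fields:
            yield fields

def transport_share(text, labels=PORT_LABELS):
    """Return {transport: percent} over CLIENT_QUERY messages only."""
    counts = Counter()
    for msg in parse_messages(text):
        if msg.get("type") != "CLIENT_QUERY":
            continue  # each query also has a CLIENT_RESPONSE; count it once
        try:
            port = int(msg["response_port"])
        except (KeyError, ValueError):
            counts["unknown"] += 1  # field missing or not numeric
            continue
        counts[labels.get(port, f"other:{port}")] += 1
    total = sum(counts.values())
    return {k: round(100 * v / total, 1) for k, v in counts.items()}

if __name__ == "__main__":
    print(transport_share(SAMPLE))
```

Ports outside the mapping are reported as `other:<port>` rather than dropped, so a listener on a non-standard port shows up in the totals.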