On 9/1/20 9:15 PM, Andreas Ott wrote:
On Mon, Aug 31, 2020 at 8:00 PM P Vixie <[email protected] <mailto:[email protected]>> wrote:
[...] the observation that something bad is not happening to somebody doesn't mean it's not happening to anybody.

May I please ask an operational question to experts: though I am only running a small number of authoritative and recursive servers, I am coming up short looking up what logging I need to turn on in BIND 9.16 and what logged strings I need to parse out to see responses coming from a different IP? I have various log channels enabled per the BIND logging "FAQ", but either I am missing config bits or the problem does not occur (on my servers). This is in a network lab setup and I am able to share data.
I don't think this is implemented in a way needed for this kind of analysis in any recursive DNS software. I have chosen to do dnscap on the interface with outgoing traffic and may do correlation of requests/responses based on qname/qtype and look for mismatches in dst IP/src IP afterwards. Another option that comes to my mind is to tweak/reuse the collectd dns plugin, which also opens the packet flow on a configurable interface with libpcap and may be able to do some online data correlation.

Just my 5¢

Thomas
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
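The offline correlation Thomas describes (pair each outgoing query with the response that answers it, then flag responses whose source address is not the address the query was sent to) can be sketched in a few lines of Python. The block below is an added example written for this thread, not code from either poster, dnscap, or collectd; it works on a constructed list of already-parsed packet records rather than on real pcap output, and the addresses, ports, transaction IDs and names are all made-up documentation values. A real pipeline would fill `DnsRecord` from dnscap's output (or any pcap parser) and feed the same `find_source_mismatches` function.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    """One DNS packet seen on the resolver's upstream-facing interface.

    Hypothetical, pre-parsed shape standing in for dnscap/pcap output."""
    ts: float          # capture timestamp
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int          # DNS transaction ID
    qname: str
    qtype: str
    is_response: bool  # QR bit


def find_source_mismatches(records):
    """Correlate queries with responses and look for source-address mismatches.

    A response is matched to the outstanding query with the same transaction
    ID, qname, qtype and client port (the query's source port == the response's
    destination port).  For every matched pair the response's source IP is
    compared with the query's destination IP; any difference is a mismatch.
    Responses that match no outstanding query are reported as unsolicited.
    Returns a dict with 'mismatches' (list of (query, response) tuples) and
    'unsolicited' (list of responses)."""
    pending = {}          # (txid, qname, qtype, client_port) -> query record
    mismatches = []
    unsolicited = []
    for rec in sorted(records, key=lambda r: r.ts):
        if not rec.is_response:
            key = (rec.txid, rec.qname.lower(), rec.qtype, rec.src_port)
            pending[key] = rec
            continue
        key = (rec.txid, rec.qname.lower(), rec.qtype, rec.dst_port)
        query = pending.pop(key, None)
        if query is None:
            unsolicited.append(rec)
        elif rec.src_ip != query.dst_ip:
            mismatches.append((query, rec))
    return {"mismatches": mismatches, "unsolicited": unsolicited}


# Constructed sample capture: one clean exchange, one response from an
# address other than the one queried, and one response nobody asked for.
SAMPLE_RECORDS = [
    DnsRecord(1.00, "192.0.2.10", 40001, "198.51.100.1", 53, 0x1A2B,
              "example.com.", "A", False),
    DnsRecord(1.02, "198.51.100.1", 53, "192.0.2.10", 40001, 0x1A2B,
              "example.com.", "A", True),
    DnsRecord(2.00, "192.0.2.10", 40002, "203.0.113.5", 53, 0x3C4D,
              "www.example.net.", "AAAA", False),
    DnsRecord(2.03, "203.0.113.77", 53, "192.0.2.10", 40002, 0x3C4D,
              "www.example.net.", "AAAA", True),
    DnsRecord(3.00, "198.51.100.9", 53, "192.0.2.10", 40003, 0x5E6F,
              "example.org.", "MX", True),
]


def report(records=SAMPLE_RECORDS):
    """Print a human-readable summary; returns the result dict for reuse."""
    result = find_source_mismatches(records)
    for q, r in result["mismatches"]:
        print(f"MISMATCH {q.qname} {q.qtype}: sent to {q.dst_ip}, "
              f"answered from {r.src_ip} (txid {q.txid:#06x})")
    for r in result["unsolicited"]:
        print(f"UNSOLICITED response from {r.src_ip} for {r.qname} {r.qtype}")
    return result


if __name__ == "__main__":
    report()
```

Matching on transaction ID and client port in addition to qname/qtype keeps the pairing tight when the resolver has several identical questions in flight; if the capture only yields qname/qtype, drop those two fields from the key and expect more ambiguous matches.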
