DNS traffic tracking
Petr Špaček
pspacek at isc.org
Mon May 9 10:47:25 UTC 2022
On 09. 05. 22 12:06, Alex K wrote:
> Hi Greg,
>
> On Mon, May 9, 2022 at 11:17 AM Greg Choules
> <gregchoules+bindusers at googlemail.com> wrote:
>
> Hi Alex.
> Your use case may be very different to the one I faced in my
> previous job. But there we did not and could not charge for DNS. It
> was seen as a necessary but free resource.
> If you *really* want to account for how many queries clients are
> making, a quick and dirty solution is enabling querylog, BUT be
> warned it causes a lot more load on the system. The better tool
> would be DNStap.
>
> I would rather prefer to avoid enabling query logs. One other thing I
> was thinking is to just see if bind9 logs the cache hit ratio in the
> stats and use that as a rough coefficient for the internal client
> traffic accounting.
There is a bunch of data available in the statistics channel:
https://bind9.readthedocs.io/en/latest/reference.html#statistics-counters
Beware:
It might give you only a very rough estimate, like, "is cache hit rate
on average 0, 1/10, 1/2, or 9/10".
It is good enough to detect that a client engaged in a random subdomain
attack and you need to look into traffic, but that's about it.
--
Petr Špaček
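
Added example, not part of the original message and not BIND's own code: a rough cache hit ratio computed from two statistics-channel snapshots, with a check for the sharp drop a random subdomain attack would cause. Assumptions: the JSON layout and the QueryHits/QueryMisses counter names are modelled on the /json/v1 output and should be checked against your BIND version; the snapshots, function names and the 0.5 drop factor are constructed for illustration.

```python
import json

# Constructed snapshots shaped like the "cachestats" block of the JSON
# statistics channel (assumed layout; verify against your named version).
SNAP_T0 = json.loads(
    '{"views": {"_default": {"resolver": {"cachestats":'
    ' {"QueryHits": 90000, "QueryMisses": 10000}}}}}'
)
SNAP_T1 = json.loads(
    '{"views": {"_default": {"resolver": {"cachestats":'
    ' {"QueryHits": 90500, "QueryMisses": 14500}}}}}'
)


def cache_counters(snapshot, view="_default"):
    """Return (hits, misses) for one view from a parsed snapshot."""
    stats = snapshot["views"][view]["resolver"]["cachestats"]
    return stats["QueryHits"], stats["QueryMisses"]


def interval_hit_ratio(before, after, view="_default"):
    """Hit ratio for the traffic seen between two snapshots.

    The counters are cumulative since named started, so a ratio taken from
    one snapshot hides recent changes; only the deltas describe the interval.
    Returns None if counters went backwards (restart) or nothing was queried.
    """
    hits0, misses0 = cache_counters(before, view)
    hits1, misses1 = cache_counters(after, view)
    d_hits, d_misses = hits1 - hits0, misses1 - misses0
    if d_hits < 0 or d_misses < 0 or d_hits + d_misses == 0:
        return None
    return d_hits / (d_hits + d_misses)


def looks_anomalous(ratio, baseline, drop=0.5):
    """True when the interval ratio fell below drop * baseline.

    This is only a trigger to go and look at the traffic (for example with
    dnstap); it does not identify the client. The drop factor is an assumption.
    """
    return ratio is not None and ratio < baseline * drop


if __name__ == "__main__":
    ratio = interval_hit_ratio(SNAP_T0, SNAP_T1)
    print("interval hit ratio:", ratio)
    print("investigate:", looks_anomalous(ratio, baseline=0.9))
```

In practice the two snapshots would be fetched a fixed interval apart from the statistics channel configured in named.conf, and the baseline taken from normal operation.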