Getting RPZ statistics

John Hascall john at iastate.edu
Fri Dec 7 23:17:47 UTC 2012


We point our DNS-RPZ records at a server ("here-be-dragons")
that records connections at that point.  Also the webserver
listening there sends back either an image or javascript+html
which explains to the user the reason they are not seeing the
webpage they expect.

The web server gives us a convenient way to gather statistics
on which client machines are attempting to access which
"bad hosts".

One of the stats we generate each night is the ten machines
which accessed the here-be-dragons server the most, which we
send to the help desk so they can let the person know their
machine is probably infected with malware.

John
-------------------------------------------------------------------------------
John Hascall, john at iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology
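The nightly "top ten clients" report described above, as an added example that is
not code from the original post or from Iowa State. It assumes the sinkhole web
server logs in Apache "combined" format with the requested Host header appended
as one extra quoted field (an assumed LogFormat, not something stated on the
list), so each line records which client asked for which blocked name. The log
lines embedded below are constructed, not real traffic.

```python
"""Summarise hits on an RPZ sinkhole ("here-be-dragons") web server.

Added example, not code from the original post. Assumes the sinkhole web
server logs in Apache "combined" format with the requested Host header
appended as an extra quoted field (an assumed LogFormat), so that each
line records which client asked for which blocked name. The sample log
lines below are constructed.
"""
import re
from collections import Counter, defaultdict

# Combined log format plus a trailing "%{Host}i" field (assumed LogFormat).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<host>[^"]*)")?$'
)

# Constructed sample: three clients, one of them clearly noisier than the
# rest, plus one unparseable line to show that bad input is skipped.
SAMPLE_LOG = """\
10.1.2.3 - - [07/Dec/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "evil-c2.example"
10.1.2.3 - - [07/Dec/2012:10:00:07 +0000] "GET /gate.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "evil-c2.example"
10.1.2.3 - - [07/Dec/2012:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "dropper.example"
10.9.9.9 - - [07/Dec/2012:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" "dropper.example"
10.5.5.5 - - [07/Dec/2012:10:03:00 +0000] "GET /favicon.ico HTTP/1.1" 200 512 "-" "Mozilla/5.0" "phish.example"
10.5.5.5 - - [07/Dec/2012:10:03:01 +0000] "GET /favicon.ico HTTP/1.1" 200 512 "-" "Mozilla/5.0" "phish.example"
this line is garbage and must be skipped, not crash the report
"""


def parse_line(line):
    """Return (client, blocked_host) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    host = m.group("host") or "-"
    return m.group("client"), host


def summarize(lines):
    """Count hits per client and collect the blocked names each client asked for.

    Returns (hits Counter, {client: set of hosts}, number of skipped lines).
    """
    hits = Counter()
    names = defaultdict(set)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1
            continue
        client, host = parsed
        hits[client] += 1
        names[client].add(host)
    return hits, names, skipped


def top_clients(lines, n=10):
    """The n noisiest clients, as (client, hit_count, sorted blocked names)."""
    hits, names, _ = summarize(lines)
    return [(c, count, sorted(names[c])) for c, count in hits.most_common(n)]


def report(lines, n=10):
    """Plain-text report of the form a help desk could act on."""
    out = []
    for client, count, hosts in top_clients(lines, n):
        out.append(f"{client:15} {count:5d}  {', '.join(hosts)}")
    return "\n".join(out)


if __name__ == "__main__":
    # Nightly run would read the day's sinkhole access log instead of SAMPLE_LOG.
    print(report(SAMPLE_LOG.splitlines()))
```

Two caveats when using something like this in practice: the client address the
sinkhole sees is the source of the HTTP connection, so machines behind a NAT or
a web proxy collapse into one line and the proxy, not the infected host, tops the
list; and only HTTP(S) traffic to the blocked name is counted, so a client that
resolved a blocked name but spoke some other protocol leaves no trace here.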

> I recently (as of 2 days ago) enabled RPZ on all of my name servers.  I
> currently use "rndc stats", perl, and SNMP to make certain global stats
> available to our network monitoring system to make charts (number of queries
> across all views and such).  I'd like to do the same for just the RPZ zone so
> I can get an idea of how many queries are getting handled by RPZ itself.
> 
> I added "zone-statistics yes;" to the RPZ zone, and the statistics file
> showed the header for that zone, but then there were no stats there.  I
> enabled the zone-statistics for a "regular" zone and it provided stats as
> expected.  Here's what my stats file looks like with zone-statistics enabled
> in the RPZ zone and one other zone for comparison.
> 
> ++ Per Zone Query Statistics ++
> [utc.edu (view: view1)]
>                   3 queries resulted in successful answer
>                   9 queries resulted in authoritative answer
>                   2 queries resulted in nxrrset
>                   4 queries resulted in NXDOMAIN
> [rpz (view: view2)]
> [rpz (view: view1)]
> 
> My assumption is that since the RPZ zone is "special" it therefore can't
> keep track of stats.  Is this the case or am I overlooking something obvious?
> 
> I guess I could CNAME all the RPZ records to a single host in a separate
> domain and then do zone-statistics on that one zone, but that's kinda dirty.
> 
> -Christopher
> 