DNS traffic tracking

Petr Špaček pspacek at isc.org
Mon May 9 07:26:08 UTC 2022


On 06. 05. 22 17:02, Alex K wrote:
> Hi all,
> 
> I have the following problem: I run a caching dns server using bind9 
> v9.10.3 in a gateway device which it serves several internal LAN IP 
> addresses (clients). I am doing some traffic accounting in the gateway 
> device using Linux conntrack so as to calculate the generated client 
> traffic (mostly HTTP/HTTPs related, in/out) so as to charge the volume 
> consumed.
> 
> What I cannot charge is the actual DNS traffic that each client is 
> generating, since each client DNS request is actually two sessions, one 
> between client and gateway device and the other between gateway and 
> upstream DNS servers. It seems to me not fair to charge the traffic 
> observed between the client and the gateway since the internal DNS 
> traffic includes cached responses and may be much higher from the actual 
> DNS traffic observed on the WAN side (gateway - upstream).
> 
> I was wondering if there is a solution to this. If bind9 has any feature 
> that can be used to track the WAN DNS traffic and understand from which 
> client was first requested/generated. In this way I will be able to 
> differentiate the DNS traffic per client and avoid accounting DNS 
> traffic that the gateway generated for its own services.

It cannot be done because there is no 1:1 mapping between client and 
authoritative side of BIND. Multiple client queries might be solved by a 
single query to authoritative side, or a single query might cause 
multiple interrelated queries.

If money is involved then I say "don't even try": All reasonable 
solutions will cause either overcharging or undercharging, which is not 
only objectionable but also possibly illegal.

Out of curiosity, is the amount of traffic so large it is worth 
considering it? Compared to all the YouTube videos? :-)

-- 
Petr Špaček
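The point in the reply above, that cache hits and multi-query resolutions break any 1:1 link between a client's DNS requests and the bytes BIND sends upstream, can be shown with a small simulation. The following is an added illustration, not code from BIND or from either poster; the packet sizes, TTL, client names and the per-name upstream query counts are constructed for the toy model.

```python
"""Toy model of a shared caching resolver (constructed example, not BIND code).

Shows why WAN-side DNS bytes cannot be attributed 1:1 to LAN clients:
a cache hit costs zero upstream bytes, while a single cache miss may
cost several upstream round trips (e.g. a CNAME chain or delegations).
"""
from collections import defaultdict

# Constructed on-the-wire sizes for the model; real DNS packets vary.
QUERY_BYTES = 60
RESPONSE_BYTES = 120
EXCHANGE_BYTES = QUERY_BYTES + RESPONSE_BYTES

# Constructed: how many authoritative-side exchanges one cache miss costs.
UPSTREAM_QUERIES_PER_MISS = {
    "www.example.com": 1,   # answered by a single upstream exchange
    "cdn.example.net": 3,   # hypothetical CNAME chain: three exchanges
}

# Constructed client query log: (time in seconds, client, queried name).
SAMPLE_QUERIES = [
    (0,   "A", "www.example.com"),   # miss: A triggers the upstream fetch
    (1,   "B", "www.example.com"),   # hit: B reuses A's cached answer
    (2,   "B", "cdn.example.net"),   # miss: costs three upstream exchanges
    (3,   "C", "www.example.com"),   # hit
    (4,   "C", "www.example.com"),   # hit
    (5,   "C", "www.example.com"),   # hit
    (400, "A", "www.example.com"),   # TTL expired: miss again
]


def simulate(client_queries, ttl=300):
    """Replay a query log through a cache with a fixed TTL.

    Returns per-client LAN bytes (what conntrack sees between client and
    gateway), per-client WAN bytes under an 'originator pays' rule
    (the client whose miss caused the fetch is billed), and total WAN bytes.
    """
    cache = {}                      # name -> expiry time
    lan = defaultdict(int)
    wan_originator = defaultdict(int)
    wan_total = 0
    for t, client, name in client_queries:
        # Every client query costs LAN bytes whether or not it is cached.
        lan[client] += EXCHANGE_BYTES
        if name in cache and cache[name] > t:
            continue                # cache hit: nothing crosses the WAN
        cost = UPSTREAM_QUERIES_PER_MISS[name] * EXCHANGE_BYTES
        wan_total += cost
        wan_originator[client] += cost
        cache[name] = t + ttl
    return {
        "lan": dict(lan),
        "wan_originator": dict(wan_originator),
        "wan_total": wan_total,
    }


def run_sample():
    """Run the constructed log and return the accounting result."""
    return simulate(SAMPLE_QUERIES)


if __name__ == "__main__":
    result = run_sample()
    print("LAN bytes per client:        ", result["lan"])
    print("WAN bytes, originator pays:  ", result["wan_originator"])
    print("WAN bytes total:             ", result["wan_total"])
```

In the constructed log, client C sends the most DNS traffic on the LAN side yet never causes a single upstream byte, while client B's one miss on a CNAME chain costs three upstream exchanges. Billing LAN bytes overcharges C for traffic that never left the gateway; billing by originator charges C nothing and makes the first requester subsidise everyone who later hits the cache. No rule gives a per-client WAN figure that is both consistent and fair, which is the reply's point.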

