DNS traffic tracking

Alex K rightkicktech at gmail.com
Wed May 11 07:46:45 UTC 2022


On Mon, May 9, 2022 at 7:27 PM Fred Morris <m3047 at m3047.net> wrote:

> On Mon, 9 May 2022, Alex K wrote:
> > [...]
> > The problem now is that I sometimes see 700MB of DNS traffic for 2GB of
> > Internet browsing within one month.
>
> That's an eyebrow raiser. Tunneling, antivirus (or some other database
> using DNS as a key+value store), CDN? IoT fleet? Then comes the inevitable
> "...or traffic you don't want".
>
> Not clear on where the expensive link sits (between the caching resolver
> and clients, or between the caching resolver and the rest of the
> internet). Not sure what you're able to do politically or where things
> like privacy or "net neutrality" come into play, but it does seem to me
> that not burning precious bandwidth for ads might be a value-added
> service... if they're really watching cat videos.
>
The setup is: edge device, where a caching DNS server runs and where the
users are serviced -> satellite -> upstream DNS servers, which can be either
public ones or my second-level caching DNS server, depending on the
setup.  The expensive link is from the edge device to the next hop, which is
through satellite and, depending on the satellite type, may have a low
allowance on the monthly traffic (4GB to 8GB max).

>
> I second the comment that Dnstap might be your best friend.
>
> There are technical considerations, but I think generally this is veering
> into the realm of what's possible (which is seldom actually technical);
> this includes your means and ability to analyze the DNS traffic. If you
> want to discuss further feel free to email me.
>
Thanks for all the feedback. I will need to drill down and see what kind of
DNS traffic that is, then perhaps implement some more secure firewalling
(find a way to block VPN over DNS) and rate limiting.
I was also thinking of perhaps having a preloaded RPZ list that will block
malware domains at the caching DNS server at the edge.

> --
>
> Fred Morris, internet plumber
>
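One way to do the "drill down" discussed in this thread, as an added example that is not part of the original messages: a Python sketch that reads BIND querylog lines (as written after `rndc querylog on`), totals query-name bytes per base domain, and flags domains that receive many distinct long, random-looking subdomains, the usual signature of DNS tunneling. The sample lines, the `.example` names, the thresholds and the "last two labels" base-domain rule are all assumptions made for illustration.

```python
import math
import re
from collections import defaultdict

# Pulls the client address and query name out of a BIND 9 querylog line.
QUERY_RE = re.compile(r"client (?:@\S+ )?(\S+)#\d+ .*?query: (\S+) IN \S+")

# Constructed sample in querylog format (not real traffic); names use the reserved .example TLD.
_LINE = "11-May-2022 07:40:01.000 queries: info: client @0x7f3c {c}#40001 ({q}): query: {q} IN {t} +E(0)K (10.0.0.1)"
SAMPLE_LOG = "\n".join(_LINE.format(c=c, q=q, t=t) for c, q, t in [
    ("10.0.0.5", "www.shop.example", "A"),
    ("10.0.0.5", "api.shop.example", "AAAA"),
    ("10.0.0.6", "www.news.example", "A"),
    ("10.0.0.7", "mzxw6ytboi2gk3tfmrqxgzlsorugs4tf.tun.example", "TXT"),
    ("10.0.0.7", "nbswy3dpeb3w64tmmqqhi2djomqgc5df.tun.example", "TXT"),
    ("10.0.0.7", "orugs4zanfzsa5dimuqgm2lsom2ca3tp.tun.example", "TXT"),
    ("10.0.0.7", "ifwgc3lbebuxg5dvojsxe2lqnfxgo4tj.tun.example", "TXT"),
])

def entropy(s):
    # Shannon entropy in bits per character.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def summarize(log_text):
    """Per base domain: query count, total qname bytes, unique subdomains, clients."""
    stats = defaultdict(lambda: {"queries": 0, "qname_bytes": 0, "subs": set(), "clients": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        s = stats[".".join(labels[-2:])]  # assumption: last two labels = registered domain
        s["queries"] += 1
        s["qname_bytes"] += len(qname)
        s["clients"].add(client)
        if len(labels) > 2:
            s["subs"].add(".".join(labels[:-2]))
    return stats

def suspects(stats, min_unique=4, min_len=30, min_entropy=3.0):
    """Base domains with many distinct long, high-entropy subdomains (thresholds are assumptions)."""
    return sorted(b for b, s in stats.items()
                  if sum(len(x) >= min_len and entropy(x) >= min_entropy for x in s["subs"]) >= min_unique)

def top_by_bytes(stats):
    """Base domains ordered by total query-name bytes, largest first."""
    return sorted(stats, key=lambda b: stats[b]["qname_bytes"], reverse=True)
```

The querylog carries no message sizes, so query-name bytes are only a proxy for link usage; dnstap captures, as suggested in the thread, include the full messages and give real byte counts.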

