OPNsense Forum

English Forums => General Discussion => Topic started by: nycaleksey on October 31, 2017, 03:23:17 pm

Title: logs with client IPs in Unbound
Post by: nycaleksey on October 31, 2017, 03:23:17 pm
Does anyone know if it is possible to have unbound log the client IP for every request it receives?
Title: Re: logs with client IPs in Unbound
Post by: bartjsmit on October 31, 2017, 06:32:17 pm
You can look at the firewall logs for incoming traffic on port 53. For further analysis (i.e. Splunk) you can forward your logs to an external server.

Bart...
Title: Re: logs with client IPs in Unbound
Post by: nycaleksey on October 31, 2017, 09:39:37 pm
Bart,

Yes, of course I can forward the logs if I have them. The problem is that Unbound does not seem to have an option to have the IP address of the client sending the query logged unless a very chatty debug is enabled.
I can probably have something analyze network traffic and keep a log of DNS queries from there, but to me a nameserver process seems like a much more appropriate source of this data.
Title: Re: logs with client IPs in Unbound
Post by: NilsS on October 31, 2017, 09:55:18 pm
Have you tried:

log-queries: <yes or no>
              Prints one line per query to the log, with the log timestamp and
              IP address, name, type and class.  Default is no.  Note that it
              takes time to print these lines which makes the server
              (significantly) slower.  Odd (nonprintable) characters in names
              are printed as '?'.
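
An added example, not part of the original posts or of Unbound itself: once log-queries is enabled, the per-query lines can be turned into a per-client summary for review or forwarding. The sample lines are constructed, and the line layout (bracketed epoch timestamp, process tag, "info:", then client IP, name, type, class) is an assumption based on the option description quoted above; the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines. Assumed layout: "[epoch] unbound[pid:thread] info:"
# followed by client IP, query name, type and class, as the option text describes.
SAMPLE_LOG = """\
[1509485001] unbound[4120:0] info: start of service (unbound 1.6.6).
[1509485002] unbound[4120:0] info: 192.168.1.23 www.example.com. A IN
[1509485003] unbound[4120:1] info: 192.168.1.23 www.example.com. AAAA IN
[1509485004] unbound[4120:0] info: fd00::15 mail.example.org. MX IN
[1509485005] unbound[4120:0] info: 192.168.1.40 updates.example.net. A IN
[1509485006] unbound[4120:1] info: 192.168.1.23 cdn.example.com. A IN
"""

LINE_RE = re.compile(r"^\[(?P<ts>\d+)\]\s+\S+\s+info:\s+(?P<rest>.+)$")


def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qtype, qclass), or None if not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split()
    if len(fields) != 4:
        return None  # some other info message (startup, shutdown, ...)
    client, qname, qtype, qclass = fields
    try:
        client_ip = ipaddress.ip_address(client)  # accepts IPv4 and IPv6
    except ValueError:
        return None  # first field is not an address, so not a query line
    return int(m.group("ts")), str(client_ip), qname.lower(), qtype, qclass


def queries_by_client(log_text):
    """Map each client IP to a Counter of (qname, qtype) pairs it asked for."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed:
            _, client, qname, qtype, _ = parsed
            per_client[client][(qname, qtype)] += 1
    return dict(per_client)


if __name__ == "__main__":
    for client, counts in sorted(queries_by_client(SAMPLE_LOG).items()):
        print(client, sum(counts.values()), "queries")
        for (qname, qtype), n in counts.most_common():
            print(f"    {n:3d}  {qtype:5s} {qname}")
```

If Unbound logs through syslog instead of its own logfile, the line prefix differs and LINE_RE has to be adjusted to match it.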
Title: Re: logs with client IPs in Unbound
Post by: bartjsmit on October 31, 2017, 10:23:03 pm
If you have an explicit rule for TCP/UDP 53 then all DNS requests from your network will end up in the firewall logs, complete with source IP. This will have a 1:1 relationship to the requests to unbound.

Bart...