logs with client IPs in Unbound

Started by nycaleksey, October 31, 2017, 03:23:17 PM

Does anyone know if it is possible to have unbound log the client IP for every request it receives?

You can look at the firewall logs for incoming traffic on port 53. For further analysis (i.e. Splunk) you can forward your logs to an external server.

Bart...

Bart,

Yes, of course I can forward the logs if I have them. The problem is that Unbound does not seem to have an option to have the IP address of the client sending the query logged unless a very chatty debug is enabled.
I can probably have something analyze network traffic and keep a log of DNS queries from there, but to me a nameserver process seems like a much more appropriate source of this data.

Have you tried:

log-queries: <yes or no>
              Prints one line per query to the log, with the log timestamp and
              IP address, name, type and class.  Default is no.  Note that  it
              takes time to print these lines which makes the server (signifi-
              cantly) slower.  Odd  (nonprintable)  characters  in  names  are
              printed as '?'.
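
An added example, not part of the original thread: a small parser that pulls the client IP, name, type and class out of log-queries lines and counts queries per client. The line layout ("... info: <ip> <name> <type> <class>") is an assumption about how the log looks, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed shape of a log-queries line:
#   "<prefix> info: <client-ip> <name> <type> <class>"
# Everything before "info:" (timestamp, syslog prefix, pid:thread) is ignored.
QUERY_RE = re.compile(
    r"info: (?P<ip>[0-9A-Fa-f:.]+) (?P<name>\S+) "
    r"(?P<qtype>[A-Z0-9]+) (?P<qclass>[A-Z0-9]+)\s*$"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
[1509477797] unbound[2345:0] info: 192.0.2.10 www.example.com. A IN
[1509477798] unbound[2345:0] info: 192.0.2.10 www.example.com. AAAA IN
[1509477799] unbound[2345:1] info: 2001:db8::5 mail.example.org. MX IN
[1509477800] unbound[2345:0] info: start of service
[1509477801] unbound[2345:0] info: 192.0.2.77 ex?mple.net. TXT IN
"""


def parse_queries(text):
    """Yield (client_ip, name, qtype, qclass) for every query line in text."""
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue  # other info/notice lines are not queries
        try:
            # Reject tokens that only look like an address (e.g. "fade").
            client = str(ipaddress.ip_address(match.group("ip")))
        except ValueError:
            continue
        yield client, match.group("name"), match.group("qtype"), match.group("qclass")


def queries_per_client(text):
    """Return a Counter mapping client IP -> number of logged queries."""
    return Counter(client for client, _, _, _ in parse_queries(text))


if __name__ == "__main__":
    for client, count in queries_per_client(SAMPLE_LOG).most_common():
        print(f"{client}\t{count}")
```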

If you have an explicit rule for TCP/UDP 53 then all DNS requests from your network will end up in the firewall logs, complete with source IP. This will have a 1:1 relationship to the requests to unbound.

Bart...