[dns-operations] [Ext] Nameserver responses from different IP than destination of request
Thomas Mieslinger
miesi at mail.com
Wed Sep 2 07:38:22 UTC 2020
On 9/1/20 9:15 PM, Andreas Ott wrote:
> On Mon, Aug 31, 2020 at 8:00 PM P Vixie <paul at redbarn.org> wrote:
> > [...] the observation that something bad is not happening to
> > somebody doesn't mean it's not happening to anybody.
>
> May I please ask an operational question to experts: though I am only
> running a small number of authoritative and recursive servers, I am
> coming up short looking up what logging I need to turn on in BIND 9.16
> and what logged strings I need to parse out to see responses coming from
> a different IP? I have various log channels enabled per the BIND logging
> "FAQ" but either I am missing config bits or the problem does not occur
> (on my servers). This is in a network lab setup and I am able to share data.
I don't think this is implemented in the way needed for this kind of
analysis in any recursive DNS software.
I have chosen to do dnscap on the interface with outgoing traffic and
may do correlation of requests/responses based on qname/qtype and look for
mismatches in dst ip/src ip afterwards.
Another option that comes to my mind is to tweak/reuse the collectd dns
plugin which also opens the packetflow on a configurable interface with
libpcap and may be able to do some online data correlation.
Just my 5¢
Thomas
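
The offline correlation described above, as an added example (not code from this post or from dnscap). It assumes the capture has already been decoded into per-packet fields; the `Pkt` record, the function name, the 5-second window and the sample addresses are constructed for illustration. It goes beyond qname/qtype by also keying on the resolver's source port and the DNS transaction ID, so unrelated lookups for the same name are not confused.

```python
from collections import namedtuple

# Fields assumed to be already decoded from a capture of the resolver's
# outgoing interface. qr is the DNS header QR bit: 0 = query, 1 = response.
Pkt = namedtuple("Pkt", "ts src sport dst dport txid qr qname qtype")

def find_offpath_responses(packets, window=5.0):
    """Return (query, response) pairs where the response arrived from an
    IP other than the one the query was sent to."""
    pending = {}  # correlation key -> outstanding queries
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        name = p.qname.lower().rstrip(".")  # DNS names compare case-insensitively
        if p.qr == 0:
            # Query: key on the resolver's own endpoint plus the question.
            key = (p.src, p.sport, p.txid, name, p.qtype)
            pending.setdefault(key, []).append(p)
            continue
        # Response: the resolver's endpoint is now the destination.
        key = (p.dst, p.dport, p.txid, name, p.qtype)
        queries = [q for q in pending.get(key, [])
                   if 0 <= p.ts - q.ts <= window]
        on_path = [q for q in queries if (q.dst, q.dport) == (p.src, p.sport)]
        if on_path:
            pending[key].remove(on_path[0])   # normal answer, retire the query
        elif queries:
            hits.append((queries[0], p))      # answered from a different address
    return hits

# Constructed sample using documentation address ranges (not real traffic).
SAMPLE = [
    Pkt(0.000, "192.0.2.10", 40001, "198.51.100.53", 53, 0x1A2B, 0, "example.com.", "A"),
    Pkt(0.020, "198.51.100.53", 53, "192.0.2.10", 40001, 0x1A2B, 1, "example.com.", "A"),
    Pkt(1.000, "192.0.2.10", 40002, "203.0.113.53", 53, 0x3C4D, 0, "Example.NET.", "MX"),
    Pkt(1.030, "203.0.113.54", 53, "192.0.2.10", 40002, 0x3C4D, 1, "example.net.", "MX"),
]

if __name__ == "__main__":
    for q, r in find_offpath_responses(SAMPLE):
        print(f"{q.qname} {q.qtype}: sent to {q.dst}, answered from {r.src}")
```

A query that produced a hit stays pending, so a later answer from the expected address is still matched normally.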