Hi Brent

On Mon, Oct 23, 2017 at 06:37:51PM +0000, Brent Bice via RT wrote:
>     Hey guys. I was checking out the CSUBNET option in EDNS0 options and 
> thought "Aha! Just what I need to figure out what client IP hit one of 
> my DNS filters". But I don't see any way to get named to log not just 
> the client IP and the query, but also what CSUBNET shows up in the EDNS 
> options. Is this possible?
> 
> 
>     Here's why I'm thinking this would be good. At my $DAYJOB I've setup 
> filtering DNS proxies for the company to use but there's a bunch of 
> departmental DNS servers too, whose logs I don't have access to (and 
> they probably don't log queries anyway). So when I see a bunch of hits 
> on the DNS filters (ie, a bunch of pseudo-random hostnames used in some 
> BOT C&C stuff, and I try to determine which client system is making the 
> queries, sometimes the IP I see in the logs is some other departmental 
> DNS server instead of the originating IP. I was thinking perhaps I could 
> get that info from the CSUBNET part of the EDNS0 options fields. But I'm 
> guessing they don't get logged anywhere?
> 
>     Anyway, if it's not already a feature, it might be a useful feature 
> to have.

This was previously implemented in:

4566.   [func]          Query logging now includes the ECS option if one
                        was included in the query. [RT #44476]

You should be able to try this in the 9.12.0 beta (and future 9.12.0
stable release). It has not been backported to 9.11 and below as it
updates the query log message.

		Mukund