From: "Brent Bice" <brent.bice@hpe.com>
To: bind-suggest@isc.org
Date: Mon, 23 Oct 2017 12:37:33 -0600
Subject: EDNS CSUBNET logging

Hey guys. I was checking out the CSUBNET option in EDNS0 options and thought "Aha! Just what I need to figure out what client IP hit one of my DNS filters". But I don't see any way to get named to log not just the client IP and the query, but also what CSUBNET shows up in the EDNS options. Is this possible?

Here's why I'm thinking this would be good. At my $DAYJOB I've set up filtering DNS proxies for the company to use but there's a bunch of departmental DNS servers too, whose logs I don't have access to (and they probably don't log queries anyway). So when I see a bunch of hits on the DNS filters (i.e., a bunch of pseudo-random hostnames used in some BOT C&C stuff) and I try to determine which client system is making the queries, sometimes the IP I see in the logs is some other departmental DNS server instead of the originating IP. I was thinking perhaps I could get that info from the CSUBNET part of the EDNS0 options fields. But I'm guessing they don't get logged anywhere?

Anyway, if it's not already a feature, it might be a useful feature to have.

Brent
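
An added example, not part of the original message and not BIND code: a parser that pulls the EDNS Client Subnet option (option code 8, RFC 7871) out of a raw DNS query so it can be logged next to the socket peer address. The sample packet, the peer address used with it and the log-line format are constructed for illustration.

```python
import ipaddress
import struct

OPT_RR_TYPE = 41       # EDNS0 OPT pseudo-record (RFC 6891)
ECS_OPTION_CODE = 8    # Client Subnet option (RFC 7871)
# Constructed sample: query for xkqzjw.example/A carrying ECS 192.0.2.0/24.
SAMPLE_QUERY = bytes.fromhex(
    "123401000001000000000001"           # header: QDCOUNT=1, ARCOUNT=1
    "06786b717a6a77" "076578616d706c65" "00" "00010001"  # question
    "00" "0029" "1000" "00000000" "000b"  # OPT RR, RDLENGTH=11
    "0008" "0007" "0001" "18" "00" "c00002")  # ECS: IPv4, /24, scope 0

def _read_name(msg, pos):
    """Return (name, offset after it); a compression pointer ends the name."""
    labels = []
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return ".".join(labels) or ".", pos + (2 if msg[pos] else 1)

def client_subnet(msg):
    """Return (qname, ECS network or None) for one raw DNS message."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    pos, qname = 12, None
    for _ in range(qd):
        name, pos = _read_name(msg, pos)
        qname, pos = qname or name, pos + 4       # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        _, pos = _read_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        off = 0
        while rtype == OPT_RR_TYPE and off + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, off)
            data, off = rdata[off + 4:off + 4 + olen], off + 4 + olen
            if code != ECS_OPTION_CODE or len(data) < 4:
                continue
            family, src_len, _scope = struct.unpack_from("!HBB", data, 0)
            size = {1: 4, 2: 16}.get(family)      # 1 = IPv4, 2 = IPv6
            if size is None or src_len > size * 8:
                return qname, None                # malformed or unknown family
            addr = ipaddress.ip_address(data[4:].ljust(size, b"\0")[:size])
            return qname, ipaddress.ip_network(f"{addr}/{src_len}", strict=False)
    return qname, None

def log_line(peer_ip, msg):
    """Hypothetical log format: socket peer, query name, ECS subnet."""
    qname, subnet = client_subnet(msg)
    return f"client {peer_ip} query {qname} ecs {'-' if subnet is None else subnet}"
```

The option identifies the originating client only when the intermediate resolver adds it to forwarded queries, and it carries a prefix rather than a full address.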