From: "Mukund Sivaraman" <muks@isc.org>
To: "Brent Bice via RT"
Subject: Re: [ISC-Bugs #46379] EDNS CSUBNET logging
Date: Tue, 24 Oct 2017 01:34:52 +0530
Message-ID: <20171023200452.GA28822@jurassic.lan.banu.com>
References: <61fad2b6-b1c7-7f55-06d3-b0feda8c27fd@hpe.com>

Hi Brent

On Mon, Oct 23, 2017 at 06:37:51PM +0000, Brent Bice via RT wrote:
>    Hey guys. I was checking out the CSUBNET option in EDNS0 options and
> thought "Aha! Just what I need to figure out what client IP hit one of
> my DNS filters". But I don't see any way to get named to log not just
> the client IP and the query, but also what CSUBNET shows up in the EDNS
> options. Is this possible?
>
>    Here's why I'm thinking this would be good. At my $DAYJOB I've set up
> filtering DNS proxies for the company to use but there's a bunch of
> departmental DNS servers too, whose logs I don't have access to (and
> they probably don't log queries anyway). So when I see a bunch of hits
> on the DNS filters (i.e., a bunch of pseudo-random hostnames used in some
> BOT C&C stuff), and I try to determine which client system is making the
> queries, sometimes the IP I see in the logs is some other departmental
> DNS server instead of the originating IP. I was thinking perhaps I could
> get that info from the CSUBNET part of the EDNS0 options fields. But I'm
> guessing they don't get logged anywhere?
>
>    Anyway, if it's not already a feature, it might be a useful feature
> to have.

This was previously implemented in:

4566.   [func]          Query logging now includes the ECS option if
                        one was included in the query. [RT #44476]

You should be able to try this in the 9.12.0 beta (and future 9.12.0
stable release). It has not been backported to 9.11 and below as it
updates the query log message.

                Mukund
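As an added example (not part of this thread and not BIND's own code), here is a small decoder for the EDNS Client Subnet option as it arrives in a query's OPT record, which is the data the 9.12 query log now reports alongside the client address. It assumes the RFC 7871 wire format (option code 8; FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then an ADDRESS truncated to whole octets) and uses a constructed OPT RDATA sample; non-zero bits past the prefix are rejected, as RFC 7871 requires them to be zero.

```python
import ipaddress
import struct
from typing import Optional, Tuple, Union

ECS_OPTION_CODE = 8  # EDNS Client Subnet OPTION-CODE, RFC 7871
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def parse_ecs_option(option_data: bytes) -> Tuple[Network, int]:
    """Decode one ECS OPTION-DATA; return (client network, SCOPE PREFIX-LENGTH)."""
    if len(option_data) < 4:
        raise ValueError("ECS option shorter than its 4-byte fixed header")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", option_data[:4])
    if family == 1:
        addr_len, net_cls = 4, ipaddress.IPv4Network
    elif family == 2:
        addr_len, net_cls = 16, ipaddress.IPv6Network
    else:
        raise ValueError(f"unsupported address family {family}")
    if source_prefix > addr_len * 8:
        raise ValueError("SOURCE PREFIX-LENGTH exceeds the address size")
    addr = option_data[4:]
    expected = (source_prefix + 7) // 8  # ADDRESS is truncated to whole octets
    if len(addr) != expected:
        raise ValueError(f"expected {expected} address octets, got {len(addr)}")
    padded = addr + b"\x00" * (addr_len - expected)
    # strict=True rejects non-zero bits past the prefix, which RFC 7871 forbids.
    return net_cls((padded, source_prefix), strict=True), scope_prefix

def find_ecs(opt_rdata: bytes) -> Optional[Tuple[Network, int]]:
    """Walk the OPT RR RDATA (code, length, data triples) for an ECS option."""
    pos = 0
    while pos < len(opt_rdata):
        if pos + 4 > len(opt_rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", opt_rdata[pos:pos + 4])
        data = opt_rdata[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated EDNS option data")
        if code == ECS_OPTION_CODE:
            return parse_ecs_option(data)
        pos += 4 + length
    return None

# Constructed OPT RDATA: an empty NSID option (code 3), then an ECS option
# carrying 192.0.2.0/24 with SCOPE PREFIX-LENGTH 0, as a query would send it.
SAMPLE_OPT_RDATA = bytes.fromhex("00030000" "00080007" "0001" "18" "00" "c00002")
```

The SCOPE PREFIX-LENGTH is 0 in queries and only becomes meaningful in responses, so when correlating query logs the network (the first element of the returned tuple) is the field of interest.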