Report information
Id: 46379
Status: rejected
Priority: Low/Low
Owner: Nobody in particular
Dates
Created: Mon, 23 Oct 2017 14:37:51 -0400
Updated: Mon, 23 Oct 2017 18:44:08 -0400
Closed: Mon, 23 Oct 2017 18:44:08 -0400


To: bind-suggest@isc.org
Date: Mon, 23 Oct 2017 12:37:33 -0600
Subject: EDNS CSUBNET logging
From: "Brent Bice" <brent.bice@hpe.com>
   Hey guys. I was checking out the CSUBNET option in EDNS0 options and thought "Aha! Just what I need to figure out what client IP hit one of my DNS filters". But I don't see any way to get named to log not just the client IP and the query, but also what CSUBNET shows up in the EDNS options. Is this possible?

   Here's why I'm thinking this would be good. At my $DAYJOB I've set up filtering DNS proxies for the company to use, but there's a bunch of departmental DNS servers too, whose logs I don't have access to (and they probably don't log queries anyway). So when I see a bunch of hits on the DNS filters (i.e., a bunch of pseudo-random hostnames used in some BOT C&C stuff) and I try to determine which client system is making the queries, sometimes the IP I see in the logs is some other departmental DNS server instead of the originating IP. I was thinking perhaps I could get that info from the CSUBNET part of the EDNS0 options fields. But I'm guessing they don't get logged anywhere?

   Anyway, if it's not already a feature, it might be a useful feature to have.

Brent
To: "Brent Bice via RT" <bind9-public@isc.org>
From: "Mukund Sivaraman" <muks@isc.org>
Subject: Re: [ISC-Bugs #46379] EDNS CSUBNET logging
Date: Tue, 24 Oct 2017 01:34:52 +0530
Hi Brent

On Mon, Oct 23, 2017 at 06:37:51PM +0000, Brent Bice via RT wrote:
>    Hey guys. I was checking out the CSUBNET option in EDNS0 options and
> thought "Aha! Just what I need to figure out what client IP hit one of
> my DNS filters". But I don't see any way to get named to log not just
> the client IP and the query, but also what CSUBNET shows up in the EDNS
> options. Is this possible?
>
>    Here's why I'm thinking this would be good. At my $DAYJOB I've setup
> filtering DNS proxies for the company to use but there's a bunch of
> departmental DNS servers too, whose logs I don't have access to (and
> they probably don't log queries anyway). So when I see a bunch of hits
> on the DNS filters (ie, a bunch of pseudo-random hostnames used in some
> BOT C&C stuff, and I try to determine which client system is making the
> queries, sometimes the IP I see in the logs is some other departmental
> DNS server instead of the originating IP. I was thinking perhaps I could
> get that info from the CSUBNET part of the EDNS0 options fields. But I'm
> guessing they don't get logged anywhere?
>
>    Anyway, if it's not already a feature, it might be a useful feature
> to have.

This was previously implemented in:

4566.   [func]   Query logging now includes the ECS option if one
                 was included in the query. [RT #44476]

You should be able to try this in the 9.12.0 beta (and future 9.12.0 stable release). It has not been backported to 9.11 and below as it updates the query log message.

Mukund
Date: Mon, 23 Oct 2017 15:22:36 -0600
To: bind9-public@isc.org
Subject: Re: [ISC-Bugs #46379] EDNS CSUBNET logging
From: "Brent Bice" <brent.bice@hpe.com>
On 10/23/2017 02:05 PM, Mukund Sivaraman via RT wrote:
>
> This was previously implemented in:
>
> 4566.   [func]   Query logging now includes the ECS option if one
>                  was included in the query. [RT #44476]
>
> You should be able to try this in the 9.12.0 beta (and future 9.12.0
> stable release). It has not been backported to 9.11 and below as it
> updates the query log message.
>

   Thanks! I'll have to download 9.12.x and do some testing with it (if for no other reason than to update my syslog daemon's named parsing (grin)).

Brent
Hi Brent,

I am going to reject this as 'not a bug', but if you test it and find it doesn't work as expected or desired in 9.12, please just reply again and it will re-open the issue.

Vicky
To: "Brent Bice via RT" <bind9-public@isc.org>
Subject: Re: [ISC-Bugs #46379] EDNS CSUBNET logging
From: "Mukund Sivaraman" <muks@isc.org>
Date: Tue, 24 Oct 2017 03:34:54 +0530
Hi Brent

On Mon, Oct 23, 2017 at 09:23:32PM +0000, Brent Bice via RT wrote:
>    Thanks!  I'll have to download 9.12.x and do some testing with it
> (if for no other reason than to update my syslog daemon's named parsing
> (grin).

You can extract the code changes from here:

https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=aace5d0fb3dfa6cd249a3d2f64147ed15a36d70b

Mukund
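An added example, not code from this thread or from BIND: a small parser that pulls the client subnet out of 9.12-style query log lines and groups filter hits by the best origin the log offers, which is the kind of change a syslog consumer like the one Brent mentions would need. The line layout, the `[ECS address/source/scope]` suffix and the three sample log lines are constructed assumptions for this example, so check the regex against real named output before relying on it.

```python
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass
# Assumed BIND 9.12 query log shape (constructed for this example; verify against real named logs):
#   client @0x... <src>#<port> (<qname>): query: <name> <class> <type> <flags> (<dst>) [ECS <addr>/<source>/<scope>]
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]+\): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+) \((?P<dst>[^)]+)\)"
    r"(?: \[ECS (?P<ecs>[0-9a-fA-F.:]+)/(?P<plen>\d+)/(?P<scope>\d+)\])?$"
)

@dataclass
class QueryLogEntry:
    resolver: str   # address the query came from; may be an intermediate departmental DNS server
    qname: str
    ecs: ipaddress.IPv4Network | ipaddress.IPv6Network | None  # client subnet, if the resolver forwarded one
    scope: int | None  # scope prefix length carried in the option (0 = unspecified)

    def origin(self) -> str:
        # ECS is a prefix chosen by the forwarding resolver (typically /24 or /56), never a
        # single host; without it the only evidence is the resolver that sent the query.
        return f"ecs:{self.ecs}" if self.ecs is not None else f"resolver:{self.resolver}"

def parse_query_log(line: str) -> QueryLogEntry | None:
    """Parse one query log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ecs = scope = None
    if m.group("ecs"):
        ecs = ipaddress.ip_network(f"{m.group('ecs')}/{m.group('plen')}", strict=False)
        scope = int(m.group("scope"))
    return QueryLogEntry(m.group("src"), m.group("name"), ecs, scope)

def group_by_origin(log_text: str) -> dict[str, list[str]]:
    """Group queried names by the most specific origin the log offers (ECS subnet or resolver)."""
    groups: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        entry = parse_query_log(line)
        if entry is not None:
            groups.setdefault(entry.origin(), []).append(entry.qname)
    return groups

# Constructed sample: two filter hits forwarded by a departmental resolver with ECS, one query without it.
SAMPLE_LOG = """\
client @0x7f3c5c0a1b20 10.20.0.53#39712 (xk3q9z.example.net): query: xk3q9z.example.net IN A +E(0)K (10.20.0.1) [ECS 10.44.7.0/24/0]
client @0x7f3c5c0a1b20 10.20.0.53#39713 (p0q2w8.example.net): query: p0q2w8.example.net IN A +E(0)K (10.20.0.1) [ECS 10.44.7.0/24/0]
client @0x7f3c5c0a1c40 10.20.0.77#50211 (www.example.com): query: www.example.com IN AAAA +E(0) (10.20.0.1)
"""
```

Note that ECS yields only the prefix the forwarding resolver chose to disclose (typically /24 or /56 under RFC 7871), not the querying host, and it is absent entirely when the intermediate resolver does not send the option.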