RE: DNS traffic accounting

2017-07-19 Thread Maile Halatuituia
Not sure it would help, but I have a current project where I send bind raw data 
using packetbeat to an elk stack, allowing me to see what individual users look up 
at any given time and also how many …

Thank You Once Again.
ICT Team.

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bob 
Harold
Sent: Thursday, 20 July 2017 2:27 a.m.
To: Abi Askushi
Cc: bind-users@lists.isc.org
Subject: Re: DNS traffic accounting


On Wed, Jul 19, 2017 at 6:20 AM, Abi Askushi wrote:

I enabled logging for the queries and am getting now queries from clients in 
the below form:

19-Jul-2017 10:11:29.310 client 192.168.200.102#27975: view auth: query: 
mobile.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:29.794 client 192.168.200.102#32874: view auth: query: 
static.adman.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:31.564 client 192.168.200.102#36746: view auth: query: 
android.clients.google.com IN A + 
(192.168.200.1)
19-Jul-2017 10:11:32.721 client 192.168.200.102#60248: view auth: query: 
mobilefeed.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:39.440 client 192.168.200.102#53832: view auth: query: 
stats.g.doubleclick.net IN A + (192.168.200.1)
19-Jul-2017 10:11:44.523 client 192.168.200.102#22693: view auth: query: 
mqtt-mini.facebook.com IN A + (192.168.200.1)
19-Jul-2017 10:11:51.429 client 192.168.200.102#37734: view auth: query: 
www.googleapis.com IN A + (192.168.200.1)
19-Jul-2017 10:11:55.603 client 192.168.200.102#62531: view auth: query: 
clients3.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.352 client 192.168.200.102#11788: view auth: query: 
clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.353 client 192.168.200.102#19409: view auth: query: 
clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:12:06.365 client 192.168.200.102#51726: view auth: query: 
graph.instagram.com IN A + (192.168.200.1)
I could count the queries by parsing the logs though this seems to be somehow 
inefficient.
Is there any way that bind9 could be queried otherwise to provide such info?

Read up on the statistics channel in the BIND manual.

--
Bob Harold


Many thanx,
Abi

On Wed, Jul 19, 2017 at 12:04 AM, Abi Askushi wrote:
This could do.
I just have to get those counters.

Thanx,
Abi

On Jul 18, 2017 18:37, "Matthew Seaman" wrote:
On 07/18/17 16:09, Abi Askushi wrote:
> I am trying to figure out how could I account the DNS traffic generated
> from clients in terms of bytes. My setup is a simple caching DNS with
> several clients querying the DNS server.  I can measure the DNS traffic
> that is generated from the DNS server on the WAN side by using some
> monitoring tool (pmacct) but I am not sure how could I account this traffic
> to the clients that are generating this traffic. By simply monitoring the
> internal DNS traffic from clients I expect to not be accurate since it will
> include also cached responses which do not generate WAN traffic.
>
> Any suggestion how to approach this problem?
The implication of what you're suggesting is that if client A looks up
some address that isn't in the cache, then they will be charged for
that. However, if client B then comes along and looks up the exact same
address shortly afterwards, they'll get a response from cache and so not
be charged.  That seems a bit arbitrary.

Why not charge your clients based simply on the number of queries they
make against your resolver?  You know or can easily find out how many
queries your resolver is handling in total and how much the WAN traffic
that generates is costing you so it should be fairly easy to come up
with a charging scheme based on the average cost per DNS query.

Cheers,

Matthew



Confidentiality Notice: This email (including any attachment) is intended for 
internal use only. Any unauthorized use, dissemination or copying of the 
content is prohibited. If you are not the intended recipient and have received 
this e-mail in error, please notify the sender by email and delete this email 
and any attachment.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users 

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tom Browder
On Wed, Jul 19, 2017 at 9:34 AM, John Miller wrote:
> In some cases, running BIND on a web server is exactly what you'd want
> to be doing anyway for its caching function.  If you're doing reverse
...
> Of course, you don't have to use BIND to get the benefits of a caching
> NS, but if you need to run BIND anyway

I meant to say I intend to run as an authoritative DNS server for my
personal domains.

I assume Reindl's answer is still valid.

BTW, anything special I need for the bind service file?

Thanks, John

-Tom


Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread John Miller
In some cases, running BIND on a web server is exactly what you'd want
to be doing anyway for its caching function.  If you're doing reverse
lookups of IPs or something like that for your Apache logs (I'd
recommend against that, BTW), then you'll save yourself a whole lot of
DNS traffic by running a caching nameserver on the same machine as
Apache.

For a mail server, this is an even better idea: mail servers almost
always do reverse lookups on IP addresses to see if the PTR record
matches what the sender provides in their EHLO.  If you have 20k
e-mails coming from Gmail, for example, no sense in doing the DNS
lookup 20k times.

Of course, you don't have to use BIND to get the benefits of a caching
NS, but if you need to run BIND anyway

John

On Wed, Jul 19, 2017 at 6:37 AM, Tom Browder wrote:
> I want to host my own DNS servers, but I need the master to share Bind with
> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
>
> Is there any reason that is not possible?
>
> If not, are there any problems or configuration issues I will need to
> address?
>
> Thanks.
>
> With warmest regards,
>
> -Tom
>



-- 
John Miller
Systems Engineer
Brandeis University
johnm...@brandeis.edu
(781) 736-4619


Re: DNS traffic accounting

2017-07-19 Thread Bob Harold
On Wed, Jul 19, 2017 at 6:20 AM, Abi Askushi 
wrote:

>
> I enabled logging for the queries and am getting now queries from clients
> in the below form:
>
> 19-Jul-2017 10:11:29.310 client 192.168.200.102#27975: view auth: query:
> mobile.in.gr IN A + (192.168.200.1)
> 19-Jul-2017 10:11:29.794 client 192.168.200.102#32874: view auth: query:
> static.adman.gr IN A + (192.168.200.1)
> 19-Jul-2017 10:11:31.564 client 192.168.200.102#36746: view auth: query:
> android.clients.google.com IN A + (192.168.200.1)
> 19-Jul-2017 10:11:32.721 client 192.168.200.102#60248: view auth: query:
> mobilefeed.in.gr IN A + (192.168.200.1)
> 19-Jul-2017 10:11:39.440 client 192.168.200.102#53832: view auth: query:
> stats.g.doubleclick.net IN A + (192.168.200.1)
> 19-Jul-2017 10:11:44.523 client 192.168.200.102#22693: view auth: query:
> mqtt-mini.facebook.com IN A + (192.168.200.1)
> 19-Jul-2017 10:11:51.429 client 192.168.200.102#37734: view auth: query:
> www.googleapis.com IN A + (192.168.200.1)
> 19-Jul-2017 10:11:55.603 client 192.168.200.102#62531: view auth: query:
> clients3.google.com IN A + (192.168.200.1)
> 19-Jul-2017 10:11:57.352 client 192.168.200.102#11788: view auth: query:
> clients4.google.com IN A + (192.168.200.1)
> 19-Jul-2017 10:11:57.353 client 192.168.200.102#19409: view auth: query:
> clients4.google.com IN A + (192.168.200.1)
> 19-Jul-2017 10:12:06.365 client 192.168.200.102#51726: view auth: query:
> graph.instagram.com IN A + (192.168.200.1)
>
> I could count the queries by parsing the logs though this seems to be
> somehow inefficient.
> Is there any way that bind9 could be queried otherwise to provide such
> info?
>
>
Read up on the statistics channel in the BIND manual.

-- 
Bob Harold



> Many thanx,
> Abi
>
> On Wed, Jul 19, 2017 at 12:04 AM, Abi Askushi 
> wrote:
>
>> This could do.
>> I just have to get those counters.
>>
>> Thanx,
>> Abi
>>
>> On Jul 18, 2017 18:37, "Matthew Seaman" 
>> wrote:
>>
>> On 07/18/17 16:09, Abi Askushi wrote:
>> > I am trying to figure out how could I account the DNS traffic generated
>> > from clients in terms of bytes. My setup is a simple caching DNS with
>> > several clients querying the DNS server.  I can measure the DNS traffic
>> > that is generated from the DNS server on the WAN side by using some
>> > monitoring tool (pmacct) but I am not sure how could I account this
>> traffic
>> > to the clients that are generating this traffic. By simply monitoring
>> the
>> > internal DNS traffic from clients I expect to not be accurate since it
>> will
>> > include also cached responses which do not generate WAN traffic.
>> >
>> > Any suggestion how to approach this problem?
>>
>> The implication of what you're suggesting is that if client A looks up
>> some address that isn't in the cache, then they will be charged for
>> that. However, if client B then comes along and looks up the exact same
>> address shortly afterwards, they'll get a response from cache and so not
>> be charged.  That seems a bit arbitrary.
>>
>> Why not charge your clients based simply on the number of queries they
>> make against your resolver?  You know or can easily find out how many
>> queries your resolver is handling in total and how much the WAN traffic
>> that generates is costing you so it should be fairly easy to come up
>> with a charging scheme based on the average cost per DNS query.
>>
>> Cheers,
>>
>> Matthew
>>
>>

Re: header intact

2017-07-19 Thread Alan Clegg
But body missing.

On 7/19/17 4:30 AM, Moosa Karimulla Shaik wrote:
> 
> 
> -- 
> 
> Thanks
> 
> Moosa Karimulla Shaik.
> Cont: +91-9642451252
> 
> 




BIND and Windows DNS logging and archiving

2017-07-19 Thread Mick Lee
Hi All,

I wonder if I could get some advice and guidance based on everyone's
experience.

I have a mix of pre-compiled versions of BIND on Linux (can't change or
re-compile, I'm afraid) and Windows DNS, and I have a need to log DNS
queries from about 100 or so of these types of servers, to identify queries
to specific domains, and to be able to go back through and search for
queries to domains which we now know to be bad.

I am currently using query logging on Linux, and Syslog to move the data
around, and simple regex matching to look for domains, but I need to get
the data from Windows servers and the current tooling is not
performant/scalable.

I could just enable Windows DNS logging and try to get the files from the
servers somehow, but from what I remember there are issues around log file
rotation and the potential for data loss there.  One of my colleagues
suggested sending the DNS queries to the Windows event log, but I am not
sure I can even do that, and I am worried about the impact too - there are
approx. 10,000 DNS qps across all servers in total.

Should I be looking at some off-the-shelf software (although I don't have
a lot of budget), what would even do this, or is there some open source
tool that would do the job (I have some scripting ability) - I'm quite open
to any ideas?

Any advice or guidance anyone can offer would be greatly appreciated.

(I know each environment is different, so apologies if I have left any
important detail out, please point this out if so and I will try to fill in
the gaps)

Many Thanks

Mick

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Ray Bellis
On 19/07/2017 11:53, Tony Finch wrote:

> It's how we did things in the 1990s :-)

Yup - in '96 I was running the entire set of customer-facing services
for a newly-formed ISP on a single Alpha workstation :)

Ray




Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Reindl Harald



On 19.07.2017 at 12:53, Tony Finch wrote:
> Tom Browder wrote:
>
>> I want to host my own DNS servers, but I need the master to share Bind with
>> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
>
> It's how we did things in the 1990s :-)

and thanks to systemd we can do that these days too, with better security :-)

[root@rh:~]$ cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=Apache Webserver
After=network.service systemd-networkd.service network-online.target mysqld.service


[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/httpd
Environment="PATH=/usr/bin:/usr/sbin"
ExecStart=/usr/sbin/httpd $OPTIONS -D FOREGROUND
ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
Restart=always
RestartSec=1
UMask=006
TasksMax=1024

PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID

RestrictAddressFamilies=AF_INET AF_INET6 AF_LOCAL AF_UNIX
RestrictRealtime=yes
SystemCallArchitectures=x86-64
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @swap acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages open_by_handle_at perf_event_open pivot_root process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon umount2 uselib vmsplice


ReadOnlyDirectories=/
ReadWriteDirectories=-/run
ReadWriteDirectories=-/tmp
ReadWriteDirectories=-/Volumes/dune/modsec-upload
ReadWriteDirectories=-/Volumes/dune/tmp
ReadWriteDirectories=-/Volumes/dune/www-servers
ReadWriteDirectories=-/data/www
ReadWriteDirectories=-/mnt/data/www
ReadWriteDirectories=-/data/xdebug
ReadWriteDirectories=-/mnt/data/xdebug
ReadWriteDirectories=-/var/cache/mailgraph
ReadWriteDirectories=-/var/lib/smokeping
ReadWriteDirectories=-/var/log
ReadWriteDirectories=-/var/www/sessiondata
ReadWriteDirectories=-/var/www/sessiondata-phpmyadmin
ReadWriteDirectories=-/var/www/uploadtemp
ReadWriteDirectories=-/var/www/uploadtemp-phpmyadmin


Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tony Finch
Tom Browder wrote:

> I want to host my own DNS servers, but I need the master to share Bind with
> other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.

It's how we did things in the 1990s :-)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
South Biscay: Southwesterly 5 or 6, veering northwesterly 4 or 5. Moderate.
Showers. Good.


Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tom Browder
On Wed, Jul 19, 2017 at 05:42 Reindl Harald wrote:

> On 19.07.2017 at 12:37, Tom Browder wrote:
> > I want to host my own DNS servers, but I need the master to share Bind
> > with other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.



> besides the typical security considerations (what if your webserver gets
> compromised, since it's the greatest attack vector) - no - named doesn't
> even know that there are other services, nor is it relevant from the
> outside - DNS is just port 53 UDP/TCP and that's it


Thank you, Reindl.

Best regards,

-Tom

Re: Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Reindl Harald



On 19.07.2017 at 12:37, Tom Browder wrote:
> I want to host my own DNS servers, but I need the master to share Bind 
> with other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.
>
> Is there any reason that is not possible?
>
> If not, are there any problems or configuration issues I will need to 
> address?

besides the typical security considerations (what if your webserver gets 
compromised, since it's the greatest attack vector) - no - named doesn't 
even know that there are other services, nor is it relevant from the 
outside - DNS is just port 53 UDP/TCP and that's it


written from a development machine running named with several 
mysqld instances, webservers, virtual machines and a ton of other 
network services, from routing to firewalls up to two hostapd instances to 
provide WLAN for smartphones



Bind DNS servers: can they coexist with httpd and mail servers?

2017-07-19 Thread Tom Browder
I want to host my own DNS servers, but I need the master to share Bind with
other services, specifically Apache 2.4, Postfix 3.3, and Mailman 3.

Is there any reason that is not possible?

If not, are there any problems or configuration issues I will need to
address?

Thanks.

With warmest regards,

-Tom

Re: DNS traffic accounting

2017-07-19 Thread Abi Askushi
I enabled logging for the queries and am getting now queries from clients
in the below form:

19-Jul-2017 10:11:29.310 client 192.168.200.102#27975: view auth: query:
mobile.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:29.794 client 192.168.200.102#32874: view auth: query:
static.adman.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:31.564 client 192.168.200.102#36746: view auth: query:
android.clients.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:32.721 client 192.168.200.102#60248: view auth: query:
mobilefeed.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:39.440 client 192.168.200.102#53832: view auth: query:
stats.g.doubleclick.net IN A + (192.168.200.1)
19-Jul-2017 10:11:44.523 client 192.168.200.102#22693: view auth: query:
mqtt-mini.facebook.com IN A + (192.168.200.1)
19-Jul-2017 10:11:51.429 client 192.168.200.102#37734: view auth: query:
www.googleapis.com IN A + (192.168.200.1)
19-Jul-2017 10:11:55.603 client 192.168.200.102#62531: view auth: query:
clients3.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.352 client 192.168.200.102#11788: view auth: query:
clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.353 client 192.168.200.102#19409: view auth: query:
clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:12:06.365 client 192.168.200.102#51726: view auth: query:
graph.instagram.com IN A + (192.168.200.1)

I could count the queries by parsing the logs though this seems to be
somehow inefficient.
Is there any way that bind9 could be queried otherwise to provide such info?

Many thanx,
Abi

On Wed, Jul 19, 2017 at 12:04 AM, Abi Askushi 
wrote:

> This could do.
> I just have to get those counters.
>
> Thanx,
> Abi
>
> On Jul 18, 2017 18:37, "Matthew Seaman" 
> wrote:
>
> On 07/18/17 16:09, Abi Askushi wrote:
> > I am trying to figure out how could I account the DNS traffic generated
> > from clients in terms of bytes. My setup is a simple caching DNS with
> > several clients querying the DNS server.  I can measure the DNS traffic
> > that is generated from the DNS server on the WAN side by using some
> > monitoring tool (pmacct) but I am not sure how could I account this
> traffic
> > to the clients that are generating this traffic. By simply monitoring the
> > internal DNS traffic from clients I expect to not be accurate since it
> will
> > include also cached responses which do not generate WAN traffic.
> >
> > Any suggestion how to approach this problem?
>
> The implication of what you're suggesting is that if client A looks up
> some address that isn't in the cache, then they will be charged for
> that. However, if client B then comes along and looks up the exact same
> address shortly afterwards, they'll get a response from cache and so not
> be charged.  That seems a bit arbitrary.
>
> Why not charge your clients based simply on the number of queries they
> make against your resolver?  You know or can easily find out how many
> queries your resolver is handling in total and how much the WAN traffic
> that generates is costing you so it should be fairly easy to come up
> with a charging scheme based on the average cost per DNS query.
>
> Cheers,
>
> Matthew
>
>
>
>
>
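As an added example (not code from the list or from ISC), a small Python parser for the query-log format Abi quoted above: it counts queries per client, which is all Matthew's average-cost-per-query charging needs, and it also does the lookup against domains "which we now know to be bad" that Mick Lee asks about in the "BIND and Windows DNS logging and archiving" thread, by walking label suffixes into a set instead of regex matching. The regex, the second client 192.168.200.103, the reserved "bad.example" blocklist entry and the cost split are assumptions constructed for the example.

```python
# Added example, not code from the thread: parse BIND 9 query-log lines,
# count queries per client, and flag lookups under known-bad domains.
import re
from collections import Counter

# Matches the query-log shape quoted in the thread. Constructed here; the exact
# format depends on BIND version and logging options, so adjust if yours differs.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+: "
    r"(?:view (?P<view>\S+): )?query: (?P<qname>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[0-9A-Fa-f.:]+)\)$"
)

# Constructed sample: four lines from the thread plus one invented line from a
# second client querying a name under the RFC 2606 reserved domain "bad.example".
SAMPLE_LOG = """\
19-Jul-2017 10:11:29.310 client 192.168.200.102#27975: view auth: query: mobile.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:29.794 client 192.168.200.102#32874: view auth: query: static.adman.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:31.564 client 192.168.200.102#36746: view auth: query: android.clients.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.352 client 192.168.200.102#11788: view auth: query: clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:12:10.001 client 192.168.200.103#40112: view auth: query: beacon.bad.example IN A + (192.168.200.1)
"""

def parse_query_line(line):
    """Fields of one query-log line as a dict, or None if the line does not match."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None

def normalize(name):
    """Lowercase and drop the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return name.lower().rstrip(".")

def count_by_client(log_text):
    """Queries per client address: the per-query accounting Matthew suggested."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec:
            counts[rec["client"]] += 1
    return counts

def flag_bad_domains(log_text, bad_domains):
    """(ts, client, qname, matched_domain) for each query whose name is, or sits
    under, a domain in bad_domains: one set lookup per label, no growing regex."""
    bad = {normalize(d) for d in bad_domains}
    hits = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if not rec:
            continue
        labels = normalize(rec["qname"]).split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in bad:
                hits.append((rec["ts"], rec["client"], rec["qname"], suffix))
                break
    return hits

def apportion_cost(counts, total_cost):
    """Split a total WAN cost across clients in proportion to their query counts
    (Matthew's average-cost-per-query scheme), rounded to two decimals."""
    total = sum(counts.values())
    if total == 0:
        return {}
    return {c: round(total_cost * n / total, 2) for c, n in counts.items()}

if __name__ == "__main__":
    print(count_by_client(SAMPLE_LOG), flag_bad_domains(SAMPLE_LOG, {"bad.example"}))
```

Feed it the rotated query-log files (or the syslog-forwarded copies) instead of SAMPLE_LOG; lines that do not match the pattern, such as other log categories, are skipped rather than miscounted.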

header intact

2017-07-19 Thread Moosa Karimulla Shaik
-- 

Thanks

Moosa Karimulla Shaik.
Cont: +91-9642451252