Getting RPZ statistics

2012-12-07 Thread Howard, Christopher Bryan
I recently (as of 2 days ago) enabled RPZ on all of my name servers.  I 
currently use "rndc stats", perl, and SNMP to make certain global stats 
available to our network monitoring system to make charts (number of queries 
across all views and such).  I'd like to do the same for just the RPZ zone so I 
can get an idea of how many queries are getting handled by RPZ itself.

I added "zone-statistics yes;" to the RPZ zone, and the statistics file showed 
the header for that zone, but then there were no stats there.  I enabled the 
zone-statistics for a "regular" zone and it provided stats as expected.  Here's 
what my stats file looks like with zone-statistics enabled in the RPZ zone and 
one other zone for comparison.

++ Per Zone Query Statistics ++
[utc.edu (view: view1)]
  3 queries resulted in successful answer
  9 queries resulted in authoritative answer
  2 queries resulted in nxrrset
  4 queries resulted in NXDOMAIN
[rpz (view: view2)]
[rpz (view: view1)]

My assumption is that since the RPZ zone is "special" it therefore can't keep 
track of stats.  Is this the case or am I overlooking something obvious?

I guess I could CNAME all the RPZ records to a single host in a separate domain 
and then do zone-statistics on that one zone, but that's kinda dirty.

-Christopher

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Getting RPZ statistics

2012-12-07 Thread Vernon Schryver
> From: "Howard, Christopher Bryan" 

> I recently (as of 2 days ago) enabled RPZ on all of my name servers.  I currently
> use "rndc stats", perl, and SNMP to make certain global stats available to our
> network monitoring system to make charts (number of queries across all views and
> such).  I'd like to do the same for just the RPZ zone so I can get an idea of how
> many queries are getting handled by RPZ itself.

In a useless sense probably not intended, the number of queries
handled by RPZ is the same as the number of queries handled by
the normal zones in the views with "response-policy{}" statements,
because all queries are tested against the policy zones.

The short answer to the likely intended question is that there are
no RPZ specific statistics.  One might want the number of responses
rewritten according to each policy zone, but those statistics don't
exist.  I agree that the idea is worth thinking about.

Recent versions of the BIND9 RPZ code have improved logging.  On DNS
servers that are not too busy, it might be possible to synthesize
useful RPZ statistics with awk/perl/whatever applied to the RPZ log
category.


Vernon Schryver    v...@rhyolite.com


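Vernon's suggestion above, carried through as an added example (not code from the thread; Christopher uses perl, Python is used here so it can be checked): a parser for BIND's "rpz" logging category that synthesizes the statistics named doesn't exist, i.e. rewrites per policy zone, per action, per client and per rewritten name. The line shape assumed is the "client A.B.C.D#port (qname): rpz TRIGGER ACTION rewrite NAME via RECORD" message that BIND 9.9-era servers log; the older form without "(qname)" is accepted too. The policy zone is recovered from the "via" record name, which is the policy record (qname.zone, *.suffix.zone, or data.rpz-ip.zone and friends). All sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Shape of the lines BIND's "rpz" logging category emits, roughly:
#   client A.B.C.D#port (qname): rpz TRIGGER ACTION rewrite NAME via POLICY-RECORD
# Older builds omit the "(qname)" part and newer ones add a "@0x..." client
# pointer, so both are optional here.
RPZ_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+"
    r"(?: \((?P<qname>[^)]*)\))?: rpz (?P<trigger>[A-Z-]+) (?P<action>[A-Za-z-]+) "
    r"rewrite (?P<name>\S+) via (?P<record>\S+)"
)

# Labels that sit between the trigger data and the zone name for non-QNAME triggers.
TRIGGER_LABELS = ("rpz-ip", "rpz-nsdname", "rpz-nsip", "rpz-client-ip")


def policy_zone(trigger, name, record):
    """Recover the policy zone from the 'via' record name.

    QNAME records are <qname>.<zone> or *.<suffix>.<zone>; the other triggers
    are <data>.rpz-<trigger>.<zone>.
    """
    rec = record.rstrip(".").lower()
    nm = name.rstrip(".").lower()
    if trigger == "QNAME":
        if rec.startswith(nm + "."):
            return rec[len(nm) + 1:]
        if rec.startswith("*."):
            rec_labels = rec.split(".")[1:]
            nm_labels = nm.split(".")
            # The wildcard absorbed leading labels of the qname; what is left of
            # the record is a suffix of the qname followed by the zone name.
            for k in range(len(nm_labels), 0, -1):
                if rec_labels[:k] == nm_labels[-k:]:
                    return ".".join(rec_labels[k:])
        return "unknown"
    for label in TRIGGER_LABELS:
        marker = "." + label + "."
        if marker in rec:
            return rec.split(marker, 1)[1]
    return "unknown"


def rpz_stats(lines):
    """Count rewrites per policy zone, action, client and name over log lines."""
    stats = {
        "rewrites": 0,
        "unparsed": 0,  # lines that are not rpz rewrite messages
        "by_zone": Counter(),
        "by_action": Counter(),
        "by_client": Counter(),
        "by_name": Counter(),
    }
    for line in lines:
        m = RPZ_RE.search(line)
        if not m:
            stats["unparsed"] += 1
            continue
        stats["rewrites"] += 1
        stats["by_zone"][policy_zone(m["trigger"], m["name"], m["record"])] += 1
        stats["by_action"][m["action"]] += 1
        stats["by_client"][m["client"]] += 1
        stats["by_name"][m["name"].rstrip(".").lower()] += 1
    return stats


def top_clients(stats, n=10):
    """Clients with the most rewritten answers: the machines most worth a look."""
    return stats["by_client"].most_common(n)


# Constructed sample lines for this example; they follow the format above but
# were not taken from a real server.
SAMPLE_LOG = """\
07-Dec-2012 10:15:01.123 rpz: info: client 192.0.2.10#53437 (www.badsite.example): rpz QNAME NXDOMAIN rewrite www.badsite.example via www.badsite.example.block.rpz.example
07-Dec-2012 10:15:02.456 rpz: info: client 192.0.2.10#53440 (cdn.badsite.example): rpz QNAME NXDOMAIN rewrite cdn.badsite.example via *.badsite.example.block.rpz.example
07-Dec-2012 10:15:03.789 rpz: info: client 192.0.2.25#40001 (tracker.example): rpz QNAME CNAME rewrite tracker.example via tracker.example.block.rpz.example
07-Dec-2012 10:15:04.000 rpz: info: client 192.0.2.30#40002 (host.example.net): rpz IP NXDOMAIN rewrite host.example.net via 32.8.7.6.5.rpz-ip.block.rpz.example
07-Dec-2012 10:15:05.000 rpz: info: client 192.0.2.10#53441: rpz QNAME PASSTHRU rewrite allowed.example via allowed.example.allow.rpz.example
07-Dec-2012 10:15:06.000 queries: info: client 192.0.2.40#40003 (www.isc.org): query: www.isc.org IN A + (192.0.2.1)
"""

if __name__ == "__main__":
    s = rpz_stats(SAMPLE_LOG.splitlines())
    print(s["rewrites"], "rewrites,", s["unparsed"], "other lines")
    for zone, n in s["by_zone"].most_common():
        print(f"  {zone}: {n}")
    print("top clients:", top_clients(s, 3))
```

To feed a monitoring system, run rpz_stats over the rotated rpz log file (or a tail since the last poll) and export the counters the way "rndc stats" output is exported today. Note that PASSTHRU rewrites are counted as rewrites: they are policy hits even though the client got the normal answer, so subtract them if the chart is meant to show blocked queries only.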
Re: Getting RPZ statistics

2012-12-07 Thread John Hascall

We point our DNS-RPZ records at a server ("here-be-dragons")
that records connections at that point.  Also the webserver
listening there sends back either an image or javascript+html
which explains to the user the reason they are not seeing the
webpage they expect.

The web server gives us a convenient way to gather statistics
on which client machines are attempting to access which
"bad hosts".

One of the stats we generate each night is the ten machines
which accessed the here-be-dragons server the most, which we
send to the help desk so they can let the person know their
machine is probably infected with malware.

John
---
John Hascall, j...@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology


Re: Getting RPZ statistics

2012-12-08 Thread Phil Mayers
We do much the same.

If you have a pointer to the technique you're using to distinguish images and 
serve up replies, I'd be interested to see it.

John Hascall  wrote:

>
>We point our DNS-RPZ records at a server ("here-be-dragons")
>that records connections at that point.  Also the webserver
>listening there sends back either an image or javascript+html
>which explains to the user the reason they are not seeing the
>webpage they expect.
>

-- 
Sent from my mobile device, please excuse brevity and typos.


Re: Getting RPZ statistics

2012-12-08 Thread John Hascall


> If you have a pointer to the technique you're using to
> distinguish images and serve up replies, i'd be interested to see it.

   I'll be the first to admit it's not perfect, but even if we send
   the wrong content, it's better than what they would have gotten! :)

   First we just look at the suffix on the requested filename
   (is it something obvious like .gif or .html or so on).

   Then we look at if there was an accepts header sent, is
   it something like: text/html, text/css, text/javascript, etc.

   If you can't figure it out, one option is to just send
   back a "403 Forbidden".

   One bit I think a little bit clever is I figured out how to
   make one file be legal html and legal javascript so if I'm
   not sure which it might be it doesn't matter.  Now, if I
   could just encode a legal image in it too! :)

John


> John Hascall  wrote:
> 
> >
> >We point our DNS-RPZ records at a server ("here-be-dragons")
> >that records connections at that point.  Also the webserver
> >listening there sends back either an image or javascript+html
> >which explains to the user the reason they are not seeing the
> >webpage they expect.
> >
> 
> -- 
> Sent from my mobile device, please excuse brevity and typos.
> 

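One way to build the "here-be-dragons" sinkhole John describes in his two messages, as an added example (Python, written for this page; it is not John's or Iowa State's code, and the names and the wording of the block page are assumptions): decide by filename suffix first, then by the Accept header, fall back to 403 when neither helps, and for the html-or-javascript ambiguity serve one body that parses as both. The polyglot relies on the HTML-like comment rule for classic scripts (Annex B of ECMAScript): a line starting with "<!--" is a JavaScript line comment, while to an HTML parser it opens a comment that the "-->" on the last line closes. Each hit is recorded as (client, requested host, path) so the nightly top-N report can be produced from the same data.

```python
import os
from collections import Counter, defaultdict
from urllib.parse import urlsplit

IMAGE_EXT = {".gif", ".png", ".jpg", ".jpeg", ".ico", ".bmp", ".webp"}

# A valid 1x1 transparent GIF89a, built from its sections so it can be checked by eye.
PIXEL_GIF = (
    b"GIF89a"                                    # header
    b"\x01\x00\x01\x00"                          # logical screen 1x1
    b"\x80\x00\x00"                              # global colour table, 2 entries
    b"\x00\x00\x00\xff\xff\xff"                  # palette: black, white
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"          # graphic control: index 0 transparent
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"  # image descriptor
    b"\x02\x02\x44\x01\x00"                      # LZW min code size 2, one data block
    b"\x3b"                                      # trailer
)

# Kept on one line on purpose: the polyglot hides it behind a JS line comment.
BLOCK_PAGE = ("<!DOCTYPE html><html><body><p>This site is blocked by your DNS resolver's "
              "response policy. Contact the help desk if you think this is a mistake.</p></body></html>")
BLOCK_SCRIPT = "if (document.body) { document.body.innerHTML = '<p>Blocked by DNS policy.</p>'; }"

# One body that is both a classic script and an HTML document:
#   JS:   line 1 is an HTML-like comment, line 2 runs, line 3 is a // comment.
#   HTML: "<!--" opens a comment that "-->" on line 3 closes; the page follows.
POLYGLOT = "<!--\n" + BLOCK_SCRIPT + "\n//-->" + BLOCK_PAGE


def accepts(accept, prefix):
    """True if any media range in an Accept header starts with prefix (params ignored)."""
    for part in accept.split(","):
        if part.split(";", 1)[0].strip().lower().startswith(prefix):
            return True
    return False


def respond(path, accept=""):
    """Pick (status, content_type, body) for a request that landed on the sinkhole."""
    ext = os.path.splitext(urlsplit(path).path)[1].lower()
    if ext in IMAGE_EXT:                       # 1. an obvious suffix decides
        return 200, "image/gif", PIXEL_GIF
    if ext in (".html", ".htm"):
        return 200, "text/html", BLOCK_PAGE.encode()
    if ext == ".js":
        return 200, "text/javascript", BLOCK_SCRIPT.encode()
    if ext == ".css":
        return 200, "text/css", b""
    if accepts(accept, "text/html"):           # 2. otherwise the Accept header
        return 200, "text/html", BLOCK_PAGE.encode()
    if accepts(accept, "image/"):
        return 200, "image/gif", PIXEL_GIF
    if accepts(accept, "text/javascript") or accepts(accept, "application/javascript"):
        return 200, "text/javascript", BLOCK_SCRIPT.encode()
    if accepts(accept, "text/css"):
        return 200, "text/css", b""
    if not accept.strip() or accepts(accept, "*/*"):  # 3. page or <script src>? serve both
        return 200, "text/html", POLYGLOT.encode()
    return 403, "text/plain", b"Forbidden\n"   # 4. cannot tell


def record_hit(hits, client, host, path):
    hits.append((client, host.lower(), path))


def nightly_report(hits, n=10):
    """The n clients with the most hits, each with the 'bad hosts' they asked for."""
    per_client = Counter(c for c, _, _ in hits)
    hosts = defaultdict(set)
    for c, h, _ in hits:
        hosts[c].add(h)
    return [(c, count, sorted(hosts[c])) for c, count in per_client.most_common(n)]


def make_app(hits):
    """WSGI application: answer the request and record who asked for what."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if environ.get("QUERY_STRING"):
            path += "?" + environ["QUERY_STRING"]
        status, ctype, body = respond(path, environ.get("HTTP_ACCEPT", ""))
        record_hit(hits, environ.get("REMOTE_ADDR", "?"), environ.get("HTTP_HOST", "?"), path)
        # no-store so every retry reaches the sinkhole and shows up in the report
        start_response(f"{status} {'OK' if status == 200 else 'Forbidden'}",
                       [("Content-Type", ctype), ("Content-Length", str(len(body))),
                        ("Cache-Control", "no-store")])
        return [body]
    return app


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    hits = []
    make_server("0.0.0.0", 8080, make_app(hits)).serve_forever()  # port assumed
```

The polyglot goes out as text/html; browsers run a classic script regardless of that type as long as no X-Content-Type-Options: nosniff header is present, which the sinkhole deliberately does not send. Requests arriving over HTTPS will still fail certificate validation, so this only informs users of the plain-HTTP hosts; the DNS rewrite itself does the blocking either way.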