Hello to all,
how can I log the source port and query ID?
It would be perfect to have it, to detect some kinds of attacks.
Regards
digit el
Via della Fortezza 6 - 50129 Firenze
www.digitelitalia.com - 800 901 669
Ing. Lorenzo Mainardi
Tel +39 055 4624933
Fax +39 055 4624 947
lom@digitelitalia.com
Wouter
September 16, 2016, 6:27pm
2
Hi Lorenzo,
Use log-queries: yes, and with the patch below it then looks like this
in the log:
info: e96a ::1@57367 www.nlnetlabs.nl. A IN
Index: daemon/worker.c
hdais
September 17, 2016, 9:19am
3
The dnstap frame stream also contains the source port and the whole DNS
message, including the query ID.
$ dnstap-ldns -y -r /tmp/dnstap.out
type: MESSAGE
identity: "dns01"
version: "unbound 1.5.9"
message:
  type: CLIENT_QUERY
  query_time: !!timestamp 2016-09-17 07:45:35.903922
  socket_family: INET6
  socket_protocol: UDP
  query_address: ::1
  query_port: 49332
  query_message: |
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59383
    ;; flags: rd ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.google.com. IN A
    ;; EDNS: version 0; flags: ; udp: 4096
Unbound's dnstap feature works well (you will need to install some
not-so-common libraries to build it!), but it is not well documented; for
example, it is not described in unbound.conf(5).
Is it still an experimental feature?
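Both replies above show where the source port and query ID end up: Wouter's patched log-queries line carries them as "e96a ::1@57367", and the dnstap record carries query_port plus the id on the DNS header line. The Python below is an added example, not part of this thread and not Unbound's code. It parses both formats into one record type and runs a simple per-client check over the result, of the kind the original question hints at (clients that keep one source port or count their query IDs up by one). Assumptions: the log-line layout is inferred from the single sample line in Wouter's reply plus Unbound's usual "[epoch] unbound[pid:tid]" prefix; the dnstap text layout is inferred from the single record in hdais's reply; the sample inputs are constructed, not captured; the thresholds in low_entropy_clients are illustrative.

```python
"""Client source port and DNS query ID from the two Unbound record formats in this
thread, plus a per-client port/ID diversity check. Added example, not Unbound code."""
import re
from collections import defaultdict
from typing import NamedTuple

class Query(NamedTuple):
    addr: str    # client address
    port: int    # client source port
    txid: int    # DNS query (transaction) ID
    qname: str

# log-queries line from Wouter's reply: "info: e96a ::1@57367 www.nlnetlabs.nl. A IN".
# Assumed layout: 4 hex digits of query ID, address@port, qname, qtype, qclass, after
# Unbound's usual "[epoch] unbound[pid:tid] " prefix (hence search(), not match()).
LOG_RE = re.compile(r"info: (?P<id>[0-9a-fA-F]{4}) (?P<addr>\S+)@(?P<port>\d+) "
                    r"(?P<qname>\S+) \S+ \S+\s*$")

def parse_log_lines(lines):
    return [Query(m["addr"], int(m["port"]), int(m["id"], 16), m["qname"])
            for m in map(LOG_RE.search, lines) if m]

# dnstap-ldns -y dump from hdais's reply. Assumed: a record starts at "type: MESSAGE";
# only CLIENT_QUERY messages are kept, reading query_address, query_port, the "id:"
# on the ";; ->>HEADER<<-" line and the question name.
MSGTYPE = re.compile(r"^\s*type:\s*(\w+)\s*$")
FIELD = re.compile(r"^\s*(query_address|query_port):\s*(\S+)\s*$")
HEADER = re.compile(r";; ->>HEADER<<-.*\bid:\s*(\d+)")
QUESTION = re.compile(r"^\s*;(\S+)\s+IN\s+\S+\s*$")

def parse_dnstap_dump(text):
    found = []
    for block in re.split(r"^\s*type: MESSAGE\s*$", text, flags=re.M):
        msg_type = addr = port = txid = qname = None
        for line in block.splitlines():
            if m := MSGTYPE.match(line):
                msg_type = m.group(1)
            elif m := FIELD.match(line):
                if m.group(1) == "query_address":
                    addr = m.group(2)
                else:
                    port = int(m.group(2))
            elif m := HEADER.search(line):
                txid = int(m.group(1))
            elif m := QUESTION.match(line):
                qname = m.group(1)
        if msg_type == "CLIENT_QUERY" and None not in (addr, port, txid, qname):
            found.append(Query(addr, port, txid, qname))
    return found

def per_client(queries):
    """Per client address: query count, set of source ports, IDs in arrival order."""
    stats = defaultdict(lambda: {"queries": 0, "ports": set(), "ids": []})
    for q in queries:
        stats[q.addr]["queries"] += 1
        stats[q.addr]["ports"].add(q.port)
        stats[q.addr]["ids"].append(q.txid)
    return dict(stats)

def low_entropy_clients(stats, min_queries=3):
    """Clients with >= min_queries queries that reuse one source port or number their
    query IDs sequentially. Thresholds are illustrative, not Unbound's."""
    flagged = {}
    for addr, s in stats.items():
        if s["queries"] < min_queries:
            continue
        reasons = []
        if len(s["ports"]) == 1:
            reasons.append("single source port")
        ids = s["ids"]
        if len(ids) > 1 and all(b - a == 1 for a, b in zip(ids, ids[1:])):
            reasons.append("sequential query IDs")
        if reasons:
            flagged[addr] = reasons
    return flagged

# Constructed sample input, not captured traffic: 192.0.2.10 varies port and ID,
# 198.51.100.7 sends everything from port 53 with the ID incremented each time.
SAMPLE_LOG = [
    "[1474048000] unbound[2260:0] info: e96a ::1@57367 www.nlnetlabs.nl. A IN",
    "[1474048001] unbound[2260:0] info: 1f3c 192.0.2.10@40211 example.com. A IN",
    "[1474048001] unbound[2260:0] info: a7d0 192.0.2.10@51733 example.net. AAAA IN",
    "[1474048002] unbound[2260:0] info: 0b2e 192.0.2.10@33019 example.org. MX IN",
    "[1474048002] unbound[2260:0] info: 0001 198.51.100.7@53 bank.example. A IN",
    "[1474048002] unbound[2260:0] info: 0002 198.51.100.7@53 bank.example. A IN",
    "[1474048003] unbound[2260:0] info: 0003 198.51.100.7@53 bank.example. A IN",
]
SAMPLE_DNSTAP = """\
type: MESSAGE
identity: "dns01"
version: "unbound 1.5.9"
message:
  type: CLIENT_QUERY
  query_address: ::1
  query_port: 49332
  query_message: |
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59383
    ;; QUESTION SECTION:
    ;www.google.com. IN A
"""

def demo():
    return low_entropy_clients(per_client(parse_log_lines(SAMPLE_LOG) +
                                          parse_dnstap_dump(SAMPLE_DNSTAP)))
```

On the constructed input, demo() returns {'198.51.100.7': ['single source port', 'sequential query IDs']}; ::1 and 192.0.2.10 are not flagged. Feed parse_log_lines() real Unbound log lines, or parse_dnstap_dump() the text that dnstap-ldns -y prints, to run the same check on live data; the query ID from the log line is hex, the one from dnstap is decimal, and both are stored as an int.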