DNS traffic accounting

DNS traffic accounting

Abi Askushi
Hi all,

I am trying to figure out how I could account for the DNS traffic generated from clients in terms of bytes. My setup is a simple caching DNS with several clients querying the DNS server. I can measure the DNS traffic that is generated from the DNS server on the WAN side by using some monitoring tool (pmacct), but I am not sure how I could account this traffic to the clients that are generating it. I expect that simply monitoring the internal DNS traffic from clients would not be accurate, since it will also include cached responses, which do not generate WAN traffic.

Any suggestion how to approach this problem?

Many thanx,
Abi

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: DNS traffic accounting

Matus UHLAR - fantomas
On 18.07.17 18:09, Abi Askushi wrote:
>I am trying to figure out how could I account the DNS traffic generated
>from clients in terms of bytes. My setup is a simple caching DNS with
>several clients querying the DNS server.  I can measure the DNS traffic
>that is generated from the DNS server on the WAN side by using some
>monitoring tool (pmacct) but I am not sure how could I account this traffic
>to the clients that are generating this traffic. By simply monitoring the
>internal DNS traffic from clients I expect to not be accurate since it will
>include also cached responses which do not generate WAN traffic.

well, caching makes your benefit, doesn't it?

>Any suggestion how to approach this problem?

...don't?

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: DNS traffic accounting

Matthew Seaman
In reply to this post by Abi Askushi
On 07/18/17 16:09, Abi Askushi wrote:

> I am trying to figure out how could I account the DNS traffic generated
> from clients in terms of bytes. My setup is a simple caching DNS with
> several clients querying the DNS server.  I can measure the DNS traffic
> that is generated from the DNS server on the WAN side by using some
> monitoring tool (pmacct) but I am not sure how could I account this traffic
> to the clients that are generating this traffic. By simply monitoring the
> internal DNS traffic from clients I expect to not be accurate since it will
> include also cached responses which do not generate WAN traffic.
>
> Any suggestion how to approach this problem?
The implication of what you're suggesting is that if client A looks up
some address that isn't in the cache, then they will be charged for
that. However, if client B then comes along and looks up the exact same
address shortly afterwards, they'll get a response from cache and so not
be charged.  That seems a bit arbitrary.

Why not charge your clients based simply on the number of queries they
make against your resolver?  You know or can easily find out how many
queries your resolver is handling in total and how much the WAN traffic
that generates is costing you so it should be fairly easy to come up
with a charging scheme based on the average cost per DNS query.

        Cheers,

        Matthew



Re: DNS traffic accounting

Bind-Users forum mailing list
In reply to this post by Abi Askushi
On 07/18/2017 09:09 AM, Abi Askushi wrote:
> I am trying to figure out how could I account the DNS traffic generated
> from clients in terms of bytes. My setup is a simple caching DNS with
> several clients querying the DNS server.  I can measure the DNS traffic
> that is generated from the DNS server on the WAN side by using some
> monitoring tool (pmacct) but I am not sure how could I account this
> traffic to the clients that are generating this traffic. By simply
> monitoring the internal DNS traffic from clients I expect to not be
> accurate since it will include also cached responses which do not
> generate WAN traffic.

I'm going to assume that you are doing this for some academic purpose
and not going to try to bill based on numbers of queries.  (Others have
commented more about the impracticality of this.)

> Any suggestion how to approach this problem?

I would be tempted to see if named's query log would cover what you
want.  I've not used it before and have no idea if it's granular enough
for what you want.

Barring that, I'd be inclined to try IPTables rules to record the bytes
that each client has sent to / from the DNS server.

If you absolutely need to correlate client queries to outbound server
queries, I think you're probably going to need to capture the traffic
and then do some sort of post capture processing to correlate it.  -  I
know that you can get tcpdump to do this.  You might be able to get
IPTables to copy the traffic and send it to user-space for capture ~>
post processing.

Finally, this seems strange enough (in my opinion) that I'll ask
what the motivation is for this request.  I'm wondering if there is a
different way to accomplish the goal without needing to capture this detail.



--
Grant. . . .
unix || die



Re: DNS traffic accounting

Abi Askushi
In reply to this post by Matthew Seaman
This could do.
I just have to get those counters.

Thanx,
Abi


Re: DNS traffic accounting

Abi Askushi

I enabled logging for the queries and am getting now queries from clients in the below form:

19-Jul-2017 10:11:29.310 client 192.168.200.102#27975: view auth: query: mobile.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:29.794 client 192.168.200.102#32874: view auth: query: static.adman.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:31.564 client 192.168.200.102#36746: view auth: query: android.clients.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:32.721 client 192.168.200.102#60248: view auth: query: mobilefeed.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:39.440 client 192.168.200.102#53832: view auth: query: stats.g.doubleclick.net IN A + (192.168.200.1)
19-Jul-2017 10:11:44.523 client 192.168.200.102#22693: view auth: query: mqtt-mini.facebook.com IN A + (192.168.200.1)
19-Jul-2017 10:11:51.429 client 192.168.200.102#37734: view auth: query: www.googleapis.com IN A + (192.168.200.1)
19-Jul-2017 10:11:55.603 client 192.168.200.102#62531: view auth: query: clients3.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.352 client 192.168.200.102#11788: view auth: query: clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.353 client 192.168.200.102#19409: view auth: query: clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:12:06.365 client 192.168.200.102#51726: view auth: query: graph.instagram.com IN A + (192.168.200.1)

I could count the queries by parsing the logs, though this seems to be somehow inefficient.
Is there any way that bind9 could be queried otherwise to provide such info?

Many thanx,
Abi
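
Counting queries per client from log lines in the form posted above, then splitting a measured WAN DNS byte total in proportion to those counts (the average-cost-per-query scheme Matthew Seaman suggested earlier in the thread). This is an added Python example, not code from the thread; the WAN byte figure, the `.103` and `.104` clients and the `guest` view are constructed, while the `auth` view filter follows the posted log lines.

```python
import re
from collections import Counter

# Layout of the query-log lines posted in this thread. Some BIND 9 releases
# also log a client object address ("@0x...") and the query name in
# parentheses after the port; both are accepted as optional here.
QUERY_RE = re.compile(
    r"^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# The first five lines are taken from the thread; the last four are
# constructed for this example (second client, other view, non-query line).
SAMPLE_LOG = """\
19-Jul-2017 10:11:29.310 client 192.168.200.102#27975: view auth: query: mobile.in.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:29.794 client 192.168.200.102#32874: view auth: query: static.adman.gr IN A + (192.168.200.1)
19-Jul-2017 10:11:31.564 client 192.168.200.102#36746: view auth: query: android.clients.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.352 client 192.168.200.102#11788: view auth: query: clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:11:57.353 client 192.168.200.102#19409: view auth: query: clients4.google.com IN A + (192.168.200.1)
19-Jul-2017 10:12:01.100 client 192.168.200.103#40112: view auth: query: www.isc.org IN AAAA + (192.168.200.1)
19-Jul-2017 10:12:02.200 client 192.168.200.103#40113: view auth: query: www.isc.org IN A + (192.168.200.1)
19-Jul-2017 10:12:03.300 client 192.168.200.104#51000: view guest: query: example.com IN A + (192.168.200.1)
19-Jul-2017 10:12:04.000 zone example.com/IN: loaded serial 2017071901
"""


def parse_line(line):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def count_queries(lines, view=None):
    """Count queries per client IP, optionally restricted to one view.

    Returns (counts, unparsed). unparsed is the number of non-blank lines
    that did not look like a query, so a change in log format shows up
    as a number instead of silently lowering everyone's count.
    """
    counts, unparsed = Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif view is None or rec["view"] == view:
            counts[rec["ip"]] += 1
    return counts, unparsed


def apportion(counts, wan_bytes):
    """Split wan_bytes across clients in proportion to their query counts.

    Largest-remainder rounding keeps every share an integer while the
    shares still add up to wan_bytes exactly, so the per-client report
    tallies with the WAN-side total.
    """
    total = sum(counts.values())
    if total == 0:
        return {}
    shares = {ip: wan_bytes * n // total for ip, n in counts.items()}
    leftover = wan_bytes - sum(shares.values())
    # Hand the bytes lost to rounding down to the largest remainders first;
    # ties are broken by IP string so the result is deterministic.
    by_remainder = sorted(
        counts, key=lambda ip: (-(wan_bytes * counts[ip] % total), ip)
    )
    for ip in by_remainder[:leftover]:
        shares[ip] += 1
    return shares


if __name__ == "__main__":
    counts, unparsed = count_queries(SAMPLE_LOG.splitlines(), view="auth")
    wan_dns_bytes = 1000  # constructed; in the thread this figure comes from pmacct
    for ip, share in sorted(apportion(counts, wan_dns_bytes).items()):
        print(f"{ip}  queries={counts[ip]}  wan_bytes={share}")
    print(f"unparsed lines: {unparsed}")
```

Because the split is by query count, a client whose lookups are all cache hits is charged the same per query as one whose lookups all go upstream; the totals match the WAN report, the per-client figures are an average.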


Re: DNS traffic accounting

Bob Harold

On Wed, Jul 19, 2017 at 6:20 AM, Abi Askushi <[hidden email]> wrote:

> I could count the queries by parsing the logs, though this seems to be somehow inefficient.
> Is there any way that bind9 could be queried otherwise to provide such info?


Read up on the statistics channel in the BIND manual.

-- 
Bob Harold

 

RE: DNS traffic accounting

Maile Halatuituia

Not sure it would help, but I have a current project where I send BIND raw data using Packetbeat to an ELK stack, allowing me to see what an individual user looks up at any given time and also how many …

 

Thank You Once Again.

ICT Team.

 


Confidentiality Notice: This email (including any attachment) is intended for internal use only. Any unauthorized use, dissemination or copying of the content is prohibited. If you are not the intended recipient and have received this e-mail in error, please notify the sender by email and delete this email and any attachment.


RE: DNS traffic accounting

Abi Askushi
Interesting project the packetbeat.

I was wondering if bind9 can support TPROXY. This would facilitate my accounting, as then all WAN traffic would have the client IP as the source IP. (I have a similar configuration with squid where I was able to account the WAN traffic using this trick without having to deal with squid stats and cache.)



Re: DNS traffic accounting

Matus UHLAR - fantomas
On 22.07.17 21:51, Abi Askushi wrote:
>I was wondering if bind9 can support TPROXY. This would facilitate my
>accounting as then all WAN traffic would have the client IP as the source
>IP. ( I have a similar configuration with squid where I was able to account
>the WAN traffic using this trick without having to deal with squid stats
>and cache)

again: why don't you simply traffic between the bind server and clients?


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

Re: DNS traffic accounting

Abi Askushi
Because I would like to avoid counting traffic for cached responses. But this is also an option if all others are not easy.


Re: DNS traffic accounting

Matus UHLAR - fantomas
>> On 22.07.17 21:51, Abi Askushi wrote:
>>> I was wondering if bind9 can support TPROXY. This would facilitate my
>>> accounting as then all WAN traffic would have the client IP as the source
>>> IP. ( I have a similar configuration with squid where I was able to
>>> account
>>> the WAN traffic using this trick without having to deal with squid stats
>>> and cache)

>On Jul 23, 2017 16:19, "Matus UHLAR - fantomas" <[hidden email]> wrote:
>> again: why don't you simply traffic between the bind server and clients?

On 23.07.17 16:53, Abi Askushi wrote:
>Because i would like to avoid counting traffic for cached responses. But
>this is an option also if all other are not easy.

will you avoid billing user's traffic just because it was cached?  it's you
who cached it, not the user, you should benefit from that, not them.
(only by reducing costs and resulting lower prices)

this way your clients can pay less money for more traffic just because it
was in the cache already...

and you even spend your time and money to bill them less.

not mentioning that DNS is rarely relevant when counting network traffic.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".

Re: DNS traffic accounting

Abi Askushi
Hi Matus,

You have a point and it seems that I will do this in the end. I was just wondering if there is another approach from the technical standpoint. Currently I am not accounting DNS at all. It is provided for free. I am accounting all other traffic though (http, etc). Since every byte is important on my setup due to high satellite charges, I need to include DNS also. My only concern is that when providing daily traffic reports on the WAN side, which already include DNS traffic of the server, the DNS reported traffic will not tally with the total internal traffic when analyzed and accounted per client, which will include cache that does not consume WAN traffic. But I agree, since DNS is the minority of traffic, it seems not worthwhile tackling this as the discrepancy is not expected to be significant.

On Jul 23, 2017 17:20, "Matus UHLAR - fantomas" <[hidden email]> wrote:
On 22.07.17 21:51, Abi Askushi wrote:
I was wondering if bind9 can support TPROXY. This would facilate my
accounting as then all WAN traffic would have the client IP as the source
IP. ( I have a similar configuration with squid where I was able to
account
the WAN traffic using this trick without having to deal with squid stats
and cache)

On Jul 23, 2017 16:19, "Matus UHLAR - fantomas" <[hidden email]> wrote:
again: why don't you simply traffic between the bind server and clients?

On 23.07.17 16:53, Abi Askushi wrote:
Because i would like to avoid counting traffic for cached responses. But
this is an option also if all other are not easy.

will you avoid billing user's traffic just because it was cached?  it's you
who cached it, not the user, you should benefit from that, not them.
(only by reducing costs and resulting lower prices)

this way your clients can pay less money for more traffic just because it
was in the cache already...
and you even spend your time and money to bill them less.

not mentioning that DNS is rarely relevant when counting network traffic.



--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: DNS traffic accounting

Abi Askushi
In reply to this post by Bind-Users forum mailing list
Hi Grant,

Thanx for the reply. My intention is not academic but some business case. Let me try to describe it. I have some network appliance sitting on a remote end and using satellite for internet connectivity. The traffic accounting on the WAN is already implemented and DNS that is consumed from the appliance is reported also. What the end user pays at the end of the day is the volume consumed on the satellite, which is already accurately calculated as mentioned. The only issue is the DNS traffic. I cannot relate with the current setup which client did what DNS traffic. By client I mean a simple device in the internal network behind the appliance. DNS service is enabled to these client devices only when they login/authenticate with the appliance. As soon as they login, the respective IP becomes a member of a bind9 view that allows recursive queries. Queries from non-authenticated devices are simply refused. Thus I need to account only traffic from the authenticated view. It seems that putting an iptables rule on the fly as soon as one logs in can do what I need.

Thanx,
Abi
 

On Jul 18, 2017 20:43, "Grant Taylor via bind-users" <[hidden email]> wrote:
On 07/18/2017 09:09 AM, Abi Askushi wrote:
I am trying to figure out how could I account the DNS traffic generated from clients in terms of bytes. My setup is a simple caching DNS with several clients querying the DNS server.  I can measure the DNS traffic that is generated from the DNS server on the WAN side by using some monitoring tool (pmacct) but I am not sure how could I account this traffic to the clients that are generating this traffic. By simply monitoring the internal DNS traffic from clients I expect to not be accurate since it will include also cached responses which do not generate WAN traffic.

I'm going to assume that you are doing this for some academic purpose and not going to try to bill based on numbers of queries.  (Others have commented more about the impracticality of this.)

Any suggestion how to approach this problem?

I would be tempted to see if named's query log would cover what you want.  I've not used it before and have no idea if it's granular enough for what you want.

Barring that, I'd be inclined to try IPTables rules to record the bytes that each client has sent to / from the DNS server.

If you absolutely need to correlate client queries to outbound server queries, I think you're probably going to need to capture the traffic and then do some sort of post capture processing to correlate it.  -  I know that you can get tcpdump to do this.  You might be able to get IPTables to copy the traffic and send it to user-space for capture ~> post processing.

Finally, this seems strange enough (in my opinion) that I'll ask what the motivation is for this request.  I'm wondering if there is a different way to accomplish the goal without needing to capture this detail.



--
Grant. . . .
unix || die


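The iptables counters Grant suggests, combined with the login-time rule Abi settles on, could look like the sketch below. It is an added example, not code from anyone in the thread: the chain name DNS_ACCT and the 192.0.2.x addresses are assumptions, and the counter dump is constructed. The counters measure LAN-side DNS bytes per client, cache hits included, which is the discrepancy with the WAN figures discussed above.

```shell
#!/bin/sh
# Added example. DNS_ACCT and all addresses are assumptions, not from the thread.
CHAIN=DNS_ACCT

# One-time setup on the appliance (run as root), shown for reference:
#   iptables -N DNS_ACCT
#   iptables -I INPUT  -j DNS_ACCT   # client -> named
#   iptables -I OUTPUT -j DNS_ACCT   # named  -> client

# Print the commands for one client: $1 = client IP, $2 = A (login) or D (logout).
# The rules have no -j target, so they only count and never change the verdict.
acct_rules() {
    for proto in udp tcp; do
        echo "iptables -$2 $CHAIN -p $proto -s $1 --dport 53"
        echo "iptables -$2 $CHAIN -p $proto -d $1 --sport 53"
    done
}

# Constructed `iptables-save -c` output: [packets:bytes] precedes each rule.
sample_counters() {
    cat <<'EOF'
*filter
:DNS_ACCT - [0:0]
[12:804] -A DNS_ACCT -s 192.0.2.10/32 -p udp -m udp --dport 53
[12:2310] -A DNS_ACCT -d 192.0.2.10/32 -p udp -m udp --sport 53
[1:60] -A DNS_ACCT -s 192.0.2.10/32 -p tcp -m tcp --dport 53
[1:1500] -A DNS_ACCT -d 192.0.2.10/32 -p tcp -m tcp --sport 53
[3:201] -A DNS_ACCT -s 192.0.2.11/32 -p udp -m udp --dport 53
[3:480] -A DNS_ACCT -d 192.0.2.11/32 -p udp -m udp --sport 53
COMMIT
EOF
}

# Read `iptables-save -c` text on stdin; print "client query_bytes reply_bytes".
dns_bytes_per_client() {
    awk -v chain="$CHAIN" '
        $2 == "-A" && $3 == chain {
            split(substr($1, 2, length($1) - 2), c, ":")
            for (i = 4; i < NF; i++) {
                if ($i != "-s" && $i != "-d") continue
                ip = $(i + 1); sub(/\/32$/, "", ip); seen[ip] = 1
                if ($i == "-s") q[ip] += c[2]; else r[ip] += c[2]
            }
        }
        END { for (ip in seen) printf "%s %d %d\n", ip, q[ip], r[ip] }
    ' | sort
}

sample_counters | dns_bytes_per_client
```

On the appliance, the login hook would pipe `acct_rules <ip> A` to `sh`, the logout hook `acct_rules <ip> D`, and the daily report would feed real `iptables-save -c` output to `dns_bytes_per_client`.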