Logging source port and Query-ID

W.C.A. Wijngaards wouter at nlnetlabs.nl
Fri Sep 16 18:27:56 UTC 2016


Hi Lorenzo,

Use log-queries: yes, and with the patch below it then looks like this
in the log:

info: e96a ::1@57367 www.nlnetlabs.nl. A IN


Index: daemon/worker.c
===================================================================
--- daemon/worker.c	(revision 3862)
+++ daemon/worker.c	(working copy)
@@ -857,8 +857,11 @@
 	}
 	if(worker->env.cfg->log_queries) {
 		char ip[128];
+		char extended[256];
+		uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
 		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
-		log_nametypeclass(0, ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
+		snprintf(extended, sizeof(extended), "%4.4x %s@%d",
(unsigned)LDNS_ID_WIRE(sldns_buffer_begin(c->buffer)), ip, (int)port);
+		log_nametypeclass(0, extended, qinfo.qname, qinfo.qtype, qinfo.qclass);
 	}
 	if(qinfo.qtype == LDNS_RR_TYPE_AXFR ||
 		qinfo.qtype == LDNS_RR_TYPE_IXFR) {
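
Review bot: the added `uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);` line reads the port through a `struct sockaddr_in*` cast without checking the address family, while the sample log line in this message shows an IPv6 client (::1). That only gives the right value because sin_port and sin6_port happen to sit at the same offset on common platforms. Check the family of `repinfo->addr` first and read `sin6_port` through a `struct sockaddr_in6*` for AF_INET6, with the existing cast kept for AF_INET. A smaller style point in the `snprintf` call: the ID is printed as `%4.4x` with an `(unsigned)` cast, but the port goes through `%d` with `(int)port`; `%u` with an unsigned cast would be consistent and matches the type of the value.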


Best regards, Wouter

On 16/09/16 09:32, Lorenzo Mainardi via Unbound-users wrote:
> Hello to all,
> 
> how can I log source port and Query-ID?
> 
> It would be perfect to have it to detect some kind of attacks.
> 
> Regards
> 
> Ing. Lorenzo Mainardi