Closed helixzz closed 1 year ago
Thanks for reporting that. It should work; I will check whether I can reproduce it on my side.
After some checks, this is the expected behavior given your config. GeoIP lookup cannot be performed because:
- the source IP is missing in FORWARDER_QUERY messages (unbound does not send this information)
- for CLIENT_QUERY, the source IP is an IP address located in a private network
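The two conditions listed above, written as a pre-check in Go. This is an added example, not go-dns-collector's own code: the `Message` type and both function names are hypothetical, and the sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Message is a hypothetical, simplified view of one dnstap event.
type Message struct {
	Operation string   // e.g. CLIENT_QUERY, FORWARDER_QUERY
	QueryIP   string   // source address; empty when the sender omits it
	Answers   []string // A/AAAA rdata taken from the response
}

// geoSkipReason returns "" when addr can be resolved in a public GeoIP
// database, otherwise the reason a lookup would return nothing.
func geoSkipReason(addr string) string {
	if addr == "" {
		return "missing"
	}
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return "unparsable"
	}
	if ip = ip.Unmap(); ip.IsPrivate() {
		return "private"
	}
	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
		return "non-routable"
	}
	return ""
}

// geoCandidates lists the addresses in m worth sending to a GeoIP lookup.
func geoCandidates(m Message) []string {
	var out []string
	for _, a := range append([]string{m.QueryIP}, m.Answers...) {
		if geoSkipReason(a) == "" {
			out = append(out, a)
		}
	}
	return out
}

func main() {
	// Constructed sample: private client address, public answer address.
	m := Message{Operation: "CLIENT_RESPONSE", QueryIP: "10.0.0.5", Answers: []string{"8.8.8.8"}}
	fmt.Println(m.Operation, geoSkipReason(m.QueryIP), geoCandidates(m))
}
```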
Thank you very much! My log output pasted above may not be a good example. My initial purpose was not only to add GeoIP information for client IPs, but also (more importantly) for the targets (e.g. answered IPs in A/AAAA records) of the queries. This is for statistical needs, to check where the domains (sites) that users access are located. Is this possible?
Yes it's possible.
You can add the resolved IP in JSON mode (`resource-records` item) or in text mode with the directive `answer`.
https://github.com/dmachard/go-dns-collector/blob/main/example-config/use-case-3.yml
Hi everyone.
I'm using the latest release version 0.25.0-beta1 (from GitHub releases) along with Unbound 1.13.1 (from Ubuntu APT), acting as a forwarder and cacher for our team. I'm using fluentd as the output pipe and doing some sort of field hacks (that's another story), and eventually putting all DNS logs into an elasticsearch instance.
In short, the problem occurs as I'm planning to add GeoIP statistics for our DNS logs. I'm using mmdb files from the GeoLite repository, and the startup logs of go-dns-collector show that the GeoIP databases seem to be loaded correctly. However, I can't find any recognized ASNs, country codes, or cities in the output stream, no matter whether I'm using text output or fluentd output.
Here is my go-dns-collector configuration.
Here's my Unbound configuration related to DNSTAP:
Here are the startup logs of go-dns-collector.
Well, here's some text output of actual DNSTAP messages being parsed.
Interestingly, from the output I noticed that neither an "AA" nor an "answer" field has been displayed. So what field does dnstap-collector take to resolve GeoIP information? Is this a problem with Unbound?