Use Loki to query top requested domains

[scottmuc]

As part of implementing #76 I was able to get a better idea of the shape and volume of my DNS traffic.

Stats for the last 24hrs

Here's my dnsmasq

And for unbound

Noteworthy Observations

• 14k DNS queries with 11.5k of them being cache misses
• 11.6k are refused response (the response I have configured for my ad-blocking records)
• 6.8k are for HTTPS records, something that's pretty darn new.
• Not 100% sure how to explain the differences in the counts between unbound and dnsmasq.

Todo

• [x] Install loki and add top domains to the dashboard
• [x] Answer the question "which host on my network is making the most DNS queries?"
• [x] Answer the question "what are the top 5 refused DNS queries?"

[scottmuc]

Loki and Promtail installed

The above commits gets me at least this far.

promtail

loki

Not sure how to see fail2ban results from this. Guessing I might need to do some more configuration.

[scottmuc]

Switching DNS frontends

The above commit makes unbound be the first hop for a DNS query. With this configuration it has 3 things it can do with the request (in order of likelihood):

• Perform a full recursive lookup of the query
• Check if it's in the blocklist and return REFUSED
• Check if it's in middle-earth.internal. and forward it to dnsmasq running on port 5353

Now I can see which hosts performed certain queries (this is my Ripe Atlas device):

[1720504961] unbound[269366:0] query: 192.168.2.16 topOLogY6.DyndNs.AtLaS.Ripe.NEt. AAAA IN
[1720504961] unbound[269366:0] reply: 192.168.2.16 topOLogY6.DyndNs.AtLaS.Ripe.NEt. AAAA IN NOERROR 0.045840 0 77

In my dnsmasq logs, I can see that hosts are appending the search domain if the initial query is refused:

2024-07-09T06:36:57.547949+01:00 pippin dnsmasq[269326]: query[A] region1.app-measurement.com.middle-earth.internal from 192.168.2.10
2024-07-09T06:36:57.548913+01:00 pippin dnsmasq[269326]: config region1.app-measurement.com.middle-earth.internal is NXDOMAIN

I can also see what HTTPS requests are looking like (this would happen when I connect to grafana):

2024-07-09T07:05:00.952685+01:00 pippin dnsmasq[269326]: query[HTTPS] _3000._https.pippin.middle-earth.internal from 192.168.2.10
2024-07-09T07:05:00.954117+01:00 pippin dnsmasq[269326]: config _3000._https.pippin.middle-earth.internal is NXDOMAIN
2024-07-09T07:05:00.954774+01:00 pippin dnsmasq[269326]: query[A] pippin.middle-earth.internal from 192.168.2.10
2024-07-09T07:05:00.955408+01:00 pippin dnsmasq[269326]: /etc/hosts pippin.middle-earth.internal is 192.168.2.10

Lastly, the dashboard reveals that dnsmasq doesn't count queries it doesn't forward:

[scottmuc]

First Loki Data in Dashboard

Can't say I full understand what I'm doing but I can take a line in /var/log/unbound/unbound.log that looks like:

[1720637568] unbound[269366:0] reply: 192.168.2.197 ocsp.r2m01.amazontrust.com. HTTPS IN NOERROR 0.034493 0 125

and parse it with:

{dns="reply"} | pattern `<_> <_> <_> <client> <domain> <type> <_> <_> <lookup_time> <cache> <_> `

I can see that the above is powered by the following in my promtail/config.yml

https://github.com/scottmuc/infrastructure/blob/b9b2802aff16960bedb528bbb47faee2f0a72e7c/devices/pippin/root/etc/promtail/config.yml#L25-L29

Now I think I can start thinking about what types of information I want to know from the logs. First ones that come to mind:

• Which hosts on my network make the most dns queries?
• What's the top 10 most requested DNS query?

I don't need a running log of requests like I've pasted above, but it was enough to learn a little bit how the whole system comes together.

[scottmuc]

Success!

Turned out this required more learning how to configure grafana visualizations. Still... I can answer the questions I posed to myself as tasks. With the screenshot below you can answer the following:

• Which host on my network is making the most dns queries?
• What are the most blocked queries?

[scottmuc]

Summary

The dashboard still needs work, but very pleased that I have a facility to inquire more about my DNS traffic. It shows that I have a lot to learn about grafana visualizations. Setting up the log collection, ingestion into loki, and requesting from grafana was the easier part.

Some interesting observations:

• If I ever want to ditch my self-hosted DNS, quad9 seems like an interesting alternative.
• dig TXT o-o.myaddr.l.google.com +short returns your LAN external IP address (and that my Ripe Atlas was querying this).
• PocketCasts and Youtube Music make an order of magnitude more queries (that get refused) more than regular day-to-day driving.
• reinforcement that the Internet is a noisy/messy/chaotic place... and I love it.
• I ought to backup my dashboard JSON files.
• Add things like fail2ban and other /var/log files would be fun... same for nginx logs.
• Performance is a metric that I haven't bothered to look at. Everything seems fast enough so I'm going to remove it from the dashboard.
• Both dnsmasq and unbound are wonderfully flexible. Super easy to configure to alternative configurations.