
We registered a domain name (say 'example.com') and what we want is to see who is trying to resolve the domain name and what kind of requests they send to the web server of that domain name.

For this purpose, we set up a name server and collect the logs of BIND to find out who is querying the name server to resolve 'example.com' (we don't care about the cases where people resolve the domain name from the cached data in the recursive resolvers). We also collect the logs of the Apache web server. But the problem is that we cannot find out which DNS request corresponds to which web-server request.

To map these two logs together, I was thinking of creating a random subdomain and returning it as the CNAME of example.com for each DNS request, and then configuring Apache to redirect all those subdomains to the 'example.com' main page. So if that specific subdomain is requested by somebody, I know what the corresponding DNS query is.

Is it the right way of doing this? Is there any other way to do that?

I appreciate any thought or ideas.

Alex

1 Answer


You cannot correlate on the IP address.

It is because your authoritative nameserver is queried by recursive nameservers, not by end clients directly. So you will get the IP address of the last recursive nameserver (they can be chained) used by the client.

Even with the EDNS Client Subnet option you will get at best a block of IPs, not the true client IP.

Same way, on the HTTP front, your webserver is not necessarily contacted by the client directly; they can go through a proxy.

I already replied to your other question tied to that one with some hints: Can we update CNAME per request? See especially the last paragraph and all studies done by Geoff Huston.

You have thus another way: just give everyone www.example.com but insert in the content some dynamic thing (either a 1x1 pixels image, or a link to a CSS or JS file), with some unique token in the hostname part. This can be tied on your nameservers with a wildcard. Without any CNAME you will then be able to easily correlate the access:

  • some client goes to http://www.example.com/
  • in the reply the webserver adds a <img src="https://eecahquai5thuu9ji0iepha.tracking.example.net"> and records that in its logfile (so this ties the unique token with the current HTTP exchange)
  • configure the authoritative nameservers of tracking.example.net (I recommend using a separate zone just for this, as otherwise wildcards can be full of surprises) to have a wildcard record; you will then have in your nameserver logfiles this unique token and the associated DNS data (IP of the recursive resolver, etc.)
  • (and to be a proper netizen) configure indeed a webserver replying on this address with a proper resource and content-type, even if it is only a 1x1 pixel transparent image.
Patrick Mevzek
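The correlation step the answer describes (join the webserver log and the BIND query log on the token embedded in the pixel hostname), as an added example that is not part of the original answer. It assumes a custom Apache LogFormat that appends `token=...` to each line, uses a constructed BIND 9 query-log layout, and all log lines below are constructed samples.

```python
import re

TRACKING_ZONE = "tracking.example.net"

# Constructed sample Apache lines. Assumed LogFormat (hypothetical env var holding the token):
#   LogFormat "%h %l %u %t \"%r\" %>s %b token=%{TRACK_TOKEN}e" tracked
APACHE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512 token=eecahquai5thuu9ji0iepha
198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 token=ohm1aigei7ohgh9aipaemoh
"""

# Constructed BIND 9 query-log style lines for the wildcard zone (resolver IP, not client IP).
BIND_LOG = """\
10-Oct-2023 13:55:37.120 queries: info: client @0x7f3c 192.0.2.10#53421 (eecahquai5thuu9ji0iepha.tracking.example.net): query: eecahquai5thuu9ji0iepha.tracking.example.net IN A +E(0) (203.0.113.5)
10-Oct-2023 13:55:37.410 queries: info: client @0x7f3d 192.0.2.11#40001 (eecahquai5thuu9ji0iepha.tracking.example.net): query: eecahquai5thuu9ji0iepha.tracking.example.net IN AAAA +E(0) (203.0.113.5)
10-Oct-2023 13:56:02.003 queries: info: client @0x7f3e 192.0.2.99#12345 (www.example.com): query: www.example.com IN A + (203.0.113.5)
"""

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d+ \S+ token=(\S+)$')
BIND_RE = re.compile(
    r'^(\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?(\S+)#\d+ \(([^)]+)\): query: \S+ IN (\S+)')

def token_from_qname(qname, zone=TRACKING_ZONE):
    """Return the single label left of the tracking zone, or None if the name is not ours."""
    qname = qname.rstrip(".").lower()
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    return labels[0] if len(labels) == 1 else None  # tokens are exactly one label

def correlate(apache_text, bind_text):
    """Map each token to the HTTP hit that issued it and the DNS queries it provoked."""
    joined = {}
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if m:
            client, when, token = m.groups()
            joined[token] = {"http_client": client, "http_time": when, "dns": []}
    for line in bind_text.splitlines():
        m = BIND_RE.match(line)
        if not m:
            continue
        when, resolver, qname, qtype = m.groups()
        token = token_from_qname(qname)
        if token in joined:  # None or an unknown token is not one of our pixels
            joined[token]["dns"].append({"resolver": resolver, "qtype": qtype, "time": when})
    return joined
```

A token with an empty `dns` list means the page was served but no resolver ever asked for the pixel name, which is exactly the "resolved from cache or image blocked" case the question wanted to separate out.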