Discussion:
[Dnsmasq-discuss] Show host names in dnsmasq's log
Dominik Derigs, DL6ER
2018-02-04 17:15:48 UTC
Dear all,

I'm trying to show host names (rather than IP addresses, if available)
in dnsmasq's log for A and AAAA queries, as well as for the forward
destinations, i.e. I want to replace

Feb  4 18:02:22 dnsmasq[14001]: query[A] clients6.google.com from 10.8.0.2
Feb  4 18:02:22 dnsmasq[14001]: forwarded clients6.google.com to 2620:fe::fe

by

Feb  4 18:02:22 dnsmasq[14001]: query[A] clients6.google.com from android.lan
Feb  4 18:02:22 dnsmasq[14001]: forwarded clients6.google.com to dns.quad9.net

For doing this, I tried various attempts:

Firstly, I tried a simple approach using gethostbyaddr() to resolve the
IP addresses to host names. Unfortunately, it seems like gethostbyaddr()
cannot be used inside the DNS resolver process itself, as it always
immediately fails with Unknown host (error code 1) for everything (incl.
e.g. 127.0.0.1). I know that this would have some drawbacks (like
causing a PTR request on every logging), but I would have solved them
with various tricks like building my own lookup tables, etc. I tested my
code in a small standalone application and here name resolution works
perfectly.

Secondly, I built a wrapper around dnsmasq's routine
cache_find_by_addr() to query dnsmasq's log for the host name.
Obviously, this has two major drawbacks: This code is kind of cumbersome
(esp. for IPv6) as I first have to format the IPs in the format that is
expected by this routine and secondly that does, of course, only work
for entries that are already in the cache. If a cache entry for
dns.quad9.net is already present (since someone queried that manually),
then this works just fine. However, if nobody did that, then there will
also be no cache entry and there is no result.

My question is now: I would, of course, prefer to use the first version
( using gethostbyaddr() ) but that does not seem to work at all. I'm not
sure if it's maybe related to that a process cannot connect to its own
UDP socket or something, but I'd obviously prefer a rather simple
solution. Any suggestions are highly appreciated.

Best regards,
Dominik
Simon Kelley
2018-02-04 18:23:02 UTC
There are two fundamental problems with doing this.

1) The whole architecture of dnsmasq is predicated on not blocking
whilst processing a DNS query, except when it's been punted on to an
upstream nameserver. Doing the reverse-DNS lookup requires blocking.
This problem was solved for DNSSEC (which might have to block whilst
doing subsidiary DNS queries) but the solution is not general, and would
be hard to use. It's also only available when DNSSEC is compiled in and
activated.

2) The reverse DNS lookup, assuming you want the DNS to look the same as
the machine running dnsmasq sees, is eventually likely to end up back at
dnsmasq. In processing that query, dnsmasq may need to make another
query, and you could end up with, effectively, infinite recursion.


IMHO it's much better to adapt something like logresolve to
post-process the logs.


Cheers,

Simon.
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
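
A logresolve-style post-processor for the two log shapes quoted in this thread, added here as an example (it is not code from dnsmasq, logresolve, or anyone on the list). The function names are hypothetical, and the host-name filter is an added assumption: PTR data is set by whoever controls the reverse zone, so only plain host-name characters are allowed into the log.

```python
import ipaddress
import re
import socket
import sys

# The two log shapes quoted in this thread: "query[A] <name> from <ip>"
# and "forwarded <name> to <ip>". Everything before the address is kept.
LINE_RE = re.compile(
    r"^(?P<head>.*\b(?:query\[[A-Za-z0-9-]+\] \S+ from|forwarded \S+ to) )"
    r"(?P<addr>\S+)$")
# Assumption added for this example: reject PTR names containing anything
# but host-name characters (no spaces, newlines or terminal escapes).
HOST_RE = re.compile(r"[A-Za-z0-9._-]{1,253}")

def system_ptr(addr):
    """Blocking reverse lookup; acceptable here, outside the dnsmasq process."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:  # herror/gaierror: no PTR record or resolver failure
        return None

def make_resolver(lookup=system_ptr):
    """Wrap a lookup so each address is resolved once, failures included."""
    cache = {}
    def resolve(addr):
        if addr not in cache:
            cache[addr] = lookup(addr)
        return cache[addr]
    return resolve

def rewrite_line(line, resolve):
    """Return line with a trailing IP replaced by its name, else unchanged."""
    m = LINE_RE.match(line)
    if not m:
        return line
    try:
        ipaddress.ip_address(m.group("addr"))
    except ValueError:  # already a name, or not an address at all
        return line
    name = resolve(m.group("addr"))
    if not name or not HOST_RE.fullmatch(name):
        return line  # fall back to the raw address
    return m.group("head") + name

if __name__ == "__main__":
    resolve = make_resolver()
    for raw in sys.stdin:
        print(rewrite_line(raw.rstrip("\n"), resolve))
```

Run it as a filter with the dnsmasq log on stdin; lines it does not recognise, and addresses without a usable PTR name, pass through unchanged.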
Michael Stiemke
2018-02-05 13:03:00 UTC
I have modified cache.c to do this.

Output in the log now looks like this:

query[A] v20.vortex-win.data.microsoft.com from 192.168.5.118 = cpu-video (dhcp)

or

query[AAAA] download.opensuse.org from 192.168.5.10 = emu-deve.xxxx.eu (static)

If there is interest, I will post the changes.

The modification just loops through the cache table and gets the names from
there - local query originators only of course, these being either static or
dhcp assigned, can be found in there.

best regards,
Michael Stiemke (mailto:***@ansynova.com)
Dominik DL6ER
2018-02-05 13:33:03 UTC
Hey Michael and Simon,

Thanks. I already have added a cache lookup myself using dnsmasq's
cache_find_by_addr(). However, this is unsuitable for getting the host
names of the forward servers or if you are not the DHCP server.

How could I trigger a PTR request from within dnsmasq? This will add the
host name to the cache where it will then be available afterwards. I
already use some pthreads for things that should not block so I wouldn't
mind running the PTRs from therein, where it wouldn't be blocking anything.

Best regards,
Dominik
Simon Kelley
2018-02-06 18:13:04 UTC
Post by Dominik DL6ER
Hey Michael and Simon,
Thanks. I already have added a cache lookup myself using dnsmasq's
cache_find_by_addr(). However, this is unsuitable for getting the host
names of the forward servers or if you are not the DHCP server.
How could I trigger a PTR request from within dnsmasq? This will add the
host name to the cache where it will then be available afterwards. I
already use some pthreads for things that should not block so I wouldn't
mind to run the PTRs from therein, where it wouldn't be blocking anything.

It's not that simple: you can't block because attempting to process
another query will result in the one you were handling being overwritten
in the buffers. Even if you forward the answer first, you still need to
retain enough information to create the log entry once you have the
answer to the PTR record.

Something like:

In the forwarding path, where the logging happens, store the query type
and domain in the forwarding record. Now create a new PTR query and a
new forwarding record which is used to handle the reply. Link the two
together so that when the answer comes in, you can go back to the
original forwarding record and generate the log entry. Worry about if
the answer to the original query returns before the answer to the PTR
query, and frees the forwarding record before you've logged it. Worry
about no answer to the PTR query arriving and garbage collecting the
forwarding record, (and doing a fallback, without domain name, log line).




Cheers,

Simon.
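
The record lifecycle sketched in the message above, as a small Python model added here as an example (it is not dnsmasq code; dnsmasq's real forwarding records are C structures that this page does not show). The class, method and field names are hypothetical. It covers both cases the message says to worry about: the original answer arriving before the PTR answer, and the PTR answer never arriving.

```python
class ForwardTable:
    def __init__(self, ptr_timeout):
        self.ptr_timeout = ptr_timeout
        self.forwards = {}  # original query id -> record holding the log fields
        self.ptrs = {}      # PTR query id -> (linked original id, deadline)
        self.log = []       # emitted log lines
        self._next = 1

    def _new_id(self):
        self._next += 1
        return self._next - 1

    def forward(self, now, qtype, domain, client_ip):
        """Forwarding path: keep the log fields and start a linked PTR query."""
        fid, pid = self._new_id(), self._new_id()
        self.forwards[fid] = {"qtype": qtype, "domain": domain,
                              "ip": client_ip, "answered": False, "ptr": pid}
        self.ptrs[pid] = (fid, now + self.ptr_timeout)
        return fid, pid

    def _finish(self, pid, name):
        fid, _ = self.ptrs.pop(pid)
        rec = self.forwards[fid]
        who = name or rec["ip"]  # fallback: address only
        self.log.append(f"query[{rec['qtype']}] {rec['domain']} from {who}")
        rec["ptr"] = None
        if rec["answered"]:  # the free was deferred until the line was logged
            del self.forwards[fid]

    def original_answered(self, fid):
        """Reply to the original query: free unless a PTR still needs the record."""
        rec = self.forwards[fid]
        rec["answered"] = True
        if rec["ptr"] is None:
            del self.forwards[fid]

    def ptr_answered(self, pid, name):
        """PTR reply: log with the name; ignore replies that arrive after expiry."""
        if pid not in self.ptrs:
            return False
        self._finish(pid, name)
        return True

    def collect(self, now):
        """Expire unanswered PTR queries, writing the address-only log line."""
        for pid in [p for p, (_, dl) in self.ptrs.items() if dl <= now]:
            self._finish(pid, None)
```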
Simon Kelley
2018-02-06 18:13:57 UTC
That looks useful. Would the denizens of the list like this facility?


Cheers,

Simon.