[dns-stats-users] accept / ignore-rr-type options,

Sara Dickinson sara at sinodun.com
Thu Feb 10 18:03:13 UTC 2022


On 09/02/2022 14:07, Thib D via dns-stats-users wrote:
> Hello,
>
> I am having trouble understanding what these options are accomplishing 
> and how to use them to only capture outgoing AXFR queries
>
> Shouldn't either one of these do the job ?
>
> accept-rr-types=AXFR
> or
> ignore-rr-type=<rrtype>  for each rrtype?
>
> After using inspector to display all of the logged queries in the cdns 
> file, I am still able to see every other query of any rrtype.
>
> What am I using wrong here ?
>
Hi Thibaud,

These particular options control which RR fields are recorded into the 
C-DNS data for a particular message *after* that message is captured. 
They do not filter the captured messages based on the RRTYPE of the 
first Question in the Query (which I think is what you were expecting)?

The corresponding --accept-opcode options do result in messages that 
don't meet the filter being discarded and I can see the documentation is 
a little ambiguous and makes the 2 options seem more similar than they 
are. (If you are interested you can have a look at 
https://datatracker.ietf.org/doc/html/rfc8618#section-6.2.2 to see the 
distinction in the C-DNS specification.)

The trick to the kind of filtering I think you want with the current 
compactor is to use the 'filter' option which accepts a pcap_filter 
expression. I'm afraid you'll have to do a bit of wrangling with the BPF 
filter syntax to figure out how to capture just XFRs. In principle we 
could add such a filter feature into compactor, but it isn't a use case 
we've been asked about before (the filter workaround is enough for most 
cases).

For now, I've opened an issue to improve the documentation on this in 
the User Guide and sample config file: 
https://github.com/dns-stats/compactor/issues/80

Hope this helps

Sara.
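
The BPF wrangling mentioned above, sketched as an added example (not part of the original post and not code from the compactor project): QTYPE follows the variable-length QNAME, so its offset has to be computed from the zone name before a pcap filter can test it. Assumptions: IPv4 only (`tcp[...]` indexing in pcap filters does not apply to IPv6), the query arrives whole in one TCP segment, a single zone of known name, and hypothetical function names; the resulting string is meant for the 'filter' option and has not been tested against compactor.

```python
"""Build a pcap filter matching AXFR queries for one zone over IPv4/TCP."""
import struct

QTYPE_AXFR = 252      # RFC 5936
DNS_HEADER_LEN = 12   # fixed-size DNS header
TCP_LEN_PREFIX = 2    # two-byte message length that precedes DNS over TCP


def qname_wire(zone: str) -> bytes:
    """Encode a zone name as length-prefixed labels ending in the root label."""
    out = b""
    for label in filter(None, zone.rstrip(".").split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def qtype_offset(zone: str) -> int:
    """Offset of the first question's QTYPE from the start of the TCP payload."""
    return TCP_LEN_PREFIX + DNS_HEADER_LEN + len(qname_wire(zone))


def axfr_filter(zone: str, qtype: int = QTYPE_AXFR) -> str:
    """pcap-filter expression: TCP to port 53 whose first question has `qtype`.

    (tcp[12] & 0xf0) >> 2 is the TCP header length, so the index lands on
    QTYPE whatever TCP options are present. Only the length of the zone name
    is used: the name bytes themselves are not compared.
    """
    return ("tcp dst port 53 and "
            f"tcp[((tcp[12] & 0xf0) >> 2) + {qtype_offset(zone)} : 2] = {qtype}")


def build_query(zone: str, qtype: int) -> bytes:
    """Constructed TCP payload of a one-question query, to check the offset."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
    msg = header + qname_wire(zone) + struct.pack("!HH", qtype, 1)
    return struct.pack("!H", len(msg)) + msg


def qtype_at(payload: bytes, offset: int) -> int:
    """Read the 16-bit big-endian value the filter would compare."""
    return struct.unpack_from("!H", payload, offset)[0]


if __name__ == "__main__":
    print(axfr_filter("example.com"))
```

The filter matches only the query segment sent to port 53, so it selects the outgoing request and not the transfer data that comes back.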



