AFAIK you are correct that the data is not currently in the ISC supplied statistics.
HOWEVER, if you are not opposed to rolling your own, have you looked at dnstap? The raw data is all there for what you asked for. I hacked the attached script. It runs on my test system, but YMMV output: 17-Sep-2024 DOT 7726 5.9% 17-Sep-2024 TCP 288 0.2% 17-Sep-2024 UDP 122478 93.9% Regards! Paranoid ---------- Forwarded message --------- From: John W. Blue via bind-users <bind-users@lists.isc.org> Date: Tue, Sep 17, 2024 at 4:00 PM Subject: RE: Logging with Unencrypted DNS, DoT and DoH To: bind-users@lists.isc.org <bind-users@lists.isc.org> Ralph, You already may be aware of the BIND webinar’s put on by ISC and presented by Carsten: https://www.isc.org/docs/BIND_9webinar2.pdf https://www.youtube.com/watch?v=7Uu6XvY68SM If not, spend some time watching the video and would like to point out that slide 12 lists several COTS vendors that are able to consume the named.stats output. John *From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users *Sent:* Tuesday, September 17, 2024 3:40 PM *To:* bind-users@lists.isc.org *Subject:* Logging with Unencrypted DNS, DoT and DoH Hello, BIND 9.18.7 RHEL 8.10 (Oopta) I am being asked if it is possible to differentiate the percentage of queries coming into a server that are unencrypted, DoT and DoH. Example: For a given 24 hours, 50% were 53, 25% were 853 and 25% were 443. I cannot find a difference in the query logs to show how the query came into the server. My only thought at the moment is to run ‘tcpdump’ on all of the servers and script something. Is there some way that I just have not found within BIND? My apologies if this has been asked previously. Thank you, *Ralph F. Bischof, Jr. |* *Leidos* DDI Service Architect Digital Modernization Sector ralph.bisc...@nasa.gov | www.leidos.com <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.leidos.com%2F&data=05%7C02%7Cralph.bischof%40nasa.gov%7Cffe474bf7c714c8a913b08dc4cd7972f%7C7005d45845be48ae8140d43da96dd17b%7C0%7C0%7C638469736078828844%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=TZSJjHnaQPPBBZUTk8LGL0RNQjcuxrhzmmxzDNuy7q0%3D&reserved=0> +1 (256) 682-9145 *M* -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- paranoid sysadmin
qnd_dnstap_extract.sh
Description: Binary data
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
