On 10/05/11 00:03, Ed W wrote:
Hi, I have a slightly peculiar requirement to track very accurate *per
user* traffic for a small remote bunch of users.  The internet
connections these users have available will be some kind of satellite
telephone with non trivial bandwidth costs and we want to attribute very
exact costs back on a per user basis. (these kinds of devices have
running costs circa $10-100/MB)

To do this I'm using a small custom built embedded router, and we will
use some form of 802.11x or captive portal style user authentication but
I have one area I need advice on solving:

- Tracking bandwidth *through* "proxies" such as dnsmasq.

Basically there isn't an exact match between the flows between dnsmasq
and the client and dnsmasq and the upstream dns resolver...

I think at least on linux a good solution would be to copy the iptables
"mark" from an incoming connection and apply it to any outgoing
                          ^^^^^^^^^^
connections (across the expensive link).  I could then track bandwidth
by simply tracking on the connection mark and this would watch both
direct traffic and via the "proxy"?

Squid recently added exactly this to their codebase:
        http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/10925

Does someone have an idea on how much effort this would be to implement
in dnsmasq?  Simon, would you consider a feature request to add such a
thing?

(Note this could be slightly useful for uses other than my scenario, for
example more general captive portals tend to be vulnerable to dns
tunnelling hacks - such a feature would allow dnsmasq to resolve local
and cached responses, but the firewall can make decisions based on the
connection mark to allow outbound queries)

Thanks for any thoughts


Yes, I would consider such a feature request, and in principle, passing information over from incoming DNS requests to outgoing DNS requests is quite simple. The pointer to Squid is good, it gives API examples which show that this is quite easy. HOWEVER, I think the showstopper is the concept of a "connection". The vast majority of DNS traffic runs over UDP, so there's no network-level connection to track. You could force everything to TCP, but that would be slow, and use more of your precious upstream bandwidth than is strictly necessary. Have I got this wrong somewhere?


Cheers,

Simon.
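As an added illustration of the mechanism Ed describes (not code from dnsmasq, Squid, or either poster): a small simulated caching DNS forwarder that tags every upstream query with the firewall mark of the client that caused it, charges the query and response bytes to that mark, serves cache hits for free, and never forwards on behalf of an unmarked (unauthenticated) client. Everything here is constructed: the client-to-mark table stands in for what the firewall would assign after captive-portal login, the stub upstream resolver stands in for the resolver across the satellite link, and `SO_MARK = 36` is the Linux socket-option number (the call needs CAP_NET_ADMIN and is only attempted, never required). Because the accounting is done per datagram keyed on the client's mark, it does not rely on a network-level connection existing for UDP.

```python
import socket
import struct
from collections import defaultdict

SO_MARK = 36  # Linux value of SO_MARK (assumption: Linux only; needs CAP_NET_ADMIN)

# Constructed per-user marks; on a real router iptables MARK/CONNMARK rules
# would assign these after captive-portal or 802.1X authentication.
CLIENT_MARKS = {"10.0.0.11": 0x11, "10.0.0.12": 0x12}

COST_PER_MB_USD = 10.0  # lower end of the $10-100/MB figure quoted in the thread


def build_dns_query(name, qid=0x1234):
    """Build a minimal RFC 1035 A query (RD set, one question) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def fake_upstream(query):
    """Constructed stand-in for the resolver across the expensive link:
    echoes the question and appends one A record (constructed address)."""
    hdr = bytearray(query[:12])
    hdr[2] |= 0x80  # QR bit: this is a response
    hdr[7] = 1      # ANCOUNT = 1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return bytes(hdr) + query[12:] + rr


def mark_upstream_socket(sock, mark):
    """Tag an outgoing socket with the client's mark so firewall accounting
    rules can see it. Returns False when the kernel refuses (no privilege,
    non-Linux host)."""
    try:
        sock.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
        return True
    except OSError:
        return False


class MarkAwareForwarder:
    """Simulated caching forwarder that attributes upstream bytes per mark."""

    def __init__(self, upstream):
        self.upstream = upstream            # callable: query bytes -> response bytes
        self.cache = {}                     # name -> response bytes
        self.upstream_bytes = defaultdict(int)  # mark -> bytes sent+received upstream

    def handle(self, client_ip, name):
        """Return (response, fetched_upstream). Cached and local answers are
        served to anyone; only marked (authenticated) clients reach upstream."""
        if name in self.cache:
            return self.cache[name], False
        mark = CLIENT_MARKS.get(client_ip, 0)
        if mark == 0:
            # Unauthenticated client: the firewall would drop an unmarked
            # outbound query anyway, so refuse here and spend nothing.
            return None, False
        query = build_dns_query(name)
        # A real forwarder would create the upstream UDP socket here and call
        # mark_upstream_socket(sock, mark) before sending `query`.
        resp = self.upstream(query)
        self.upstream_bytes[mark] += len(query) + len(resp)
        self.cache[name] = resp
        return resp, True

    def cost_usd(self, mark):
        """Attributed cost for one user at the constructed per-MB rate."""
        return self.upstream_bytes[mark] / (1024 * 1024) * COST_PER_MB_USD


if __name__ == "__main__":
    fwd = MarkAwareForwarder(fake_upstream)
    fwd.handle("10.0.0.11", "example.com")   # pays for the upstream round trip
    fwd.handle("10.0.0.12", "example.com")   # cache hit, costs nothing
    fwd.handle("10.0.0.99", "example.org")   # unmarked client, refused
    for mark, n in sorted(fwd.upstream_bytes.items()):
        print(f"mark 0x{mark:02x}: {n} bytes, ${fwd.cost_usd(mark):.6f}")
```

The point the simulation makes concrete is the one in Ed's first message: the client-side flow and the upstream flow are different datagrams, so the only place that knows which user caused a given upstream query is the proxy itself, and it has to carry the mark across.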

