[Dnsmasq-discuss] Very accurate bandwidth tracking...
Simon Kelley
simon at thekelleys.org.uk
Tue May 10 08:06:49 BST 2011
On 10/05/11 00:03, Ed W wrote:
> Hi, I have a slightly peculiar requirement to track very accurate *per
> user* traffic for a small remote bunch of users. The internet
> connections these users have available will be some kind of satellite
> telephone with non trivial bandwidth costs and we want to attribute very
> exact costs back on a per user basis. (these kinds of devices have
> running costs circa $10-100/MB)
>
> To do this I'm using a small custom built embedded router, and we will
> use some form of 802.11x or captive portal style user authentication but
> I have one area I need advice on solving:
>
> - Tracking bandwidth *through* "proxies" such as dnsmasq.
>
> Basically there isn't an exact match between the flows between dnsmasq
> and the client and dnsmasq and the upstream dns resolver...
>
> I think at least on linux a good solution would be to copy the iptables
> "mark" from an incoming connection and apply it to any outgoing
^^^^^^^^^^
> connections (across the expensive link). I could then track bandwidth
> by simply tracking on the connection mark and this would watch both
> direct traffic and via the "proxy"?
>
> Squid recently added exactly this to their codebase:
> http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/10925
>
> Does someone have an idea on how much effort this would be to implement
> in dnsmasq? Simon, would you consider a feature request to add such a
> thing?
>
> (Note this could be slightly useful for uses other than my scenario, for
> example more general captive portals tend to be vulnerable to dns
> tunnelling hacks - such a feature would allow dnsmasq to resolve local
> and cached responses, but the firewall can make decisions based on the
> connection mark to allow outbound queries)
>
> Thanks for any thoughts
>
Yes, I would consider such a feature request, and in principle, passing
information over from incoming DNS requests to outgoing DNS requests is
quite simple. The pointer to Squid is good, it gives API examples which
show that this is quite easy. HOWEVER, I think the showstopper is the
concept of a "connection". The vast majority of DNS traffic runs over
UDP, so there's no network-level connection to track. You could force
everything to TCP, but that would be slow, and use more of your
precious upstream bandwidth than is strictly necessary. Have I got this
wrong somewhere?
Cheers,
Simon.
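The mark-copying idea from Ed W's message, as an added illustration that is not dnsmasq code and not the Squid change linked above: a minimal UDP forwarder looks up the mark belonging to the client that sent a query, sends the upstream query from a socket whose `SO_MARK` is set to that mark, and keeps a per-mark byte count for the expensive link. Cached answers are served without touching the upstream side, which is exactly why client-side and upstream flows do not match one to one. `lookup_mark` is a hypothetical stand-in for the conntrack query (Squid uses libnetfilter_conntrack for this), `CLIENT_MARKS` and the cache contents are constructed, and `FakeSocket` replaces `socket.socket` so the code runs offline; on a real Linux host the same `setsockopt(SOL_SOCKET, SO_MARK, ...)` call needs `CAP_NET_ADMIN`. Simon's point that there is no TCP connection stands; what the example relies on is only that the sending socket's mark is attached to each outgoing datagram, which the firewall can then count against the user whether or not it tracks the UDP flow.

```python
"""Added example (not dnsmasq's code): copy a per-client firewall mark onto
the upstream DNS socket and account upstream bytes per mark."""
import socket
import struct
from collections import defaultdict

# Linux exposes socket.SO_MARK; fall back to the kernel's numeric value so
# the module still imports on other platforms (assumption: Linux semantics).
SO_MARK = getattr(socket, "SO_MARK", 36)

# Constructed table standing in for the captive portal / conntrack lookup:
# client IP -> fwmark assigned at authentication time. 0 means "unknown user".
CLIENT_MARKS = {"192.0.2.10": 0x11, "192.0.2.11": 0x12}


def lookup_mark(client_ip: str) -> int:
    """Hypothetical stand-in for asking conntrack for the client's mark."""
    return CLIENT_MARKS.get(client_ip, 0)


def build_query(qname: str, txid: int) -> bytes:
    """Minimal DNS A/IN query in RFC 1035 wire format (constructed traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


class FakeSocket:
    """Offline stand-in for socket.socket: records the mark and bytes sent."""

    def __init__(self, *args):
        self.mark = 0
        self.sent = []

    def setsockopt(self, level, opt, value):
        if level == socket.SOL_SOCKET and opt == SO_MARK:
            self.mark = value

    def sendto(self, data, addr):
        self.sent.append((data, addr))
        return len(data)


class MarkedForwarder:
    def __init__(self, upstream, mark_lookup=lookup_mark, sock_factory=FakeSocket):
        self.upstream = upstream
        self.mark_lookup = mark_lookup
        self.sock_factory = sock_factory
        self.sockets = {}                        # mark -> upstream socket with that mark
        self.upstream_bytes = defaultdict(int)   # mark -> bytes sent across the link
        self.cache = {}                          # question section -> cached answer

    def socket_for_mark(self, mark: int):
        """One upstream socket per mark; every datagram it sends carries the mark,
        so the firewall can count (or CONNMARK-save) it per user."""
        sock = self.sockets.get(mark)
        if sock is None:
            sock = self.sock_factory(socket.AF_INET, socket.SOCK_DGRAM)
            sock.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
            self.sockets[mark] = sock
        return sock

    def forward(self, query: bytes, client):
        """Return (mark, upstream_bytes). A cache hit costs 0 upstream bytes."""
        mark = self.mark_lookup(client[0])
        question = query[12:]            # everything after the header identifies the query
        if question in self.cache:
            return mark, 0               # answered locally: nothing crosses the link
        sent = self.socket_for_mark(mark).sendto(query, self.upstream)
        self.upstream_bytes[mark] += sent
        return mark, sent


if __name__ == "__main__":
    fw = MarkedForwarder(("203.0.113.53", 53))   # constructed upstream resolver
    print(fw.forward(build_query("example.com", 1), ("192.0.2.10", 40000)))
    fw.cache[build_query("example.com", 0)[12:]] = b"constructed cached answer"
    print(fw.forward(build_query("example.com", 2), ("192.0.2.11", 40001)))
    print(dict(fw.upstream_bytes))
```

With a real socket factory the only change is `sock_factory=socket.socket`; the accounting side then lives in the firewall (for example counting by `meta mark` or saving it into the conntrack entry), and the forwarder's own per-mark counter becomes a cross-check rather than the source of truth.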