[Dnsmasq-discuss] Understand logging - didn't find details
Geert Stappers
stappers at stappers.nl
Tue Apr 11 19:05:10 UTC 2023
On Tue, Apr 11, 2023 at 06:21:42PM +0200, webman at manfbraun.de wrote:
>
> Hello!
>
> I want to find out the response time from client's request up to dnsmasq's response
> (including the external answer!) to the client. But a look into the logfile - thought, easy
> to make a wrapper, because I am missing dnstap support - wonders me.
> For example, here a short excerpt, omitting the date, I cut out of a continuing block:
>
> dnsmasq[315]: 86114 192.120.33.206/55020 query[PTR] 155.33.120.192.in-addr.arpa from 192.120.33.206
> dnsmasq[315]: 86114 192.120.33.206/55020 /etc/dnsmasq.d/hosts 192.120.33.155 is proxy.lan.local
>
> dnsmasq[315]: 86115 192.120.33.206/55020 query[A] stackoverflow.com from 192.120.33206
> dnsmasq[315]: 86115 192.120.33.206/55020 forwarded stackoverflow.com to 208.67.222.222
> dnsmasq[315]: 86115 192.120.33.206/55020 reply stackoverflow.com is 151.101.193.69
> dnsmasq[315]: 86115 192.120.33.206/55020 reply stackoverflow.com is 151.101.65.69
> dnsmasq[315]: 86115 192.120.33.206/55020 reply stackoverflow.com is 151.101.129.69
> dnsmasq[315]: 86115 192.120.33.206/55020 reply stackoverflow.com is 151.101.1.69
>
> dnsmasq[315]: 86116 192.120.33.206/55020 query[A] alive.github.com from 192.120.33.206
> dnsmasq[315]: 86116 192.120.33.206/55020 forwarded alive.github.com to 77.88.8.8
> dnsmasq[315]: 86116 192.120.33.206/55020 reply alive.github.com is <CNAME>
> dnsmasq[315]: 86116 192.120.33.206/55020 reply live.github.com is 140.82.113.25
>
> Am I right that the second column is just a sequence number?
AFAIK a counter for a DNS query.
> Then, the first block would be easy to understand and I could use the time difference (the
> time, where the loglines arrive in my wrapper).
> The second block looks like dnsmasq is sending four responses, because of
> stackoverflow has four ip-addresses? Or does this mean, the query (of this second
> block) started at its first line and was complete(!) at the sixth line and the answer to
> the client was one response packet? At least, the following "sequence" number then
> is logically different.
> The same pattern then is visible in the third block.
>
> Some comments would help me!
The "counter" is for a **complete** DNS query.
- incoming query
- forward, if forwarded
- the reply
Use it for grouping queries.
Do know that
| dnsmasq[315]: 86315 192.120.33.206/55020 query[A] stackoverflow.com from 192.120.33206
| dnsmasq[315]: 86315 192.120.33.206/55020 forwarded stackoverflow.com to 208.67.222.222
| dnsmasq[315]: 86316 192.120.33.206/55020 query[PTR] 155.33.120.192.in-addr.arpa from 192.120.33.206
| dnsmasq[315]: 86316 192.120.33.206/55020 /etc/dnsmasq.d/hosts 192.120.33.155 is proxy.lan.local
| dnsmasq[315]: 86315 192.120.33.206/55020 reply stackoverflow.com is 151.101.193.69
| dnsmasq[315]: 86315 192.120.33.206/55020 reply stackoverflow.com is 151.101.65.69
| dnsmasq[315]: 86315 192.120.33.206/55020 reply stackoverflow.com is 151.101.129.69
| dnsmasq[315]: 86315 192.120.33.206/55020 reply stackoverflow.com is 151.101.1.69
is possible ( 315 query, 316 query, 316 reply, 315 reply )
> Thanks so far,
Please, pretty please, find better ways to thank,
to be grateful to a community.
> Manfred
Groeten
Geert Stappers
--
Silence is hard to parse
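
Added example, not part of the original message and not dnsmasq code: a small wrapper-side parser that groups log lines by the query counter discussed above and measures the time from the query line to the last answer line, even when two queries interleave. It assumes the line shape shown in the excerpts, that the wrapper supplies its own arrival time in milliseconds for each line, and that any line for a counter that is neither `query[...]` nor `forwarded` is an answer; the names `group_queries`, `latency_ms` and `SAMPLE` are hypothetical.

```python
import re

# Line shape taken from the excerpts in this thread:
#   dnsmasq[pid]: serial client/port action rest
LINE = re.compile(r"dnsmasq\[(?P<pid>\d+)\]: (?P<serial>\d+) "
                  r"(?P<client>\S+)/(?P<port>\d+) (?P<action>\S+) (?P<rest>.*)")

def group_queries(timed_lines):
    """Group (arrival_ms, line) pairs by (pid, serial), tolerating interleaving."""
    queries = {}
    for ts, line in timed_lines:
        m = LINE.search(line)
        if m is None:
            continue  # not a per-query line in the shape above
        key = (int(m["pid"]), int(m["serial"]))
        rec = queries.setdefault(key, {"name": None, "type": None, "upstream": None,
                                       "start": None, "end": None, "answers": 0})
        action, rest = m["action"], m["rest"]
        if action.startswith("query["):
            rec.update(type=action[6:-1], name=rest.split()[0], start=ts)
        elif action == "forwarded":
            rec["upstream"] = rest.split()[-1]
        else:
            # Assumption: any other line for this serial is an answer record
            # (a "reply" line, or a local source such as a hosts file path).
            rec["answers"] += 1
            rec["end"] = ts  # keep the last one; the group is complete here
    return queries

def latency_ms(queries):
    """Elapsed ms from the query line to the last answer line, per complete query."""
    return {k: r["end"] - r["start"] for k, r in queries.items()
            if r["start"] is not None and r["end"] is not None}

# Constructed sample: lines in the interleaved order described in the reply,
# paired with made-up arrival times in milliseconds.
SAMPLE = [
    (0, "dnsmasq[315]: 86315 192.120.33.206/55020 query[A] stackoverflow.com from 192.120.33.206"),
    (1, "dnsmasq[315]: 86315 192.120.33.206/55020 forwarded stackoverflow.com to 208.67.222.222"),
    (2, "dnsmasq[315]: 86316 192.120.33.206/55020 query[PTR] 155.33.120.192.in-addr.arpa from 192.120.33.206"),
    (3, "dnsmasq[315]: 86316 192.120.33.206/55020 /etc/dnsmasq.d/hosts 192.120.33.155 is proxy.lan.local"),
    (30, "dnsmasq[315]: 86315 192.120.33.206/55020 reply stackoverflow.com is 151.101.193.69"),
    (31, "dnsmasq[315]: 86315 192.120.33.206/55020 reply stackoverflow.com is 151.101.65.69"),
]

if __name__ == "__main__":
    for key, ms in latency_ms(group_queries(SAMPLE)).items():
        print(key, ms, "ms")
```

The measured time is log-arrival time in the wrapper, so it includes logging and pipe delay and is only an approximation of what the client experiences.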