| 1 | +====================== |
| 2 | +Reporting: Unbound DNS |
| 3 | +====================== |
| 4 | + |
| 5 | +Starting from OPNsense 23.1, users are able to gain insight into DNS traffic passing through their Unbound DNS resolver |
| 6 | +using the reporting tool under :menuselection:`Reporting --> Unbound DNS`. |
| 7 | + |
| 8 | +All data presented here is kept on the system for a total of 7 days, creating a rolling window into DNS traffic without |
| 9 | +allowing the system to take up boundless storage space. |
| 10 | + |
| 11 | +------------------------- |
| 12 | +Overview |
| 13 | +------------------------- |
| 14 | + |
| 15 | +The overview tab shows high-level DNS traffic data. |
| 16 | + |
| 17 | +**Counters** |
| 18 | + |
| 19 | +* The total amount of queries Unbound has handled, starting from the moment as reported above the counters. |
| 20 | + This will either be from the moment the gathering of statistics has been enabled, or up until the last 7 days. |
| 21 | + Keep in mind that the counter is as seen from the incoming side, and will increase regardless of the type |
| 22 | + of response returned. |
| 23 | +* The amount of queries Unbound has successfully resolved. This counter does not distinguish between forwards or |
| 24 | + recursion, and excludes every other response type, such as responses from cache, local-data or a local policy |
| 25 | + such as a blocklist. |
| 26 | +* The amount of queries Unbound has blocked. This is either because a queried domain was part of a blocklist, |
| 27 | + or part of a user-configured exact match as configured in :menuselection:`Services --> Unbound DNS --> Blocklist`. |
| 28 | +* The size of the current blocklist (if any). This will equal the total amount of domains listed inside all the |
| 29 | + active blocklists. |
| 30 | + |
| 31 | +Every query counter shows the percentage as part of to the total amount of queries. |
| 32 | + |
| 33 | +.. Note:: |
| 34 | + |
| 35 | + Adding up both the blocked and resolved queries does not equal the total amount, since the amount of |
| 36 | + responses from cache, local-data and other possible sources such as Unbound itself on e.g. a SERVFAIL are not |
| 37 | + shown. |
| 38 | + |
| 39 | + |
| 40 | +**Graphs** |
| 41 | + |
| 42 | +Also included in the report are two DNS traffic graphs, the first one being the query graph, and the second one |
| 43 | +being the client graph. Both graphs show the amount of **incoming** queries over a selectable span of time. |
| 44 | +The query graph also shows the amount of blocked queries. You can hover over the dots in the client graph |
| 45 | +to see which client it is, as well as the amount of queries associated with this client. |
| 46 | + |
| 47 | +Both the query and client graph have the option to display the data on a logarithmic scale in order to catch outliers |
| 48 | +properly while preserving your perspective of the normal flow of traffic. |
| 49 | + |
| 50 | +**Top domains** |
| 51 | + |
| 52 | +On the bottom of the page the top 10 of both passed and blocked queries are shown. This includes the amount a domain |
| 53 | +has been requested, as well as a percentage of passed or blocked requests respectively. If you have blocklists enabled, |
| 54 | +you are also able to explicitly block or whitelist a specific domain from this top list with the click of a button. |
| 55 | +The relevant domains will show up in :menuselection:`Services --> Unbound DNS --> Blocklist`, under "Whitelist Domains" |
| 56 | +or "Blocklist Domains". |
| 57 | + |
| 58 | +------------------------- |
| 59 | +Details |
| 60 | +------------------------- |
| 61 | + |
| 62 | +The details tab shows a livefeed of **completed** queries along with reply information. |
| 63 | +You can refresh the list by clicking the refresh button on the top right of the screen. In it you can find: |
| 64 | + |
| 65 | +* Which client queried which domain with its associated DNS record type. |
| 66 | +* The action taken by Unbound, this can either be pass, block or drop. The latter only occurs when a query could |
| 67 | + not be serviced due to an internal error. |
| 68 | +* The source of the response. This can be either Recursion, Local, Local-data or cache. Local refers to a decision |
| 69 | + made by Unbound to either block or drop the query. Local-data refers to the custom host overrides and its associated |
| 70 | + aliases. |
| 71 | +* The return code of the DNS query. Refer to the |
| 72 | + `IANA DNS Parameters <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6>`__ |
| 73 | + for its meaning. |
| 74 | +* If recursion is involved, how long in milliseconds it took to resolve a domain. |
| 75 | +* The TTL of the final answer. Answers from recursion will always contain an upstream-defined TTL value, while |
| 76 | + answers from cache will show a snapshot of the remaining cache TTL value before recursion would have to take place again. |
| 77 | + Please note that TTL behaviour can be largely dependent on the settings used in :menuselection:`Services --> Unbound DNS --> Advanced`. |
| 78 | +* The blocklist used if a query was blocked. |
| 79 | +* Either a block or whitelist action button, which can be used in the same way as described above for the "Top domains" in the |
| 80 | + overview section. Please note that this column will not appear if blocklists are disabled. |
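Review bot: The first counter description (new lines 19-20) refers to "the moment the gathering of statistics has been enabled", but the page never says where that is enabled, so a reader who finds the report empty has no pointer; add a :menuselection: reference to the setting, in the same way the file already links the Blocklist and Advanced pages. In the same bullet, "or up until the last 7 days" reads as an end point rather than a start; something like "or from 7 days ago, whichever is later" matches the rolling window described on lines 8-9. Smaller points: line 31 has "as part of to the total amount" (drop "to"), line 62 has "livefeed" as one word, and line 68 mixes capitalisation in "Recursion, Local, Local-data or cache". Line 23 says the resolved counter covers both forwards and recursion, while the source list on line 68 has no forward entry; say whether forwarded queries appear there as Recursion.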