Quad9 signals that a domain is blocked by returning the NXDOMAIN response code and an AUTHORITY value of 0. More information here: https://support.quad9.net/hc/en-us/articles/360050642431-What-does-a-block-from-Quad9-look-like-
It is not typically trivial to record block events with most DNS forwarders, because the response logging capabilities of many recursive and forwarding DNS servers are limited or absent.
It is possible to monitor for and record blocked domains with tshark, which is available on most Linux distributions through the appropriate package manager.
The command below is an example and can be modified as desired to adjust the output format, output file, etc. Please refer to the manual page for tshark: https://www.wireshark.org/docs/man-pages/tshark.html
Running the command will display the timestamp, the domain name, the source address (Quad9) and the destination address (the client).
This will typically be run on the local DNS forwarder server or default gateway (router). Since the capture has to examine all traffic on the server's interfaces, it is recommended to run it only on a DNS forwarder server.
sudo tshark -np -i any -q -c 100000 -E separator=, -E quote=n -T fields -e frame.time -e dns.qry.name -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -Y "dns.flags.rcode eq 3 && dns.flags.recavail eq 0" "src net 9.9.9.0/24 or src net 149.112.112.0/24 or src net 2620:fe::0/48"
You can test that it's working by querying for isitblocked.org:
dig isitblocked.org @9.9.9.9
tshark should then print a line like the following (the timestamp and client address will differ):
Feb 28, 2023 21:57:05.668450028 CET,isitblocked.org,9.9.9.9,,192.168.1.144,
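The tshark display filter above keys on two header fields: RCODE 3 (NXDOMAIN) with the Recursion Available flag clear, from a Quad9 source prefix. The following Python script is an added example (not from Quad9's article or the tshark project) that applies the same test to a raw DNS message and emits a line in the same field order as the tshark command; the sample packets and the timestamp string are constructed inline.

```python
import ipaddress
import struct

# Source prefixes Quad9 answers from (the same nets as the tshark capture filter).
QUAD9_NETS = [ipaddress.ip_network(n) for n in
              ("9.9.9.0/24", "149.112.112.0/24", "2620:fe::0/48")]


def parse_qname(payload, offset=12):
    """Decode the (uncompressed) question name that follows the 12-byte header."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def is_quad9_block(src_ip, payload):
    """True if this DNS message carries Quad9's block signature:
    a response (QR=1) from a Quad9 address with RCODE=3 and RA=0."""
    if not any(ipaddress.ip_address(src_ip) in net for net in QUAD9_NETS):
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    qr, ra, rcode = (flags >> 15) & 1, (flags >> 7) & 1, flags & 0xF
    return qr == 1 and rcode == 3 and ra == 0


def block_record(ts, src_ip, dst_ip, payload):
    """CSV line in tshark's field order (time,qname,ip.src,ipv6.src,ip.dst,ipv6.dst),
    or None if the message is not a Quad9 block."""
    if not is_quad9_block(src_ip, payload):
        return None
    qname, _ = parse_qname(payload)
    v6 = ipaddress.ip_address(src_ip).version == 6
    cols = [ts, qname,
            "" if v6 else src_ip, src_ip if v6 else "",
            "" if v6 else dst_ip, dst_ip if v6 else ""]
    return ",".join(cols)


def build_response(qname, flags):
    """Constructed sample: minimal DNS response, one question, no records."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


BLOCKED = build_response("isitblocked.org", 0x8103)      # QR, RD, RA=0, NXDOMAIN
REAL_NXDOMAIN = build_response("nonexistent.example", 0x8183)  # QR, RD, RA=1, NXDOMAIN

if __name__ == "__main__":
    print(block_record("Feb 28, 2023 21:57:05.668450028 CET", "9.9.9.9", "192.168.1.144", BLOCKED))
```

A genuine NXDOMAIN for a non-existent name comes back with RA set, so the RA check is what separates a Quad9 block from an ordinary negative answer.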