Unbound Today's DNS Replies Client IP are all 127.0.0.1 - anyway to get the actual lookup host?

[Skywise]

So I've got one of my devices spamming a particular blocked address (google-analytics) and I'm trying to figure out who's doing it. Sure, I could fire up wireshark but why spend 5 minutes when I can waste a few hours trying to get it to show up in the stats page on my router!

I've got DNS Director enabled.
Been digging around this morning to see if there's a way to resolve this - I added a add-subnet=32 to my dnsmasq config as described here https://discourse.pi-hole.net/t/forwarding-dns-request-with-source-ip/51898/2 but it looks like unbound doesn't read the additional data.
Is there any setting on the unbound config I can add to read the additional client IP data?

 

[Crimliar]

Historically when I've used unbound it would have been behind PiHole, but I assume the same would be true of diversion or AGH. So when using a local DNS filter you'd usually have the DNS filter (PiHole/Diversion/AGH) as the service that clients would see, and then have that DNS filter access Unbound. If you are using that setup you'd still be able to see the device making the DNS requests in the logs for the DNS filter - before it gets passed to Unbound. If you are instead going straight to Unbound then https://snippets.khromov.se/enable-logging-of-dns-queries-in-unbound-dns-resolver/ might be of help.

 

[Skywise]

Historically when I've used unbound it would have been behind PiHole, but I assume the same would be true of diversion or AGH. So when using a local DNS filter you'd usually have the DNS filter (PiHole/Diversion/AGH) as the service that clients would see, and then have that DNS filter access Unbound. If you are using that setup you'd still be able to see the device making the DNS requests in the logs for the DNS filter - before it gets passed to Unbound. If you are instead going straight to Unbound then https://snippets.khromov.se/enable-logging-of-dns-queries-in-unbound-dns-resolver/ might be of help.

Thanks - I'm doing that part - but all the dns queries are being logged as 127.0.0.1

 

[bbunge]

dnsmasq is passing queries off to Unbound on loopback address 127.0.0.1. If unbound has a log your answers will be in there.

 

[Skywise]

dnsmasq is passing queries off to Unbound on loopback address 127.0.0.1. If unbound has a log your answers will be in there.

Correct. Which is why I added the add-subnet option to dnsmasq to pass along the IP... But I can't find it there's a config for unbound to recognize that value.

 

[Crimliar]

So would this be the log at /opt/var/log/dnsmasq.log ?
If it's not there, I believe you would add
log-facility=/opt/var/log/dnsmasq.log
to
/etc/dnsmasq/conf