Feature Request: Log Client IP/Hostname for Locally-Resolved DNS Queries in dnsmasq
Is your feature request related to a problem?
I would like to request the addition of a feature in dnsmasq that enables logging or identification of the specific client (e.g., IP address or hostname) making DNS requests to blocked or locally-resolved domains. Currently, logs such as “using only locally-known addresses for [domain]” provide no visibility into which device initiated the query, which makes it challenging to investigate suspicious or potentially malicious activity, such as repeated requests for domains like zzux.com or zzylos.ddns.net. This enhancement would significantly improve network security monitoring and forensic analysis by allowing administrators to trace DNS queries back to their source.
Describe the solution you'd like
I would like dnsmasq to include the IP address or hostname of the client that makes each DNS request in the log entries—especially when a domain is resolved using only locally-known addresses. This would help identify which device is querying suspicious or unwanted domains, improving network visibility and security monitoring.
Describe alternatives you've considered
I attempted to identify the offending client using Wireshark, but was unable to determine the source due to the volume and nature of the DNS traffic.
RaspAP uses log-queries to capture DNS queries. The "extra" and "proto" arguments might give you what you're looking for. You can test this by modifying /etc/dnsmasq.d/090_raspap.conf like so:
# RaspAP default config
log-facility=/var/log/dnsmasq.log
conf-dir=/etc/dnsmasq.d
log-queries=extra
...and restart dnsmasq via the UI or command line.
-q, --log-queries Log the results of DNS queries handled by dnsmasq. Enable a full cache dump on receipt of SIGUSR1. If the argument "extra" is supplied, ie --log-queries=extra then the log has extra information at the start of each line. This consists of a serial number which ties together the log lines associated with an individual query, and the IP address of the requestor. If the argument "proto" is supplied, this shows everything that "extra" does and also the network protocol used to communicate the queries.
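Once `log-queries=extra` is active, the serial number and requestor address described above can be used to attribute queries for watched domains to clients. The following is an added example, not part of the original thread or of RaspAP or dnsmasq; the log line layout in the regex is an assumption about the `extra` format, the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Assumed shape of a log-queries=extra line after the syslog prefix:
#   "<serial> <client-ip>/<port> <action> <name> ..."
LINE = re.compile(
    r"dnsmasq(?:\[\d+\])?: (?P<serial>\d+) (?P<ip>[0-9A-Fa-f.:]+)/(?P<port>\d+) "
    r"(?P<action>\S+) (?P<name>\S+)"
)

# Constructed sample log; addresses and serials are made up for illustration.
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[812]: using only locally-known addresses for zzux.com
Jan 10 12:00:05 dnsmasq[812]: 101 192.168.50.23/40112 query[A] zzux.com from 192.168.50.23
Jan 10 12:00:05 dnsmasq[812]: 101 192.168.50.23/40112 config zzux.com is 0.0.0.0
Jan 10 12:00:06 dnsmasq[812]: 102 192.168.50.41/53120 query[A] example.org from 192.168.50.41
Jan 10 12:00:07 dnsmasq[812]: 103 192.168.50.23/40113 query[AAAA] zzux.com from 192.168.50.23
Jan 10 12:00:07 dnsmasq[812]: 103 192.168.50.23/40113 config zzux.com is ::
Jan 10 12:00:08 dnsmasq[812]: 104 192.168.50.77/38001 query[A] zzylos.ddns.net from 192.168.50.77
Jan 10 12:00:08 dnsmasq[812]: 104 192.168.50.77/38001 config zzylos.ddns.net is 0.0.0.0
"""

def trace_queries(log_text, watchlist):
    """Return one record per query for a watched domain (or a subdomain of it)."""
    watch = {d.lower().rstrip(".") for d in watchlist}
    records = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # startup messages and lines logged without "extra"
        # Serials can repeat after a restart, so key on client and port too.
        key = (m["serial"], m["ip"], m["port"])
        if m["action"].startswith("query["):
            name = m["name"].lower().rstrip(".")
            hit = next((d for d in watch if name == d or name.endswith("." + d)), None)
            if hit:
                records[key] = {"client": m["ip"], "domain": hit, "name": name,
                                "qtype": m["action"][6:-1], "answered_by": []}
        elif key in records:
            # Later lines with the same serial say how the query was answered.
            records[key]["answered_by"].append(m["action"])
    return list(records.values())

def clients_by_domain(records):
    """Summarise records as {domain: {client_ip: query_count}}."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["domain"]][r["client"]] += 1
    return {d: dict(c) for d, c in counts.items()}
```

To run it against a live system, pass the contents of the file named by `log-facility` instead of `SAMPLE_LOG`.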