accept / ignore-rr-type options
Hello,

I am having trouble understanding what these options are accomplishing and how to use them to only capture outgoing AXFR queries.

Shouldn't either one of these do the job?

accept-rr-types=AXFR or ignore-rr-type=<rrtype> for each rrtype?

After using inspector to display all of the logged queries in the cdns file, I am still able to see every other query of any rrtype.

What am I using wrong here?

Regards,
Thibaud
On 09/02/2022 14:07, Thib D via dns-stats-users wrote:
> Hello,
> I am having trouble understanding what these options are accomplishing and how to use them to only capture outgoing AXFR queries.
> Shouldn't either one of these do the job?
> accept-rr-types=AXFR or ignore-rr-type=<rrtype> for each rrtype?
> After using inspector to display all of the logged queries in the cdns file, I am still able to see every other query of any rrtype.
> What am I using wrong here?
Hi Thibaud,

These particular options control which RR fields are recorded into the C-DNS data for a particular message *after* that message is captured. They do not filter the captured messages based on the RRTYPE of the first Question in the Query (which I think is what you were expecting?).

The corresponding --accept-opcode options do result in messages that don't meet the filter being discarded, and I can see the documentation is a little ambiguous and makes the 2 options seem more similar than they are. (If you are interested you can have a look at https://datatracker.ietf.org/doc/html/rfc8618#section-6.2.2 to see the distinction in the C-DNS specification.)

The trick to the kind of filtering I think you want with the current compactor is to use the 'filter' option, which accepts a pcap_filter expression. I'm afraid you'll have to do a bit of wrangling with the BPF filter syntax to figure out how to capture just XFRs.

In principle we could add such a filter feature into compactor, but it isn't a use case we've been asked about before (the filter workaround is enough for most cases).

For now, I've opened an issue to improve the documentation on this in the User Guide and sample config file: https://github.com/dns-stats/compactor/issues/80

Hope this helps

Sara.
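The message-level selection discussed in this thread (keep a query only when its first Question is an XFR type), written out as an added Python example; it is not part of the thread and is not compactor code. The function names and the constructed sample queries are assumptions, and the check covers IXFR as well as AXFR; it also shows why a fixed-offset packet filter is awkward here, since QTYPE sits after the variable-length QNAME.

```python
import struct

XFR_QTYPES = {251: "IXFR", 252: "AXFR"}  # IANA RR type codes

def encode_query(qname, qtype, msg_id=0x1234):
    """Build a minimal DNS query (constructed sample input, hypothetical helper)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split(".") if l)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def first_question_qtype(msg):
    """Return the QTYPE of the first Question, or None if absent or malformed."""
    if len(msg) < 12:
        return None
    _id, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount == 0:
        return None
    pos = 12  # the Question section starts right after the 12-byte header
    # QNAME is a run of length-prefixed labels, so QTYPE has no fixed offset.
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        if length == 0:          # root label terminates the name
            pos += 1
            break
        if length & 0xC0:        # pointer/reserved label type: treat as malformed here
            return None
        pos += 1 + length
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return qtype

def is_xfr_query(msg):
    """True for a query (QR=0, opcode QUERY) whose first Question is AXFR/IXFR."""
    if len(msg) < 12:
        return False
    flags = struct.unpack("!H", msg[2:4])[0]
    is_query = (flags & 0x8000) == 0 and ((flags >> 11) & 0xF) == 0
    return is_query and first_question_qtype(msg) in XFR_QTYPES

def strip_tcp_length(segment):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035, 4.2.2)."""
    if len(segment) < 2:
        return None
    (n,) = struct.unpack("!H", segment[:2])
    return segment[2:2 + n] if len(segment) >= 2 + n else None
```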
participants (2)
- Sara Dickinson
- Thib D