Feature Request: Log Client IP/Hostname for Locally-Resolved DNS Queries in dnsmasq #1919
Description
Is your feature request related to a problem?
I would like to request the addition of a feature in dnsmasq that enables logging or identification of the specific client (e.g., IP address or hostname) making DNS requests to blocked or locally-resolved domains. Currently, logs such as “using only locally-known addresses for [domain]” provide no visibility into which device initiated the query, which makes it challenging to investigate suspicious or potentially malicious activity, such as repeated requests for domains like zzux.com or zzylos.ddns.net. This enhancement would significantly improve network security monitoring and forensic analysis by allowing administrators to trace DNS queries back to their source.
Describe the solution you'd like
I would like dnsmasq to include the IP address or hostname of the client that makes each DNS request in the log entries—especially when a domain is resolved using only locally-known addresses. This would help identify which device is querying suspicious or unwanted domains, improving network visibility and security monitoring.
Describe alternatives you've considered
I attempted to identify the offending client using Wireshark, but was unable to determine the source due to the volume and nature of the DNS traffic.
Additional context
Add any other context or screenshots about the feature request here.