> I would like to hear more about why this is so. We are currently
> debating sending query logs to a remote syslog server to enhance some
> security tools. We are running BIND 9.6.1-P1 with multithreading enabled
> on RHEL 4 (2 dual-core 2.8 GHz Opterons with 1MB cache, 4G of RAM). I
> have run some tests and while there is some queries/sec hit, the RTTs
> are not terrible.

For small query rates it probably won't matter. However, remote syslog could just about double the number of packets transmitted from your name server. For higher query rates, this is likely to be noticeable.

You might want to consider running a packet sniffer (tcpdump, wireshark etc) instead, to capture the DNS queries and answers. Advantages:

- You get both queries and answers
- The actual DNS decoding can be done offline, as needed
- If you mirror the traffic from a switch, the whole process can be completely offloaded from the name server
- The name server isn't forced to do something it wasn't built for

Steinar Haug, Nethelp consulting, sth...@nethelp.no
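
The offline decoding step mentioned above, as an added example that is not part of the original message: a small Python decoder for the DNS wire format (RFC 1035) that extracts questions and answers and rejects truncated or looping input. It assumes the UDP payloads have already been extracted from the capture; the function names and sample bytes are constructed for illustration.

```python
import struct

def read_name(msg, off):
    """Decode the domain name at `off`; return (name, offset just past it)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # compression pointer
            if off + 1 >= len(msg) or hops >= 64:   # cut short, or pointer loop
                raise ValueError("bad compression pointer")
            resume = off + 2 if resume is None else resume
            hops += 1
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:                                # root label ends the name
            return ".".join(labels) or ".", (off + 1 if resume is None else resume)
        elif n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("bad or truncated label")
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
            off += 1 + n

def decode(msg):
    """Decode one DNS message (a UDP payload); raise ValueError if malformed."""
    try:
        ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
        off, questions, answers = 12, [], []
        for _ in range(qd):
            name, off = read_name(msg, off)
            qtype, _qclass = struct.unpack("!2H", msg[off:off + 4])
            questions.append((name, qtype))
            off += 4
        for _ in range(an):
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated rdata")
            off += 10 + rdlen
            answers.append((name, rtype, ttl, rdata))   # rdata kept as raw bytes
    except struct.error as exc:
        raise ValueError("truncated message") from exc
    return {"id": ident, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

# Constructed samples: a query for www.example.com (type A) and its response.
QUERY = b"\x1a\x2b\x01\x00\x00\x01" + bytes(6) + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
RESPONSE = (b"\x1a\x2b\x81\x80\x00\x01\x00\x01" + bytes(4) + QUERY[12:] +
            b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")
```

Matching the `id` and question of each query against its response gives the query/answer pairing that query logging alone does not provide.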