On 11/18/2010 1:36 PM, CT wrote:
I am looking for a best practices for dns query logging

Versions in use on Linux...
- BIND 9.7.1-P2
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2


The minimum logging statement in my test named.conf (BIND 9.7.1-P2):

logging
{
        category lame-servers   { null; };
        category resolver       { null; };
};

which I have tested still allows the DNS (default)
to log to /var/log/messages

--
default     The default category defines the logging options for
        those categories where no specific configuration has
        been defined.

--
   I have also been made aware that query logging can give a machine up
   to a 30% performance hit, but with today's machines it is mostly
   negligible.

   My question is:
   Do folks normally use query logging as a forensic tool, or are most
   BIND installations done without logging any queries?

   The powers that be seem to think the performance hit outweighs any
   forensic benefit...


That's pretty short-sighted, IMO. Query logging allows one to find misbehaving or misconfigured apps/servers/clients, active worms, etc. By identifying those bad actors and correcting them, you reduce your query volumes, usually much more than 30%. So, at the end of the day, what benefit is there, really, in flying blind about one's query traffic?

Needless to say, we log all queries here. We even have a subsystem that collects summaries of those query statistics from all of our remote nameservers into a central repository for further mining/analysis.

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
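The two technical points in this exchange, CT's minimal logging stanza and Kevin's practice of summarising query logs to spot misbehaving clients, are illustrated together below. This is an added example, not code from the thread, from ISC or from either poster. The logging stanza (kept as a string so the script documents what it expects) is an assumed completion of CT's configuration, not CT's own; the log file path, the sample log lines (constructed in the BIND 9.7 query-log format) and the flagging thresholds are all assumptions.

```python
"""
Summarise BIND query-log lines per client and flag the noisy ones.

Added example for this thread, not code from the list or from ISC.  The
log lines are constructed in the BIND 9.7 query-log format; the
thresholds are arbitrary starting points.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed logging stanza that produces the lines parsed below.  It is what
# CT's minimal configuration lacks: a dedicated, size-rotated file for the
# "queries" category.  Configuring that category starts query logging at
# startup; "rndc querylog" toggles it at run time.
NAMED_CONF_LOGGING = r"""
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 10 size 50m;
        severity info;
        print-time yes;
    };
    category queries      { query_log; };
    category lame-servers { null; };
};
"""

# One query-log line per query: optional timestamp (print-time yes),
# optional category/severity prefixes, client address#port, optional view,
# then qname, class, type, flags and the local address the query arrived on.
QUERY_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"(?:queries: )?(?:info: )?"
    r"client (?P<client>[^#\s]+)#(?P<port>\d+):"
    r"(?: view (?P<view>[^:\s]+):)? query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r" \((?P<local>[^)]+)\)$"
)


def parse_line(line):
    """Return a dict for a query line, or None for any other log line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    if rec["ts"]:
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    # Flags: "+" or "-" for recursion desired, then S/E/T/D/C for signed,
    # EDNS, TCP, DO bit and CD bit.
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["tcp"] = "T" in rec["flags"][1:]
    return rec


def summarise(lines, share_threshold=0.5, repeat_threshold=20):
    """Count queries per client, name and type, and flag clients that issue
    a large share of all queries or hammer one name (the misbehaving
    clients Kevin's reply mentions).  Thresholds are assumptions."""
    per_client, per_qname, per_qtype = Counter(), Counter(), Counter()
    names_per_client = defaultdict(Counter)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        qname = rec["qname"].lower()
        per_client[rec["client"]] += 1
        names_per_client[rec["client"]][qname] += 1
        per_qname[qname] += 1
        per_qtype[rec["qtype"]] += 1

    total = sum(per_client.values())
    suspects = []
    for client, n in per_client.most_common():
        top_name, top_count = names_per_client[client].most_common(1)[0]
        share = n / total
        if share >= share_threshold or top_count >= repeat_threshold:
            suspects.append({"client": client, "queries": n,
                             "share": round(share, 3),
                             "top_name": top_name, "top_name_count": top_count})
    return {"total": total, "unparsed": unparsed, "clients": per_client,
            "top_names": per_qname.most_common(5), "qtypes": per_qtype,
            "suspects": suspects}


# Constructed sample: a few ordinary queries, one non-query log line, and a
# client that re-resolves the same name every second.
SAMPLE_LOG = [
    "18-Nov-2010 13:36:01.101 client 192.0.2.10#51234: query: www.example.com IN A + (198.51.100.53)",
    "18-Nov-2010 13:36:01.205 client 192.0.2.10#51235: query: www.example.com IN AAAA +E (198.51.100.53)",
    "18-Nov-2010 13:36:02.010 client 192.0.2.11#40001: view internal: query: mail.example.com IN MX + (198.51.100.53)",
    "18-Nov-2010 13:36:02.777 client 2001:db8::1#53000: query: 53.100.51.198.in-addr.arpa IN PTR - (198.51.100.53)",
    "18-Nov-2010 13:36:03.000 zone example.com/IN: sending notifies (serial 2010111801)",
]
SAMPLE_LOG += [
    "18-Nov-2010 13:36:%02d.000 client 192.0.2.77#1024: query: ntp.example.net IN A + (198.51.100.53)" % s
    for s in range(40)
]

if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("queries: %d  unparsed lines: %d" % (report["total"], report["unparsed"]))
    for client, n in report["clients"].most_common():
        print("  %-20s %5d" % (client, n))
    for s in report["suspects"]:
        print("suspect {client}: {queries} queries ({share:.1%} of total), "
              "{top_name_count} for {top_name}".format(**s))
```

Run against a real query.log (for example `summarise(open("/var/log/named/query.log"))`), the per-client table is the part worth shipping to a central store, as Kevin describes; the suspect list is where a client with no local cache, a looping application or worm-style lookups shows up, and fixing those is what brings the query volume back down.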
