On 11/18/2010 12:19 PM, Kevin Darcy wrote:
On 11/18/2010 1:36 PM, CT wrote:
I am looking for best practices for DNS query logging.

Versions in use on Linux...
- BIND 9.7.1-P2
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2


The minimum logging statement in my test named.conf (bind 9.7.1-P2)

logging
{
category lame-servers { null; };
category resolver { null; };
};

which I have tested still allows the dns (default)
to log to /var/log/messages

--
default The default category defines the logging options for
those categories where no specific configuration has
been defined.

--
I have also been made aware that query logging can give a machine up
to a 30% performance hit, but also that with today's machines it is mostly
negligible.

My question is:
Do folks normally use query logging as a forensic tool, or are most
BIND installations done without logging any queries?

The powers that be seem to think the performance hit outweighs any
forensic benefit...


That's pretty short-sighted, IMO. Query logging allows one to find
misbehaving or misconfigured apps/servers/clients, active worms, etc. By
identifying those bad actors and correcting them, you reduce your query
volumes, usually much more than 30%. So, at the end of the day, what
benefit is there, really, in flying blind about one's query traffic?

Needless to say, we log all queries here. We even have a subsystem that
collects summaries of those query statistics from all of our remote
nameservers into a central repository for further mining/analysis.


Query logging also undermines the privacy of your users. There may even be applicable state and federal laws regulating the storage of information that can link users to sites they've visited.

--
Russell A Jackson <r...@csub.edu>
Network Analyst
California State University, Bakersfield
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
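Added example (not from anyone in this thread): a small summarizer for BIND 9 query-log lines that does the two things the replies above argue about. It produces the per-client and per-qtype summaries Kevin describes, flagging the outlier clients (worms, looping resolvers, misconfigured apps) that query logs exist to surface, and it can pseudonymize client addresses with a keyed hash so the stored summary no longer links a user to the names they looked up, which is the concern Russell raises. It assumes the line format BIND 9 writes for the queries category, i.e. `client A.B.C.D#port: query: name class type flags`, with the trailing `(server-address)` that 9.7 appends and the optional `view <name>:` field; to get those lines at all the logging statement needs a channel assigned to `category queries`, since the default category alone sends them to syslog along with everything else (and `rndc querylog` toggles them at runtime). The sample log lines and the HMAC key are constructed for the example.

```python
"""Summarize BIND 9 query-log lines (forensic use) with optional keyed
pseudonymization of client addresses (privacy). Added example; the log
lines below are constructed, not real traffic."""
import hashlib
import hmac
import re
from collections import Counter, defaultdict

# BIND 9 "queries" category line. 9.3 emits
#   client 192.0.2.10#53211: query: www.example.com IN A +
# and 9.7 appends the address the query arrived on: "... + (192.0.2.1)".
# With views a "view <name>: " field precedes "query:". The timestamp
# prefix is whatever print-time or syslog puts in front, so we search.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?query: "
    r"(?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: one normal client, one client hammering the resolver
# with random-looking labels, one lame-server line that is not a query.
SAMPLE_LOG = """\
18-Nov-2010 13:40:01.123 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
18-Nov-2010 13:40:01.456 client 192.0.2.10#53212: query: mail.example.com IN MX + (192.0.2.1)
18-Nov-2010 13:40:02.001 client 192.0.2.77#1025: query: a1b2c3.example.net IN A +
18-Nov-2010 13:40:02.002 client 192.0.2.77#1026: query: d4e5f6.example.net IN A +
18-Nov-2010 13:40:02.003 client 192.0.2.77#1027: query: g7h8i9.example.net IN A +
18-Nov-2010 13:40:02.004 client 192.0.2.77#1028: query: j0k1l2.example.net IN A +
18-Nov-2010 13:40:02.005 client 192.0.2.77#1029: query: m3n4o5.example.net IN A +
18-Nov-2010 13:40:02.006 client 192.0.2.77#1030: query: p6q7r8.example.net IN A +
18-Nov-2010 13:40:02.500 lame server resolving 'example.org' (in 'example.org'?): 198.51.100.5#53
18-Nov-2010 13:40:03.000 client 192.0.2.20#40000: view internal: query: www.example.com IN AAAA +E (192.0.2.1)
"""


def parse_query_log(text):
    """Return one dict per query line; lines that are not queries are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def pseudonymize(client, key):
    """Keyed hash of a client address (HMAC-SHA256, truncated). Stable while
    the key is kept, so per-client counts still work, but the stored summary
    no longer names the user; destroy or rotate the key to unlink it."""
    return hmac.new(key, client.encode(), hashlib.sha256).hexdigest()[:12]


def summarize(records, key=None, flag_threshold=5):
    """Per-client and per-qtype counts, distinct names per client, and the
    clients at or above flag_threshold queries (the outliers worth a look)."""
    by_client = Counter()
    by_qtype = Counter()
    names = defaultdict(set)
    for r in records:
        who = pseudonymize(r["client"], key) if key else r["client"]
        by_client[who] += 1
        by_qtype[r["qtype"].upper()] += 1
        names[who].add(r["name"].lower())
    flagged = [c for c, n in by_client.most_common() if n >= flag_threshold]
    return {
        "total": len(records),
        "by_client": by_client,
        "by_qtype": by_qtype,
        "distinct_names": {c: len(s) for c, s in names.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    # Constructed key: in practice keep it out of the log archive itself.
    report = summarize(parse_query_log(SAMPLE_LOG), key=b"rotate-me-weekly")
    print("queries:", report["total"], "by type:", dict(report["by_qtype"]))
    for client, n in report["by_client"].most_common():
        print(f"  {client}: {n} queries, {report['distinct_names'][client]} distinct names")
    print("flagged:", report["flagged"])
```

Run it against a real `queries` channel file with the pseudonymization key kept separate from the archived summaries; a high query count with a high distinct-name count per client (the 192.0.2.77 pattern in the sample) is the signature of random-subdomain generation or a resolver loop, while a high count against few names usually points at an application retrying without a cache.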
