On 7/22/2017, 7:33 AM, Mick Lee <lmick5...@gmail.com> wrote:
Hi Guys,

Can anyone offer any advice based on their experience?

Thanks
Mick

On 19 Jul 2017 2:16 p.m., "Mick Lee" <lmick5...@gmail.com> wrote:

Hi All,

I wonder if I could get some advice and guidance based on everyone's experience.

I have a mix of pre-compiled versions of BIND on Linux (can't change or recompile, I'm afraid) and Windows DNS, and I have a need to log DNS queries from about 100 or so of these types of servers, to identify queries to specific domains, and to be able to go back through and search for queries to domains which we now know to be bad.

I am currently using query logging on Linux, and syslog to move the data around, and simple regex matching to look for domains, but I need to get the data from Windows servers and the current tooling is not performant/scalable.

I could just enable Windows DNS logging and try to get the files from the servers somehow, but from what I remember there are issues around log file rotation and the potential for data loss there. One of my colleagues suggested sending the DNS queries to the Windows event log, but I am not sure I can even do that, and I am worried about the impact too - there are approx. 10,000 DNS qps across all servers in total.

Should I be looking at some off-the-shelf software (although I don't have a lot of budget), what would even do this, or is there some open source tool that would do the job (I have some scripting ability) - I'm quite open to any ideas?

Any advice or guidance anyone can offer would be greatly appreciated. (I know each environment is different, so apologies if I have left any important detail out; please point this out if so and I will try to fill in the gaps.)

Many Thanks
Mick
The last time I looked at MS Windows DNS logging (6 years ago), it was not useful. I could specify the max size of the log, and when that max size was reached, the log file was cleared, and a new log file started. I was logging everything, and the 50Mb log file filled up about every 1.5 days. So, frequently the log file was cleared in the middle of the night, erasing what evidence I wanted to preserve. I remember asking MS to implement a real syslog facility where old log files would be saved. I have no idea if MS ever implemented better DNS logging.

--Barry Finkel

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
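The BIND-side matching step Mick describes (query log shipped over syslog, lookups for specific domains, and a retrospective search once a domain is known to be bad), as an added example that is not from the thread: it parses BIND 9 query-log lines and matches the queried name against a blocklist on label boundaries, so sub-domains of a listed domain hit while look-alike names such as notevil.example do not. The log lines, addresses and domain names are constructed placeholders.

```python
import re
from typing import Iterable, List, Tuple

# Matches the "query:" record BIND 9 writes to its query log; the "@0x..." client
# pointer only appears in newer versions, so it is optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.Example.' equals 'evil.example'."""
    return name.rstrip(".").lower()

def build_blocklist(domains: Iterable[str]) -> set:
    """Normalize a list of bad domains into a set for O(1) lookups."""
    return {normalize(d) for d in domains if d.strip()}

def is_blocked(qname: str, blocklist: set) -> bool:
    """True if the name or any parent domain of it is listed (suffix match on
    label boundaries only, so 'notevil.example' never matches 'evil.example')."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def find_hits(lines: Iterable[str], blocklist: set) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, qtype) for every query-log line that hits the list."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m and is_blocked(m.group("qname"), blocklist):
            hits.append((m.group("ip"), normalize(m.group("qname")), m.group("qtype")))
    return hits

# Constructed sample query-log lines (placeholder addresses and names, not real data).
SAMPLE_LOG = """\
19-Jul-2017 14:16:01.101 queries: info: client 10.0.0.5#53211 (www.example.com): query: www.example.com IN A +E (10.0.0.1)
19-Jul-2017 14:16:02.202 queries: info: client 10.0.0.6#40001 (cdn.evil.example): query: cdn.evil.example IN A + (10.0.0.1)
19-Jul-2017 14:16:03.303 queries: info: client @0x7f3a1c2b 10.0.0.7#51000 (notevil.example): query: notevil.example IN AAAA +E(0)K (10.0.0.1)
19-Jul-2017 14:16:04.404 queries: info: client 10.0.0.8#60123 (Evil.Example.): query: Evil.Example. IN TXT + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    # A newly learned bad domain can be run over archived logs the same way.
    for ip, name, qtype in find_hits(SAMPLE_LOG, build_blocklist(["evil.example"])):
        print(f"{ip} queried {name} ({qtype})")
```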