[dns-operations] Access to DNS-Logs

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Jul 14 20:59:27 UTC 2009

On Mon, Jul 13, 2009 at 07:21:04PM +0200,
 Enno Lenze <lenze at et.rub.de> wrote 
 a message of 24 lines which said:

> So no matter if the admin is pcapping his nameserver, or has turned
> on logs for his Bind/Powerdns/etc. he will be able to use the tool.

Be careful: in a pcap file, you have the complete data but, in the
name server log, you have only a small part of it. So, when converting
it to a database, a lot of columns will be NULL. This means that any
application using the data will have to live with the fact that many
fields are missing.

> Surely I would first have to check the pros/cons of using the pcapping
> solution over using the built-in logging.

Pros for built-in logging: 
 * [Unix] do not need to be root to capture data.
 * Parsing the data can often be done with a simple PPR script

Cons for built-in logging:
 * Slows down the name server. Also, the capture is done on the name
 server itself (with pcap, another host can do the capture, with
 Ethernet port mirroring)
 * Output is software dependant so switching from BIND to NSD will be
 * Only some fields of the packet are logged 

Pros and cons for pcapping are the opposite.

More information about the dns-operations mailing list