[dns-operations] Access to DNS-Logs
Stephane Bortzmeyer
bortzmeyer at nic.fr
Tue Jul 14 20:59:27 UTC 2009
On Mon, Jul 13, 2009 at 07:21:04PM +0200,
Enno Lenze <lenze at et.rub.de> wrote
a message of 24 lines which said:
> So no matter if the admin is pcapping his nameserver, or has turned
> on logs for his Bind/Powerdns/etc. he will be able to use the tool.
Be careful: in a pcap file, you have the complete data but, in the
name server log, you have only a small part of it. So, when converting
it to a database, a lot of columns will be NULL. This means that any
application using the data will have to live with the fact that many
fields are missing.
> Surely I would first have to check the pros/cons of using the pcapping
> solution over using the built-in logging.
Pros for built-in logging:
* [Unix] do not need to be root to capture data.
* Parsing the data can often be done with a simple PPR script
Cons for built-in logging:
* Slows down the name server. Also, the capture is done on the name
server itself (with pcap, another host can do the capture, with
Ethernet port mirroring)
* Output is software dependent so switching from BIND to NSD will be
problematic
* Only some fields of the packet are logged
Pros and cons for pcapping are the opposite.
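Added example, not part of the message above: a small Python script that shows the "many columns will be NULL" point concretely. It normalises one query from each source into the same schema: a BIND-style query log line, and a raw DNS message as a pcap capture would hand it over. The log line format and the packet bytes are constructed for the example (the flag letters follow BIND's documented query-log convention: `+`/`-` for RD, `E` for EDNS, `D` for the DO bit); the `missing_columns` helper is what a consumer of the database would run to learn which fields it must tolerate as NULL.

```python
"""Normalise DNS queries from a name-server log line and from a raw packet
(what pcap gives you) into one schema. All sample inputs are constructed."""
import re
import struct
from typing import Optional

# Shared column set. A source that cannot supply a value leaves None (NULL in SQL).
SCHEMA = ("source", "client_ip", "client_port", "qname", "qclass", "qtype",
          "recursion_desired", "edns", "dnssec_ok", "txid", "edns_udp_size")

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}

# Constructed line modelled on the BIND 9 "queries" log category (assumption:
# the flags field uses BIND's letters: '+'/'-' RD, 'E' EDNS, 'D' DO bit).
SAMPLE_LOG = ("14-Jul-2009 20:59:27.123 client 192.0.2.10#53000: query: "
              "www.example.com IN AAAA +ED (198.51.100.1)")

LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
                    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)")

def from_bind_log(line: str) -> Optional[dict]:
    """Log path: only what the server chose to print is available."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flags = m.group("flags")
    rec = dict.fromkeys(SCHEMA)          # every column starts as None
    rec.update(source="log", client_ip=m.group("ip"),
               client_port=int(m.group("port")),
               qname=m.group("qname").rstrip(".").lower(),
               qclass=m.group("qclass"), qtype=m.group("qtype"),
               recursion_desired=flags.startswith("+"),
               edns="E" in flags, dnssec_ok="D" in flags)
    return rec                            # txid and edns_udp_size stay None

# Constructed DNS query: id 0x1a2b, RD set, one question (www.example.com AAAA),
# one OPT RR advertising a 4096-byte UDP payload with the DO bit set.
SAMPLE_PACKET = bytes.fromhex(
    "1a2b 0100 0001 0000 0000 0001"
    "03 777777 07 6578616d706c65 03 636f6d 00 001c 0001"
    "00 0029 1000 00008000 0000")

def read_name(data: bytes, off: int):
    """Decode an uncompressed name; returns (name, offset after it)."""
    labels = []
    while True:
        ln = data[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in question")
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower(), off

def skip_name(data: bytes, off: int) -> int:
    """Advance past a name that may end in a compression pointer (RFC 1035 4.1.4)."""
    while True:
        ln = data[off]
        if ln & 0xC0:
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def from_packet(client_ip: str, client_port: int, payload: bytes) -> Optional[dict]:
    """pcap path: the whole wire message is available."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if qd != 1:
        return None
    qname, off = read_name(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    off += 4
    rec = dict.fromkeys(SCHEMA)
    rec.update(source="pcap", client_ip=client_ip, client_port=client_port,
               qname=qname, qclass="IN" if qclass == 1 else str(qclass),
               qtype=QTYPES.get(qtype, str(qtype)), txid=txid,
               recursion_desired=bool(flags & 0x0100), edns=False, dnssec_ok=False)
    for _ in range(an + ns + ar):          # walk remaining RRs looking for OPT
        off = skip_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                    # OPT pseudo-RR (RFC 6891)
            rec.update(edns=True, edns_udp_size=rclass,
                       dnssec_ok=bool(ttl & 0x8000))   # DO = top bit of TTL field
    return rec

def missing_columns(rec: dict) -> list:
    """What a downstream consumer must be prepared to find NULL."""
    return [k for k in SCHEMA if rec[k] is None]

if __name__ == "__main__":
    for r in (from_bind_log(SAMPLE_LOG),
              from_packet("192.0.2.10", 53000, SAMPLE_PACKET)):
        print(r["source"], r["qname"], r["qtype"], "missing:", missing_columns(r))
```

Run as-is: the log record comes back with `txid` and `edns_udp_size` as None, the packet record with every column filled. Loading both into the same table is exactly the situation described above, and any query or detection rule written against that table has to treat those columns as optional.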