[dns-operations] Access to DNS-Logs

John Kristoff jtk at cymru.com
Tue Jul 14 21:36:34 UTC 2009

On Tue, 14 Jul 2009 22:59:27 +0200
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:

Hi Stephane, couple additional thoughts to your experience...

> Be careful: in a pcap file, you have the complete data but, in the
> name server log, you have only a small part of it. So, when converting

Indeed and as far as I know most if not all implementations that log
will only log the query, not the answer, so you get at most half the
picture.  Depending on what you're doing, having the query, the answer
or both will be important.

> Pros for built-in logging: 
>  * [Unix] do not need to be root to capture data.
>  * Parsing the data can often be done with a simple PPR script

The name server process presumably has also gone through the trouble of
ensuring what is logged is well formed, otherwise it'll log an error.
Unless you have a good library, you have to interpret and rebuild much
of this from a pcap, sometimes in pieces if a message spans multiple
packets, which can be daunting for the weekend coder.


More information about the dns-operations mailing list