[dns-operations] Access to DNS-Logs
John Kristoff
jtk at cymru.com
Tue Jul 14 21:36:34 UTC 2009
On Tue, 14 Jul 2009 22:59:27 +0200
Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
Hi Stephane, a couple of additional thoughts to your experience...
> Be careful: in a pcap file, you have the complete data but, in the
> name server log, you have only a small part of it. So, when converting
Indeed, and as far as I know most if not all implementations that log
will only log the query, not the answer, so you get at most half the
picture. Depending on what you're doing, having the query, the answer
or both will be important.
> Pros for built-in logging:
> * [Unix] do not need to be root to capture data.
> * Parsing the data can often be done with a simple PPR script
The name server process presumably has also gone through the trouble of
ensuring what is logged is well formed, otherwise it'll log an error.
Unless you have a good library, you have to interpret and rebuild much
of this from a pcap, sometimes in pieces if a message spans multiple
packets, which can be daunting for the weekend coder.
John
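The two points in the thread, that a server query log carries only the question side while a capture holds the whole message, and that reading the message back out of packets means rebuilding it yourself, including across TCP segments, can be seen side by side in the following added example. It is not code from the post or from any name server; the log line is constructed in a BIND-like shape, the DNS message is built in memory rather than read from a pcap, and all function names are my own.

```python
import re
import struct

# Constructed query-log line in a BIND-like shape (not taken from the post or a real server).
QUERY_LOG_LINE = ("14-Jul-2009 21:36:34.123 client 192.0.2.10#53001: "
                  "query: www.example.com IN A + (192.0.2.1)")

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: "
                    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")


def parse_query_log(line):
    """Pull the fields a query log gives you: client, qname, qclass, qtype. No answer data exists here."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"client": m.group("client"), "qname": m.group("qname"),
            "qtype": m.group("qtype"), "answers": None}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the terminating zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(txid, qname, addr):
    """Constructed DNS response: one question, one A answer whose owner name is a compression pointer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1, qd=1, an=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # type A, class IN
    answer = (b"\xc0\x0c"                                        # pointer to offset 12 (question name)
              + struct.pack("!HHIH", 1, 1, 300, 4)                # A, IN, TTL 300, rdlength 4
              + bytes(int(o) for o in addr.split(".")))
    return header + question + answer


def read_name(msg, offset, max_hops=32):
    """Decode a possibly compressed name; returns (name, offset just past the name in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                                # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg):
    """Parse header, question and answer sections; this is what a pcap gives you that a log does not."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = read_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def split_tcp_stream(chunks):
    """Reassemble DNS-over-TCP messages (2-byte length prefix) from segment payloads split at arbitrary points."""
    buf, messages = b"", []
    for chunk in chunks:
        buf += chunk
        while len(buf) >= 2:
            mlen = struct.unpack("!H", buf[:2])[0]
            if len(buf) < 2 + mlen:
                break                                            # wait for the rest of this message
            messages.append(buf[2:2 + mlen])
            buf = buf[2 + mlen:]
    return messages


if __name__ == "__main__":
    print(parse_query_log(QUERY_LOG_LINE))
    print(parse_message(build_response(0x1234, "www.example.com", "192.0.2.80")))
```

Running it shows the asymmetry directly: the log parser returns a client and question but `answers` is `None`, while the message parser returns the same question together with the A record, and `split_tcp_stream` is the extra step you owe yourself when the capture carries TCP and one message arrives in several segments.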