[dns-operations] Question regarding DNS query logging

John Kristoff jtk at cymru.com
Mon Mar 14 20:21:40 UTC 2011


On Mon, 14 Mar 2011 14:41:55 -0500
Michael Skurka <Michael.Skurka at LCRA.ORG> wrote:

> I'm an Information Security Analyst for an energy company here in
> central Texas.  To date, we've not logged any of our DNS queries.
> We're interested in "opening the fire hose" to do some analysis
> (pretty graphs for management and looking for potential threats, i.e.
> malware trying to "phone home").

Great.  You'll find query logs to be a great first step toward better
understanding what is normal in your network. You'll also likely find
a few oddities you'll be glad you did, but wouldn't likely have found
before.

I have a really hacky named-report.pl script here that I think still
works for current BIND query logs.  It might at least give you that
initial high-level view you've been missing:

  <http://www.cymru.com/jtk/code/named-report.pl>

Warning, I haven't used it seriously since at least 2007.

> We have about 2500 internal workstations and servers that hit our
[...]
> Does anyone in a similar sized company have any estimates (a rough
> ballpark is fine) how much data we'd be looking at collecting on a
> weekly or monthly basis?

This should be very easily manageable with today's technology.  As a
data point, about 6 years ago I was taking remote logs from one of two
primary name servers at a major educational institution.  These servers
at the time were both authoritative and recursive.  Functionality
has since split for reasons unrelated to logging.

I was seeing about 250 queries per second.  The DNS servers
were Sun boxes, the model I've since forgotten.  They were using the
stock syslog daemon to send logs to a collector.  On the Sun boxes the
CPU would regularly run into the double digits, but in my experience,
a more modern syslog such as syslog-ng tends to run the CPU less hot
unless maybe you start using TCP or crypto.

The collector was running syslog-ng on a pretty beefy box, mainly for
disk storage and also to run various summary and analysis scripts.  It
was a Dell 2U something with a couple of cpus, a few gigs of memory and
a few hundred gigs of disk.  I kept logs for at least 30 days and the
box was collecting logs for a lot of other systems besides those
providing DNS service.

John
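The kind of first-pass summary the named-report.pl script gives (top names, top clients, query types) plus the volume arithmetic behind the sizing question, as an added Python example that is not part of this post or of John's script. The sample log lines and 10.x addresses are constructed, and the regex assumes the BIND 9 querylog line layout, with the "queries: info:" prefix, "@0x..." client pointer and parenthesised qname treated as optional because they differ between BIND versions.

```python
import re
from collections import Counter
from datetime import datetime

# BIND 9 querylog line; the "queries: info:" prefix, "@0x..." client pointer
# and "(qname)" after the port are optional because BIND versions differ.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ (?:queries: info: )?"
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+)")
# Constructed sample lines (not real traffic); 10.x addresses are hypothetical.
SAMPLE_LOG = """\
14-Mar-2011 20:21:40.101 client 10.1.2.3#51234: query: www.example.com IN A + (10.0.0.53)
14-Mar-2011 20:21:40.310 client 10.1.2.4#40001: query: mail.example.com IN MX + (10.0.0.53)
14-Mar-2011 20:21:41.002 queries: info: client @0x7f3a1c003e60 10.1.2.9#55555 (update.example.net): query: update.example.net IN A +E(0)K (10.0.0.53)
14-Mar-2011 20:21:41.500 client 10.1.2.9#55556: query: a1b2c3d4e5f6a7b8.example.test IN A + (10.0.0.53)
14-Mar-2011 20:21:42.000 client 10.1.2.9#55557: query: b2c3d4e5f6a7b8c9.example.test IN TXT + (10.0.0.53)
14-Mar-2011 20:21:42.120 client 10.1.2.4#40002: query: www.example.com IN A + (10.0.0.53)
"""

def parse_querylog(text):
    """Yield one dict per parseable query line; anything else is skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S")
            rec["qname"] = rec["qname"].rstrip(".").lower()
            rec["bytes"] = len(line) + 1  # include the newline for volume math
            yield rec

def estimate_daily_bytes(qps, mean_line_bytes):
    """Raw querylog volume per day at a given rate and mean line length."""
    return qps * mean_line_bytes * 86400

def long_first_label(recs, min_len=16):
    """Names with an unusually long leftmost label: a cheap first-pass filter, not a verdict."""
    return sorted({r["qname"] for r in recs if len(r["qname"].split(".")[0]) >= min_len})

def summarize(text, top=5):
    recs = list(parse_querylog(text))  # text must hold at least one query line
    span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() or 1.0
    mean_bytes = sum(r["bytes"] for r in recs) / len(recs)
    return {"queries": len(recs), "qps": len(recs) / span,
            "bytes_per_day": estimate_daily_bytes(len(recs) / span, mean_bytes),
            "top_qnames": Counter(r["qname"] for r in recs).most_common(top),
            "top_clients": Counter(r["client"] for r in recs).most_common(top),
            "top_qtypes": Counter(r["qtype"] for r in recs).most_common(top),
            "long_labels": long_first_label(recs)}
```

At the 250 qps data point above and roughly 100 bytes per line, `estimate_daily_bytes(250, 100)` comes to about 2.2 GB of raw text per day before compression.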
