[dns-operations] Question regarding DNS query logging
Craig Leres
leres at ee.lbl.gov
Mon Mar 14 22:16:45 UTC 2011
On 3/14/2011 3:41 PM, Michael Skurka wrote:
> I'm an Information Security Analyst for an energy company here
> in central Texas. To date, we've not logged any of our DNS queries.
> We're interested in "opening the fire hose" to do some analysis (pretty
> graphs for management and looking for potential threats, i.e. malware
> trying to "phone home").
>
> We have about 2500 internal workstations and servers that hit our
> internal DNS servers. Our external-facing DNS is done off-site and we
> aren't concerned with them at the moment.
>
> Does anyone in a similar sized company have any estimates (a rough
> ballpark is fine) how much data we'd be looking at collecting on a weekly
> or monthly basis?
We have three main internal servers that handle internal recursive
requests as well as internal/external authoritative requests. We use a
central syslog box and syslog-ng to forward queries only to it; I asked
what our current stats look like:
From a random average day sample:
6.0G per day raw, gzipped to 600M.
48,387,516 queries
8,856 unique internal clients
189,424 unique clients
Craig
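As an added example (not code from Craig's post, from his servers, or from anyone else on the list), the script below shows how to produce the same kind of figures Craig quotes from your own sample of a BIND 9 query log forwarded over syslog, and how to scale his per-site numbers to a site of a given size. It assumes the BIND 9 "queries" log line format (the classic `client A.B.C.D#port: query: name IN type flags (server)` form and the later form that adds a client pointer and repeats the qname); the syslog-prefixed log lines are constructed for the example, the internal prefixes are assumed to be the RFC 1918 ranges, the 10:1 gzip ratio is read off Craig's 6.0G-to-600M figure, and "6.0G" is taken as 6.0e9 bytes.

```python
"""Size a DNS query-log feed from a sample of BIND 9 query-log lines.

Added example; not code from the dns-operations list or from the
servers described in the thread. Assumptions are marked in comments.
"""
import ipaddress
import re
from collections import Counter

# BIND 9 "queries" category line, both the classic form
#   client 10.1.2.3#51234: query: www.example.com IN A + (10.1.0.5)
# and the later form with a client pointer and the qname repeated
#   client @0x7f3c 10.1.2.3#51236 (cdn.example.net): query: cdn.example.net IN A +E(0)K (10.1.0.5)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^)\s]+)\)"
)

# Assumed internal address space (RFC 1918); replace with the site's own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample of syslog-forwarded lines (the date/host/pid prefix is syslog's).
# Covers both line forms, internal and external clients, and one non-query message.
SAMPLE_LOG = """\
Mar 14 10:00:01 ns1 named[1234]: client 10.1.2.3#51234: query: www.example.com IN A + (10.1.0.5)
Mar 14 10:00:01 ns1 named[1234]: client 10.1.2.3#51235: query: www.example.com IN AAAA + (10.1.0.5)
Mar 14 10:00:02 ns1 named[1234]: client 10.1.7.9#40001: query: mail.example.com IN MX + (10.1.0.5)
Mar 14 10:00:02 ns1 named[1234]: client 192.0.2.44#33020: query: example.com IN A - (203.0.113.5)
Mar 14 10:00:03 ns1 named[1234]: client @0x7f3c 10.1.2.3#51236 (cdn.example.net): query: cdn.example.net IN A +E(0)K (10.1.0.5)
Mar 14 10:00:03 ns1 named[1234]: client 198.51.100.7#12345: query: example.com IN NS - (203.0.113.5)
Mar 14 10:00:04 ns1 named[1234]: zone example.com/IN: sending notifies (serial 2011031401)
"""


def parse_query_line(line):
    """Return the fields of a query line, or None for any other named message."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {"client": m["ip"], "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"], "server": m["server"]}


def is_internal(addr, nets=INTERNAL_NETS):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def summarize(text, nets=INTERNAL_NETS):
    """Counts for one sample: query lines, the bytes they occupy, unique clients, query types."""
    queries = raw_bytes = 0
    clients, internal = set(), set()
    qtypes, top_talkers = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue  # a "queries only" syslog-ng feed would not carry this line
        queries += 1
        raw_bytes += len(line.encode("utf-8")) + 1  # +1 for the newline stored on disk
        clients.add(rec["client"])
        if is_internal(rec["client"], nets):
            internal.add(rec["client"])
        qtypes[rec["qtype"]] += 1
        top_talkers[rec["client"]] += 1
    return {"queries": queries, "raw_bytes": raw_bytes,
            "unique_clients": len(clients), "internal_clients": len(internal),
            "qtypes": dict(qtypes), "top_talkers": top_talkers.most_common(5)}


def project(stats, sample_seconds, days=30, gzip_ratio=10.0):
    """Extrapolate a sample window to a day and to a retention period.

    gzip_ratio=10 is the 6.0G -> 600M ratio from the post (assumed); measure your own.
    """
    scale = 86400 / sample_seconds
    raw_day = stats["raw_bytes"] * scale
    return {"queries_per_day": round(stats["queries"] * scale),
            "raw_bytes_per_day": round(raw_day),
            "raw_bytes_per_period": round(raw_day * days),
            "gzip_bytes_per_period": round(raw_day * days / gzip_ratio)}


def estimate_from_reference(target_clients, ref_queries_per_day, ref_clients,
                            ref_raw_bytes_per_day, days=30, gzip_ratio=10.0):
    """Scale another site's published daily figures to your own client count,
    assuming queries per client per day and bytes per query carry over."""
    qpd = ref_queries_per_day / ref_clients * target_clients
    raw_day = ref_raw_bytes_per_day / ref_clients * target_clients
    return {"queries_per_day": round(qpd),
            "raw_bytes_per_day": round(raw_day),
            "raw_bytes_per_period": round(raw_day * days),
            "gzip_bytes_per_period": round(raw_day * days / gzip_ratio)}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print(project(s, sample_seconds=4))  # the sample spans 10:00:01 to 10:00:04
    # The post's figures (48,387,516 queries, 8,856 internal clients, 6.0G raw per day)
    # scaled to the 2,500-host site in the question; "6.0G" read as 6.0e9 bytes (assumption).
    print(estimate_from_reference(2500, 48_387_516, 8_856, 6.0e9))
```

Run it against a few hours of your own forwarded log instead of `SAMPLE_LOG`, pass the real window length to `project`, and compare the gzip figure with an actual `gzip` of the same window: the ratio on a short sample is worse than on a full day's file, so the 10:1 default is the optimistic end.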