[dns-operations] Question regarding DNS query logging

Craig Leres leres at ee.lbl.gov
Mon Mar 14 22:16:45 UTC 2011

On 3/14/2011 3:41 PM, Michael Skurka wrote:
> I'm an Information Security Analyst for an energy company here
> in central Texas.  To date, we've not logged any of our DNS queries.
> We're interested in "opening the fire hose" to do some analysis (pretty
> graphs for management and looking for potential threats, i.e. malware
> trying to "phone home").
> We have about 2500 internal workstations and servers that hit our
> internal DNS servers.  Our external-facing DNS is done off-site and we
> aren't concerned with them at the moment.
> Does anyone in a similar sized company have any estimates (a rough
> ballpark is fine) how much data we'd be looking at collecting on a weekly
> or monthly basis?

We have three main internal servers that handle internal recursive
requests as well as internal/external authoritative requests. We use a
central syslog box and syslog-ng to forward queries only to it; I asked
what our current stats look like:

    From a random average day sample.

    6.0G per day raw, gzipped to 600M.

    48,387,516 queries

    8,856 unique internal clients

    189,424 unique clients
