[dns-operations] Question regarding DNS query logging

Robert Edmonds edmonds at isc.org
Sat Mar 19 22:08:08 UTC 2011

Fred Morris wrote:
> On Monday 14 March 2011 16:13, Colm MacCárthaigh wrote:
> > It's probably prudent to consider the
> > implications for user privacy, and any relevant jurisdictional or
> > legal data protection issues which arise, before doing this.
> Yes...
> > In some jurisdictions, data protection commissioners, and other
> > regulators, have made it clear that it can be considered a breach of
> > relevant acts.
> Considering the pervasive fact of passive DNS, not much more than prudence. 
> The rule there seems to be not to capture who made the request.

a terminology clarification:

"passive DNS" is not a synonym for "DNS packet capture".  "passive DNS"
is short for "passive DNS replication" [0], i.e. the replication of DNS
zone content, which is typically implemented by examining captured RD=0
DNS packets initiated by the recursive nameserver's resolver.  (florian
refers to this descriptively as "inter-server" DNS traffic.)

i call the capture of RD=1 DNS packets "client monitoring" to
distinguish it from passive DNS replication.  client monitoring can
encompass "query logging", which usually evokes textual logging by the
nameserver rather than packet capture.

the privacy issues inherent in DNS client monitoring are largely
orthogonal to those in passive DNS replication so it's important not to
conflate the two, even though the same binary network message format is
used by both.

[0] http://www.enyo.de/fw/software/dnslogger/#2

Robert Edmonds
edmonds at isc.org
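As an added example (not code from this post or from the dnslogger project), a small Python classifier that splits captured DNS messages on the RD bit the way the post distinguishes them: RD=1 traffic goes to a client-monitoring record that keeps the client address, while RD=0 inter-server traffic goes to a passive DNS replication record that never carries the requester. The two sample messages are constructed here and are assumptions, not captures.

```python
import struct

# Constructed sample messages (not from the post): a stub-to-recursive query for
# www.example.com/A with RD=1, and the same question as the recursive nameserver's
# resolver would send it to an authoritative server, with RD=0.
def _build_query(qname: str, rd: bool, txid: int = 0x1234) -> bytes:
    flags = 0x0100 if rd else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

STUB_QUERY = _build_query("www.example.com", rd=True)
INTER_SERVER_QUERY = _build_query("www.example.com", rd=False)


def parse_question(msg: bytes) -> dict:
    """Parse the 12-byte DNS header and the first question of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        length = msg[off]
        if length & 0xC0:                     # a compression pointer in the question name is not handled here
            raise ValueError("compressed name in question")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "qname": ".".join(labels) + ".", "qtype": qtype, "qclass": qclass}


def classify(src_ip: str, msg: bytes) -> dict:
    """Route a captured message to the right pipeline. Only the client-monitoring
    record keeps the source address; the passive DNS record records zone content only."""
    q = parse_question(msg)
    if q["rd"]:
        return {"pipeline": "client-monitoring", "client": src_ip, **q}
    # RD=0: inter-server traffic. Keep what the zone said, drop who asked.
    return {"pipeline": "passive-dns-replication", "client": None,
            "qr": q["qr"], "qname": q["qname"], "qtype": q["qtype"]}
```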

