[dns-operations] Prevalence of query/response logging?

Matthias Leisi matthias at leisi.net
Fri Jul 4 19:49:40 UTC 2014


On Fri, Jul 4, 2014 at 1:00 PM, Roland Dobbins <rdobbins at arbor.net> wrote:
> [..] authoritative DNS infrastructure disabling logging, enabling it, and/or
> logging queries/responses out-of-band via packet-capture taps, databases, etc.?

At dnswl.org, we use dedicated logging on a selection of the
authoritative servers. The logging is done through libpcap; we keep two
bits of information: the query source IP and the query itself.

In order to reduce the data volume, this data gets aggregated with
counters (i.e., ip + count, query + count), regularly written to files
and then sent to a central log collector once in a while for further
aggregation.

This removes the logging overhead from the handling of the DNS
request, although at some CPU cost. We don't care too much if we lose
some data, as long as the data loss is approximately consistent. We
don't need the logs for forensic analysis, but only to get relative
sizes of our users and what they are querying.

(And we don't need or want to know who is querying what, that's why
the data is taken apart and aggregated independently from the start,
consciously destroying the link between the two.)

-- Matthias
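The decoupled aggregation Matthias describes (source IPs and query names counted in two independent tables, with the link between them never stored), as an added illustration that is not dnswl.org's own code. It assumes the libpcap stage has already delivered the UDP payload of each DNS query; the `build_query` helper and the sample addresses and names are constructed here for the demonstration.

```python
from collections import Counter
import json
import struct


def encode_qname(name):
    """Wire-format QNAME (length-prefixed labels, zero terminator) for a dotted name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1):
    """Constructed DNS query payload: 12-byte header, one A/IN question (sample input only)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(payload):
    """Extract the lowercased dotted QNAME from the question section of a query payload."""
    labels, pos = [], 12  # skip the fixed-size DNS header
    while True:
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a query's question name
            raise ValueError("unexpected compression pointer in question section")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    return ".".join(labels)


class DecoupledCounters:
    """Two independent counters; no (source IP, query) pair is ever recorded."""

    def __init__(self):
        self.ips = Counter()
        self.queries = Counter()

    def observe(self, src_ip, dns_payload):
        # Each table is updated on its own, so the aggregate cannot be re-joined later.
        self.ips[src_ip] += 1
        self.queries[parse_qname(dns_payload)] += 1

    def flush(self, path=None):
        """Return (and optionally write as JSON) the current counts, then reset them."""
        snapshot = {"ips": dict(self.ips), "queries": dict(self.queries)}
        if path is not None:
            with open(path, "w") as fh:
                json.dump(snapshot, fh)
        self.ips.clear()
        self.queries.clear()
        return snapshot
```

Calling `flush(path)` from a timer is the "regularly written to files" step; the files hold only the two per-key totals.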
