[dns-operations] Prevalence of query/response logging?

John Kristoff jtk at cymru.com
Mon Jul 7 15:07:12 UTC 2014


On Fri, 4 Jul 2014 18:00:48 +0700
Roland Dobbins <rdobbins at arbor.net> wrote:

> I know that some DNS operators disable logging of queries/responses
> due to the overhead of doing so - are most folks on this list with
> large-scale DNS recursive and/or authoritative DNS infrastructure
> disabling logging, enabling it, and/or logging queries/responses
> out-of-band via packet-capture taps, databases, etc.?

I've done all of the above.  I like to think I was one of the earlier
adopters of enabling query logging at two reasonably large .edu
institutions, which are still enabled as far as I know.  This was for
both authoritative and recursive, but recursive query logs were
generally more interesting and useful to me at the time.

I know a handful of folks who avoided doing query logging and continue
to, based on the assumption that it is too resource intensive, which may
be true for some, but is not universally true and less true than I
think many people realize.  I had found syslog-ng was a much better
alternative daemon on both the logging client and collector for a
variety of reasons.  On the client, I had found it to require less of
the CPU than the stock syslog daemon at the time (Linux and Solaris
systems).

pcap-based solutions have been helpful for passive dns style projects,
which tend not to be strictly for network operations, but more
research and insight oriented tasks.

John


