[dns-operations] Logging queries for BIND DNS server

George Michaelson ggm at apnic.net
Tue Jul 19 22:39:29 UTC 2016


There is a conversation to be had sometime around what % of queries get
logged.

We did some basic analysis, very crude, a few years back, and found that
tcpdump and bind query logs don't agree as to a total query load. Given the
traffic is UDP, it's not that surprising, but it does mean you have to bear
in mind the log path may be recording queries completed and answered, not
received.

Just because you don't serve it, doesn't mean it's not load on your network
card, CPU.

-G

On 20 July 2016 at 02:22, Jim Reid <jim at rfc1035.com> wrote:

>
> > On 19 Jul 2016, at 11:02, Vithalprasad Gaitonde <
> gaitonde.vithalprasad at microsoft.com> wrote:
> >
> > We are trying to understand how query logging is typically deployed in
> BIND DNS server deployments.
>
> So is everyone else. :-)
>
> There probably isn't a typical deployment. Some don't log queries at all.
> Some log to a local file. Others log over the net -- watch for syslogd
> doing reverse lookups of the sending IP address => yet another DNS query to
> log. Sometimes these logs (via syslog or a local file) only get looked at
> after an incident. Others process the logs regularly and generate
> hourly/daily/weekly/whatever reports.
>
> Some organisations take pcap dumps of ALL their DNS traffic. Sometimes
> tools like DSC or hedgehog get used to tap the network interface(s), sample
> DNS traffic and put that sampling data into a database that just grows and
> grows. IIUC dnstap is getting used by those who want real-time response to
> DNS traffic of interest (amongst other things).
>
> There's no one-size-fits-all answer to your question. A documented "best
> practice" for DNS logging seems unlikely too. I've never come across one
> yet. This touches on lots of tricky areas that have different rules in
> different countries and settings: privacy, data protection/retention,
> regulatory requirements, corporate policy, etc, etc.
>
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
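The gap George describes between what tcpdump sees on the wire and what BIND's query log records can be measured rather than guessed at. The following script is an added example and is not code from the original post or from either list member: it parses constructed `tcpdump -nn` text lines and constructed BIND `querylog` lines for the same interval, keys both by (source address, name, type), and reports the queries that arrived on the wire but never made it into the log (the "received but not answered" load). The sample lines, the addresses and the assumption that the capture was taken as text with `tcpdump -nn` on the server's port 53 are all mine; the two regexes match the standard tcpdump and BIND 9 querylog formats.

```python
import re
from collections import Counter

# Constructed sample of BIND 9 querylog lines (not taken from the post).
BIND_QUERYLOG = """\
19-Jul-2016 22:30:01.001 queries: info: client 192.0.2.10#40001 (www.example.com): query: www.example.com IN A +E(0) (198.51.100.53)
19-Jul-2016 22:30:01.004 queries: info: client 192.0.2.11#40002 (example.net): query: example.net IN MX + (198.51.100.53)
19-Jul-2016 22:30:01.010 queries: info: client 192.0.2.10#40003 (www.example.com): query: www.example.com IN AAAA +E(0) (198.51.100.53)
"""

# Constructed sample of `tcpdump -nn` output for the same interval. The last
# two lines are queries the server received but never logged (e.g. dropped
# under load or refused before the querylog hook ran).
TCPDUMP_TEXT = """\
22:30:01.000900 IP 192.0.2.10.40001 > 198.51.100.53.53: 1001+ A? www.example.com. (32)
22:30:01.003800 IP 192.0.2.11.40002 > 198.51.100.53.53: 1002+ MX? example.net. (29)
22:30:01.009900 IP 192.0.2.10.40003 > 198.51.100.53.53: 1003+ AAAA? www.example.com. (32)
22:30:01.012000 IP 203.0.113.7.5353 > 198.51.100.53.53: 1004+ ANY? example.net. (29)
22:30:01.015000 IP 203.0.113.7.5353 > 198.51.100.53.53: 1005+ ANY? example.net. (29)
"""

# "client [@0x...] <ip>#<port> (<name>): query: <name> IN <type> ..."
# The optional "@0x..." token appears in newer BIND 9 releases.
BIND_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
# "IP <src>.<port> > <dst>.<port>: <id>[+%$] <TYPE>? <name>. (<len>)"
TCPDUMP_RE = re.compile(
    r"IP6? (?P<src>\S+) > (?P<dst>\S+): \d+[+%$]* (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+)"
)


def _key(src, name, qtype):
    # Normalise so the two sources compare equal: no trailing dot, lower case.
    return (src, name.rstrip(".").lower(), qtype)


def parse_bind_querylog(text):
    """Count queries BIND logged, keyed by (source ip, qname, qtype)."""
    seen = Counter()
    for line in text.splitlines():
        m = BIND_RE.search(line)
        if m:
            seen[_key(m["src"], m["name"], m["qtype"])] += 1
    return seen


def parse_tcpdump(text):
    """Count queries seen on the wire to port 53, keyed like the querylog."""
    seen = Counter()
    for line in text.splitlines():
        m = TCPDUMP_RE.search(line)
        if not m:
            continue
        src_ip, _, _src_port = m["src"].rpartition(".")
        _, _, dst_port = m["dst"].rpartition(".")
        if dst_port != "53":
            continue  # only queries addressed to the DNS server
        seen[_key(src_ip, m["name"], m["qtype"])] += 1
    return seen


def compare(wire, logged):
    """Summarise the gap between wire and log; Counter subtraction drops <= 0."""
    return {
        "on_wire": sum(wire.values()),
        "logged": sum(logged.values()),
        "unlogged": wire - logged,            # received, never logged
        "logged_not_on_wire": logged - wire,  # log lines with no packet seen
    }


if __name__ == "__main__":
    report = compare(parse_tcpdump(TCPDUMP_TEXT), parse_bind_querylog(BIND_QUERYLOG))
    print(f"on wire: {report['on_wire']}  logged: {report['logged']}")
    for (src, name, qtype), n in report["unlogged"].most_common():
        print(f"unlogged x{n}: {src} {name} {qtype}")
```

Run against real captures, feed the script the output of `tcpdump -nn -r capture.pcap 'dst port 53'` and the querylog for the same window; a large `unlogged` counter concentrated on a few sources is exactly the "load on the network card and CPU that you never served" that the log alone hides, and `logged_not_on_wire` going non-zero usually means the capture missed packets rather than the server inventing queries.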

