Bind's logs
Kevin Darcy
kcd at daimlerchrysler.com
Tue Dec 12 01:40:40 UTC 2006
Michael Milligan wrote:
> Andy Shellam (Mailing Lists) wrote:
>
>> Hi Greg,
>>
>> I log all executed queries on my DNS server as follows...
>>
>
> You seem to imply you have it on all the time... I hope that's not what
> you're advocating. It is not a good idea for admins to do that in
> general as this can bring even a moderately busy name server to its
> knees. Be careful out there.
>
>
YMMV. I've had query logging turned on for all of the internal
nameservers under my control for at least a decade now, without any
performance problems. I take the query statistics, shuffle them off to a
central collection machine, and then crunch them up for analysis and
troubleshooting, particularly security incidents. ISPs may get 1000s of
qps on their servers, but in our enterprise, largely owing to how
distributed our DNS server infrastructure is, and our active
encouragement of local DNS caching on all platforms that support it, we
have only a few boxes that do more than 10 million or 20 million
over the course of a regular workday (which works out to only about a
couple of hundred qps if that). The vast majority of our boxes' volumes
are much lower than that (like less than 1 million a day). At those
volumes and on modern hardware, the performance impact of the
querylogging overhead is negligible. It ends up actually taking more
*disk* I/O resources than anything else, which is usually the
least-stressed subsystem for a dedicated DNS server.
One of the benefits of querylogging and associated analysis, which we
have yet to fully realize, is that it highlights any buggy/misbehaving
clients that are consuming inordinate amounts of DNS resources. We often
follow up and get those clients fixed, so the information that
querylogging provides actually *saves* us resources in the long run, as
well as providing more efficient and reliable service to our (internal)
customers. Again, this is probably radically different from the ISP
environment, where I imagine you couldn't get the misbehaving clients
fixed even if you notified the end-users of the problems since, after
all, "that's what I'm paying you for, deal with it"...
- Kevin
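The per-client crunching Kevin describes, as an added example that is not part of the original post and is not BIND's own code: it parses the lines BIND 9 writes when the `queries` logging category is enabled (either the classic `client IP#port: query: ...` form or the later form with an `@0x...` client pointer and the name in parentheses), counts queries per client and per (client, name, type), and flags clients that dominate the log or hammer one name. The sample log lines are constructed, and the flagging thresholds are assumptions to tune for your own volumes.

```python
"""Added example (not from the mailing-list post, nor BIND's own code):
aggregate a BIND 9 query log per client to find the buggy or misbehaving
resolvers the post talks about.  Sample lines are constructed; the
flagging thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Two shapes of a BIND 9 query-log line (print-time yes; the "queries: info:"
# prefix appears when print-category and print-severity are on):
#   12-Dec-2006 01:40:40.123 client 10.0.0.5#53234: query: www.example.com IN A + (10.0.0.1)
#   12-Dec-2006 01:40:40.123 queries: info: client @0x7f3c2c0a1b10 10.0.0.77#41000 (h.example): query: h.example IN A +E(0)K (10.0.0.1)
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?:queries: \w+: )?"
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_line(line):
    """Return {ts, client, qname, qtype} for a query line, or None for anything else."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts_text = m.group("ts")
    fmt = "%d-%b-%Y %H:%M:%S.%f" if "." in ts_text else "%d-%b-%Y %H:%M:%S"
    return {
        "ts": datetime.strptime(ts_text, fmt),
        "client": m.group("ip"),
        "qname": m.group("qname").lower().rstrip("."),
        "qtype": m.group("qtype"),
    }


def summarize(lines):
    """Count queries per client and per (client, qname, qtype); track the time span."""
    per_client = Counter()
    per_client_name = defaultdict(Counter)
    first = last = None
    total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # non-query lines (startup, zone loads, ...) are skipped
            continue
        total += 1
        per_client[rec["client"]] += 1
        per_client_name[rec["client"]][(rec["qname"], rec["qtype"])] += 1
        first = rec["ts"] if first is None else min(first, rec["ts"])
        last = rec["ts"] if last is None else max(last, rec["ts"])
    span = (last - first).total_seconds() if total else 0.0
    return {"total": total, "span_seconds": span,
            "per_client": per_client, "per_client_name": per_client_name}


def misbehaving_clients(summary, share_threshold=0.5, repeat_threshold=100):
    """Flag clients that send more than share_threshold of all queries, or repeat
    one (name, type) more than repeat_threshold times (a retry loop or a host
    with no local cache).  Both thresholds are assumptions, not BIND defaults."""
    flagged = {}
    total = summary["total"]
    for client, n in summary["per_client"].items():
        reasons = []
        if total and n / total > share_threshold:
            reasons.append(f"{n}/{total} of all queries")
        top = summary["per_client_name"][client].most_common(1)
        if top and top[0][1] > repeat_threshold:
            (qname, qtype), count = top[0]
            reasons.append(f"{count} repeats of {qname}/{qtype}")
        if reasons:
            flagged[client] = reasons
    return flagged


def _fmt_ts(t):
    return t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]   # BIND prints milliseconds


def sample_log():
    """Constructed sample: two well-behaved hosts plus one host that re-resolves
    the same name every 100 ms because it has no local cache."""
    base = datetime(2006, 12, 12, 1, 40, 40)
    normal = [("10.0.0.5", "www.example.com", "A"), ("10.0.0.5", "www.example.com", "AAAA"),
              ("10.0.0.9", "mail.example.com", "MX"), ("10.0.0.9", "5.0.0.10.in-addr.arpa", "PTR")]
    lines = [f"{_fmt_ts(base + timedelta(seconds=i))} client {ip}#5{i:04d}: "
             f"query: {name} IN {qtype} + (10.0.0.1)"
             for i, (ip, name, qtype) in enumerate(normal)]
    for i in range(150):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f"{_fmt_ts(t)} queries: info: client @0x7f3c2c0a1b10 10.0.0.77#41000 "
                     "(printer-01.corp.example): query: printer-01.corp.example IN A +E(0)K (10.0.0.1)")
    return lines


if __name__ == "__main__":
    s = summarize(sample_log())
    print(f"{s['total']} queries over {s['span_seconds']:.1f}s "
          f"(~{s['total'] / max(s['span_seconds'], 1):.1f} qps)")
    for client, n in s["per_client"].most_common():
        print(f"{client:>16} {n:6d}")
    for client, reasons in misbehaving_clients(s).items():
        print(f"FLAG {client}: " + "; ".join(reasons))
```

In practice the input is the file named by your `queries` logging channel in named.conf (or the default log after `rndc querylog` has turned logging on), so `summarize(open(path))` is the usual call; the share threshold catches one host monopolising a lightly loaded server, while the repeat threshold catches the host that keeps re-asking the same question, which is the case where getting the client fixed pays back the cost of logging.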