BIND and Windows DNS logging and archiving
Barry S. Finkel
bsfinkel at att.net
Sun Jul 23 02:21:07 UTC 2017
On 7/22/2017, 7:33 AM, Mick Lee <lmick5455 at gmail.com> wrote:
> Hi Guys,
>
> Can anyone offer any advice based on their experience?
>
> Thanks
>
> Mick
>
> On 19 Jul 2017 2:16 p.m., "Mick Lee" <lmick5455 at gmail.com> wrote:
>
> Hi All,
>
> I wonder if I could get some advice and guidance based on everyone's
> experience.
>
> I have a mix of pre-compiled versions of BIND on Linux (can't change or
> recompile, I'm afraid) and Windows DNS, and I have a need to log DNS
> queries from about 100 or so of these types of servers, to identify queries
> to specific domains, and to be able to go back through and search for
> queries to domains which we now know to be bad.
>
> I am currently using query logging on Linux, and Syslog to move the data
> around, and simple regex matching to look for domains, but I need to get
> the data from Windows servers and the current tooling is not
> performant/scalable.
>
> I could just enable Windows DNS logging and try to get the files from the
> servers somehow, but from what I remember there are issues around log file
> rotation and the potential for data loss there. One of my colleagues
> suggested sending the DNS queries to the Windows event log, but I am not
> sure I can even do that, and I am worried about the impact too - there are
> approx. 10,000 DNS qps across all servers in total.
>
> Should I be looking at some off-the-shelf software (although I don't have
> a lot of budget), what would even do this, or is there some open-source
> tool that would do the job (I have some scripting ability)? I'm quite open
> to any ideas.
>
> Any advice or guidance anyone can offer would be greatly appreciated.
>
> (I know each environment is different, so apologies if I have left any
> important detail out, please point this out if so and I will try to fill in
> the gaps)
>
> Many Thanks
>
> Mick
The last time I looked at MS Windows DNS logging (6 years ago),
it was not useful. I could specify the max size of the log,
and when that max size was reached, the log file was cleared,
and a new log file started. I was logging everything, and the
50Mb log file filled up about every 1.5 days. So, frequently
the log file was cleared in the middle of the night, erasing
what evidence I wanted to preserve. I remember asking MS
to implement a real syslog facility where old log files
would be saved. I have no idea if MS ever implemented better
DNS logging.
--Barry Finkel
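The part of Mick's pipeline that does not scale is the per-domain regex matching over BIND query-log lines shipped via syslog. As an added example, not code from either poster, here is a Python parser for BIND query-log lines (with or without a syslog prefix) that checks each queried name against a known-bad set by walking its label suffixes, so one set lookup per label replaces one regex per list entry, and the same function serves a later retrospective search over archived logs. The log lines and bad domains are constructed; the line regex assumes BIND's "client ...: query: NAME CLASS TYPE" format.

```python
import re
from typing import List, Optional, Set, Tuple

# One BIND query-log line, optionally prefixed by syslog ("Jul 23 ... named[1234]:")
# or by BIND's own timestamp, with the newer "@0x..." client pointer and "(qname)"
# fields made optional so both old and new BIND 9 formats parse (assumed format).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_query(line: str) -> Optional[dict]:
    """Return src/port/qname/qclass/qtype for a query line, None for other lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["qname"] = d["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return d

def matching_bad_domain(qname: str, bad: Set[str]) -> Optional[str]:
    """Return the bad-list entry equal to qname or to one of its parent domains.
    Walking label suffixes means 'evil.example' catches 'a.b.evil.example' but
    not 'notevil.example', which a plain substring/regex match would flag."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad:
            return candidate
    return None

def find_hits(lines: List[str], bad: Set[str]) -> List[Tuple[str, str, str, str]]:
    """(source IP, queried name, qtype, matched bad domain) for every hit."""
    hits = []
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        hit = matching_bad_domain(q["qname"], bad)
        if hit:
            hits.append((q["src"], q["qname"], q["qtype"], hit))
    return hits

# Constructed sample input: syslog-prefixed, native-timestamp, IPv6 and non-query lines.
SAMPLE_LINES = [
    "Jul 23 02:21:07 ns1 named[1234]: client 192.0.2.10#53412: query: www.evil.example IN A + (192.0.2.1)",
    "23-Jul-2017 02:21:08.001 client @0x7f3c1c0b8e80 192.0.2.11#40001 (mail.example.org): query: mail.example.org IN MX -ED (192.0.2.1)",
    "23-Jul-2017 02:21:09.010 client 2001:db8::5#5353 (bad.test): query: bad.test. IN TXT + (192.0.2.1)",
    "Jul 23 02:21:10 ns1 named[1234]: client 192.0.2.12#1111: query: notevil.example IN A + (192.0.2.1)",
    "Jul 23 02:21:11 ns1 named[1234]: zone example.org/IN: loaded serial 2017072301",
]
BAD_DOMAINS = {"evil.example", "bad.test"}  # constructed list, not real indicators

if __name__ == "__main__":
    for src, qname, qtype, hit in find_hits(SAMPLE_LINES, BAD_DOMAINS):
        print(f"{src} asked {qtype} {qname} -> matches {hit}")
```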