BIND and Windows DNS logging and archiving

Barry S. Finkel bsfinkel at att.net
Sun Jul 23 02:21:07 UTC 2017


On 7/22/2017, 7:33 AM, Mick Lee <lmick5455 at gmail.com> wrote:

> Hi Guys,
> 
> Can anyone offer any advice based on their experience?
> 
> Thanks
> 
> Mick
> 
> On 19 Jul 2017 2:16 p.m., "Mick Lee" <lmick5455 at gmail.com> wrote:
> 
> Hi All,
> 
> I wonder if I could get some advice and guidance based on everyone's
> experience.
> 
> I have a mix of pre-compiled versions of BIND on Linux (can't change or
> re-compile, I'm afraid) and Windows DNS, and I have a need to log DNS
> queries from about 100 or so of these types of servers, to identify queries
> to specific domains, and to be able to go back through and search for
> queries to domains which we now know to be bad.
> 
> I am currently using query logging on Linux, and Syslog to move the data
> around, and simple regex matching to look for domains, but I need to get
> the data from Windows servers and the current tooling is not
> performant/scalable.
> 
> I could just enable Windows DNS logging and try to get the files from the
> servers somehow, but from what I remember there are issues around log file
> rotation and the potential for data loss there.  One of my colleagues
> suggested sending the DNS queries to the Windows event log, but I am not
> sure I can even do that, and I am worried about the impact too - there are
> approx. 10,000 DNS qps across all servers in total.
> 
> Should I be looking at some off-the-shelf software (although I don't have
> a lot of budget), what would even do this, or is there some open source
> tool that would do the job (I have some scripting ability) - I'm quite open
> to any ideas?
> 
> Any advice or guidance anyone can offer would be greatly appreciated.
> 
> (I know each environment is different, so apologies if I have left any
> important detail out, please point this out if so and I will try to fill in
> the gaps)
> 
> Many Thanks
> 
> Mick

The last time I looked at MS Windows DNS logging (6 years ago),
it was not useful.  I could specify the max size of the log,
and when that max size was reached, the log file was cleared,
and a new log file started.  I was logging everything, and the
50Mb log file filled up about every 1.5 days.  So, frequently
the log file was cleared in the middle of the night, erasing
what evidence I wanted to preserve.  I remember asking MS
to implement a real syslog facility where old log files
would be saved.  I have no idea if MS ever implemented better
DNS logging.

--Barry Finkel
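Mick's pipeline above (BIND query logging forwarded over syslog, then a search for queries to domains later found to be bad), as an added example that is not code from this thread: it parses BIND 9 query-log lines and matches query names against a blocklist on label boundaries, so subdomains of a listed domain are caught while look-alike names are not. The log lines and the blocklist are constructed, and the regex assumes BIND 9's default query-log line layout.

```python
import re
from collections import defaultdict

# Matches the "client ... query: ..." part of a BIND 9 query-log line, with or
# without a syslog prefix, the "@0x..." client handle printed by newer versions,
# and the "(qname)" parenthetical some versions emit before "query:".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) \S+ (?P<qtype>\S+)"
)

def normalise(name):
    """Lower-case and strip the trailing dot so 'BAD.example.' == 'bad.example'."""
    return name.lower().rstrip(".")

def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query-log line, or None otherwise."""
    m = QUERY_RE.search(line)
    return (m.group("ip"), normalise(m.group("qname")), m.group("qtype")) if m else None

def matching_domain(qname, bad_domains):
    """Return the blocklist entry qname equals or is a subdomain of, else None.
    Matching on label boundaries keeps 'notbad.example' from hitting 'bad.example'."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None

def find_hits(lines, bad_domains):
    """Scan log lines; return {bad_domain: [(client_ip, qname, qtype), ...]}."""
    bad = {normalise(d) for d in bad_domains}
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        hit = matching_domain(parsed[1], bad)
        if hit:
            hits[hit].append(parsed)
    return dict(hits)

# Constructed sample lines in the shape syslog forwards from named's "queries" channel.
SAMPLE_LOG = [
    "Jul 19 14:16:01 ns1 named[1234]: client 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "Jul 19 14:16:02 ns1 named[1234]: client @0x7f3a1c0 192.0.2.11#40001 (cdn.bad.example): query: cdn.bad.example IN AAAA + (192.0.2.1)",
    "Jul 19 14:16:03 ns2 named[4321]: client 192.0.2.12#53000: query: notbad.example IN A + (192.0.2.2)",
    "Jul 19 14:16:04 ns2 named[4321]: client 192.0.2.13#53001: query: BAD.EXAMPLE. IN TXT + (192.0.2.2)",
    "Jul 19 14:16:05 ns2 named[4321]: zone example.com/IN: loaded serial 2017071901",
]
```

Running `find_hits(SAMPLE_LOG, ["bad.example"])` reports the two queries under bad.example, with the client address and query type for each, and ignores the non-query line and the look-alike name.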


