logging query results

Bill Larson wllarso at swcp.com
Tue Dec 2 22:55:45 UTC 2008


JINMEI Tatuya / 神明達哉 <Jinmei_Tatuya at isc.org> said:

> At Fri, 28 Nov 2008 10:08:34 -0800,
> wes <bind at the-wes.com> wrote:
> 
> > I would like to know if it's possible to log the output of each dns query.
> 
> Do you mean the response to each query by "output"?
> 
> If so, there's currently no such log messages regardless of log level.
> 
> We may implement it in the future as we discussed in a different thread:
> https://lists.isc.org/pipermail/bind-users/2008-December/073981.html

Is anyone besides myself beginning to feel that too MUCH functionality is 
being built into BIND?  Will the next request be to put out the cat before 
bedtime?

I'm concerned that BIND is being made too complex, with the associated 
security issues of any complex system.  Sendmail is a perfect example of 
this.  It tried to do everything with the resulting "bug of the month" 
outcome.

Query logging is a great idea, but OARC has already produced a very 
functional "dnscap" which will capture all DNS traffic, queries and 
responses, incoming and outgoing.  Maybe this type of logging functionality 
could be better relegated to a third party tool such as "dnscap" rather than 
being built directly into BIND.

Adding functionality for the purpose of better operations is one thing.  
Including the capability of performing zone transfers inside BIND was a great 
addition rather than having a separate "named-xfer" tool.  This made running 
in a chroot environment much simpler, easier, and secure.  This is "good" 
additional functionality.

Additional functionality, such as adding additional query logging 
capabilities that aren't critical to the operation of the basic system, 
simply increases complexity with the inherent decrease in security that makes 
this type of addition a drawback.

Please, keep BIND as simple as possible (but not simpler).  Leave additional 
capabilities to separate tools such as "dnscap".

My two cents,

Bill Larson
