Best Practices Query Logging, On or Off ?

Kevin Darcy kcd at chrysler.com
Thu Nov 18 20:19:13 UTC 2010


On 11/18/2010 1:36 PM, CT wrote:
> I am looking for a best practices for dns query logging
>
> Versions in use on Linux...
> - BIND 9.7.1-P2
> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>
>
> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
>
> logging
> {
>         category lame-servers   { null; };
>         category resolver       { null; };
> };
>
> which I have tested still allows the dns (default)
> to log to /var/log/messages
>
> -- 
> default     The default category defines the logging options for
>         those categories where no specific configuration has
>         been defined.

> --
>
> I have also been made aware that query logging can give a machine up
> to a 30% performance hit but also with today's machines it is mostly
> negligible.
>
> My question is:
> Do folks normally use query logging as a forensic tool or are most
> Bind installations done without logging any queries?
>
> The powers that be seem to think the performance hit outweighs any
> forensic benefit...


That's pretty short-sighted, IMO. Query logging allows one to find 
misbehaving or misconfigured apps/servers/clients, active worms, etc. By 
identifying those bad actors and correcting them, you reduce your query 
volumes, usually much more than 30%. So, at the end of the day, what 
benefit is there, really, in flying blind about one's query traffic?

Needless to say, we log all queries here. We even have a subsystem that 
collects summaries of those query statistics from all of our remote 
nameservers into a central repository for further mining/analysis.

                 - Kevin
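Kevin mentions a subsystem that summarizes query statistics from the remote nameservers so that misbehaving clients can be found and fixed. As an added example (not code from the post, from BIND, or from Chrysler's subsystem), the following Python parses BIND 9.x `queries`-category log lines and produces the per-client and per-name counts that such a summary would be built from; the log lines are constructed, and the field layout (timestamp, `client ip#port: query: name class type flags (server)`) is assumed from the 9.7-era format.

```python
import re
from collections import Counter

# Assumed BIND 9.7-style query log line from a channel with print-time yes.
# Later BIND versions add extra fields (view name, client pointer), so the
# pattern would need widening for those.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^)]+)\)$"
)

# Constructed sample log, not taken from the original post.
SAMPLE_LOG = """\
18-Nov-2010 13:36:00.101 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
18-Nov-2010 13:36:00.102 client 10.0.0.5#53212: query: www.example.com IN AAAA + (10.0.0.1)
18-Nov-2010 13:36:00.140 client 10.0.0.9#40001: query: mail.example.com IN MX + (10.0.0.1)
18-Nov-2010 13:36:00.141 client 10.0.0.77#5353: query: wpad.example.com IN A + (10.0.0.1)
18-Nov-2010 13:36:00.142 client 10.0.0.77#5354: query: wpad.example.com IN A + (10.0.0.1)
18-Nov-2010 13:36:00.143 client 10.0.0.77#5355: query: wpad.example.com IN A + (10.0.0.1)
18-Nov-2010 13:36:00.144 client 10.0.0.77#5356: query: wpad.example.com IN A + (10.0.0.1)
this line is not a query record and is skipped
"""

def parse_query_log(text):
    """Yield one dict per well-formed query line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.groupdict()

def summarize(text, top=3):
    """Per-client, per-name and per-type counts: the raw material for spotting
    a misconfigured host or a lookup storm hammering one name."""
    by_client, by_qname, by_qtype = Counter(), Counter(), Counter()
    for q in parse_query_log(text):
        by_client[q["client"]] += 1
        by_qname[q["qname"]] += 1
        by_qtype[q["qtype"]] += 1
    return {
        "total": sum(by_client.values()),
        "top_clients": by_client.most_common(top),
        "top_qnames": by_qname.most_common(top),
        "qtypes": dict(by_qtype),
    }

def noisy_clients(text, share=0.5):
    """Clients responsible for more than `share` of all logged queries."""
    s = summarize(text, top=None)
    return [c for c, n in s["top_clients"] if n > share * s["total"]]
```

Feeding the per-hour output of `summarize` from each nameserver into one store gives the central view Kevin describes, and `noisy_clients` is the simplest version of the "find the bad actor" check.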
