Best Practices Query Logging, On or Off?

Russell Jackson raj at csub.edu
Thu Nov 18 21:10:35 UTC 2010


On 11/18/2010 12:19 PM, Kevin Darcy wrote:
> On 11/18/2010 1:36 PM, CT wrote:
>> I am looking for a best practices for dns query logging
>>
>> Versions in use on Linux...
>> - BIND 9.7.1-P2
>> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>>
>>
>> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
>>
>> logging {
>>     category lame-servers { null; };
>>     category resolver { null; };
>> };
>>
>> which I have tested still allows the dns (default)
>> to log to /var/log/messages
>>
>> --
>> default The default category defines the logging options for
>> those categories where no specific configuration has
>> been defined.
>
>> --
>> I have also been made aware that query logging can give a machine up
>> to a 30% performance hit but also with today's machines it is mostly
>> negligible..
>>
>> My question is :
>> Do folks normally use query logging as a forensic tool or are most
>> Bind installations done without logging any queries ?
>>
>> The powers that be seem to think the performance hit outweighs any
>> forensic benefit...
>>
>
> That's pretty short-sighted, IMO. Query logging allows one to find
> misbehaving or misconfigured apps/servers/clients, active worms, etc. By
> identifying those bad actors and correcting them, you reduce your query
> volumes, usually much more than 30%. So, at the end of the day, what
> benefit is there, really, in flying blind about one's query traffic?
>
> Needless to say, we log all queries here. We even have a subsystem that
> collects summaries of those query statistics from all of our remote
> nameserver into a central repository for further mining/analysis.
>

Query logging also undermines the privacy of your users. There may even 
be applicable state and federal laws regulating the storage of 
information that can link users to sites they've visited.

-- 
Russell A Jackson <raj at csub.edu>
Network Analyst
California State University, Bakersfield
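What "query logging as a forensic tool" looks like once the lines exist, as an added example that is not code from any poster on this thread or from BIND itself: a small Python script that parses BIND 9.7-style query-log lines, ranks names and clients, flags a host that hammers the server or re-resolves one name over and over (the misconfigured-app / active-worm case Kevin describes), and can replace client addresses with keyed pseudonyms so the long-term summary does not tie a person to the names they looked up (the privacy concern Russell raises). The line layout, the sample lines, the thresholds and the HMAC key are all constructed for this example.

```python
"""Summarize BIND query-log lines: top names, noisy clients, repeat lookups.

Added example for the thread above, not code from any poster or from BIND.
Assumed line layout is the BIND 9.7 query log written to a file channel
with print-time, print-category and print-severity on:

  <time> queries: info: client <ip>#<port>: query: <qname> <class> <type> <flags> (<server-ip>)

Syslog lines (no timestamp) and BIND 9.3 lines (no trailing server IP)
also match, because parsing starts at "client".
"""
import hashlib
import hmac
import re
from collections import Counter

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query(line):
    """Return the fields of one query-log line, or None for non-query lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def pseudonymize(client_ip, key):
    """Keyed hash of a client address: per-client counts still work, but the
    stored summary no longer links a user to the names they queried.  The key
    (assumed secret, rotated, and kept out of the summary store) is what makes
    this better than a plain hash over a small, guessable IPv4 space."""
    return hmac.new(key, client_ip.encode(), hashlib.sha256).hexdigest()[:16]


def summarize(lines, key=None, noisy_threshold=100, repeat_threshold=50):
    """Aggregate query-log lines into the counters an operator looks at first.

    noisy_threshold  - total queries from one client above which it is flagged
    repeat_threshold - lookups of one name by one client above which it is
                       flagged (an app without a cache, a retry loop, a worm
                       polling its controller)
    If key is given, client addresses are replaced by pseudonyms everywhere.
    """
    names, clients, qtypes, pairs = Counter(), Counter(), Counter(), Counter()
    total = 0
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        total += 1
        client = pseudonymize(rec["client"], key) if key else rec["client"]
        names[rec["qname"]] += 1
        clients[client] += 1
        qtypes[rec["qtype"]] += 1
        pairs[(client, rec["qname"])] += 1
    return {
        "total": total,
        "top_names": names,
        "top_clients": clients,
        "qtypes": qtypes,
        "noisy_clients": {c: n for c, n in clients.items() if n > noisy_threshold},
        "repeat_lookups": {p: n for p, n in pairs.items() if n > repeat_threshold},
    }


# Constructed sample: three ordinary queries, one non-query line, and one
# host re-resolving the same name 120 times within a second.
SAMPLE_LINES = [
    "18-Nov-2010 13:36:01.001 queries: info: client 10.1.2.3#51234: query: www.example.com IN A + (192.0.2.53)",
    "18-Nov-2010 13:36:01.002 queries: info: client 10.1.2.4#51235: query: mail.example.com IN MX + (192.0.2.53)",
    "18-Nov-2010 13:36:01.003 queries: info: client 2001:db8::10#5353: query: www.example.com IN AAAA +E (192.0.2.53)",
    "18-Nov-2010 13:36:01.004 general: info: zone example.com/IN: loaded serial 2010111801",
] + [
    "18-Nov-2010 13:36:02.%03d queries: info: client 10.9.9.9#40000: query: update.example.net IN A + (192.0.2.53)" % i
    for i in range(120)
]


def report(lines, key=None):
    """Print the operator-facing summary; returns the summary for reuse."""
    s = summarize(lines, key=key)
    print("queries parsed: %d" % s["total"])
    for name, n in s["top_names"].most_common(5):
        print("  %6d  %s" % (n, name))
    for client, n in s["noisy_clients"].items():
        print("noisy client %s: %d queries" % (client, n))
    for (client, name), n in s["repeat_lookups"].items():
        print("repeat lookups: %s asked for %s %d times" % (client, name, n))
    return s


if __name__ == "__main__":
    report(SAMPLE_LINES)                    # raw addresses, for the on-call engineer
    report(SAMPLE_LINES, key=b"rotate-me")  # pseudonymized, for the long-term store
```

These lines only exist when query logging is on: `querylog yes;` in `options`, or `rndc querylog` to toggle it at run time. They go to whatever channel the `queries` category is bound to; with no `category queries` statement they fall through to `default`, which is why turning query logging on without a dedicated file channel fills the syslog file. Running the raw report for live troubleshooting and only the pseudonymized one into a central store is one way to keep Kevin's visibility without keeping a per-user browsing record.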
