Best Practices Query Logging, On or Off ?

CT groups at obsd.us
Thu Nov 18 23:28:22 UTC 2010


Kevin Darcy wrote, On 11/18/2010 02:19 PM:
> On 11/18/2010 1:36 PM, CT wrote:
>> I am looking for best practices for DNS query logging
>>
>> Versions in use on Linux...
>> - BIND 9.7.1-P2
>> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>>
>>
>> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
>>
>> logging
>> {
>> category lame-servers { null; };
>> category resolver { null; };
>> };
>>
>> which I have tested still allows the DNS (default)
>> to log to /var/log/messages
>>
>> --
>> default: The default category defines the logging options for
>> those categories where no specific configuration has
>> been defined.
>
>     --
>
>     I have also been made aware that query logging can give a machine up
>     to a 30% performance hit, but with today's machines it is mostly
>     negligible..
>
>     My question is :
>     Do folks normally use query logging as a forensic tool, or are most
>     BIND installations done without logging any queries?
>
>     The powers that be seem to think the performance hit outweighs any
>     forensic benefit...
>
>
> That's pretty short-sighted, IMO. Query logging allows one to find
> misbehaving or misconfigured apps/servers/clients, active worms, etc. By
> identifying those bad actors and correcting them, you reduce your query
> volumes, usually much more than 30%. So, at the end of the day, what
> benefit is there, really, in flying blind about one's query traffic?
>
> Needless to say, we log all queries here. We even have a subsystem that
> collects summaries of those query statistics from all of our remote
> nameservers into a central repository for further mining/analysis.
>
> - Kevin

Kevin..
I am one of the ones that "keep" all my query logs for forensics..
One of my co-workers was actually looking for "best practices" document, 
I will take a look in the ARM but don't remember seeing
anything in there when I read through it..

I am curious about the product you use to collect the data / logs..
if you can reply on list..

Thx
Charles
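As an added example (not code from this thread, from Kevin's collector, or from BIND itself), here is a small Python summarizer over constructed BIND 9.x query-log lines in the "client ip#port: query: name class type flags (server)" format named writes via syslog. It shows the kind of per-client and per-name mining the reply describes, and flags clients whose query count is out of line, which is where misconfigured hosts usually show up first. The sample lines, IP addresses and the query threshold are all made up for the example.

```python
import re
from collections import Counter

# BIND 9.x query-log record (as syslog writes it). "view <name>:" is present only when views are used.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):(?: view (?P<view>\S+):)? "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
)

# Constructed sample lines in the BIND 9.7 format; the last one is a lame-server notice, not a query.
SAMPLE_LOG = """\
Nov 18 23:28:22 ns1 named[1234]: client 10.0.0.5#53452: query: www.example.com IN A + (10.0.0.53)
Nov 18 23:28:22 ns1 named[1234]: client 10.0.0.5#53453: query: www.example.com IN AAAA + (10.0.0.53)
Nov 18 23:28:23 ns1 named[1234]: client 10.0.0.7#1024: view internal: query: mail.example.com IN MX + (10.0.0.53)
Nov 18 23:28:23 ns1 named[1234]: client 10.0.0.9#4000: query: host1.bad.example IN A + (10.0.0.53)
Nov 18 23:28:23 ns1 named[1234]: client 10.0.0.9#4001: query: host2.bad.example IN A + (10.0.0.53)
Nov 18 23:28:24 ns1 named[1234]: client 10.0.0.9#4002: query: host3.bad.example IN A + (10.0.0.53)
Nov 18 23:28:24 ns1 named[1234]: lame server resolving 'foo.example' (in 'example'?): 192.0.2.1#53
"""


def parse_queries(lines):
    """Yield one dict per query record; non-query lines (lame-server notices etc.) are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(lines, top=3):
    """Per-client, per-name and per-type counts: the summary a central collector would keep."""
    by_client, by_qname, by_qtype = Counter(), Counter(), Counter()
    for q in parse_queries(lines):
        by_client[q["ip"]] += 1
        by_qname[q["qname"].lower().rstrip(".")] += 1  # normalise case and trailing dot
        by_qtype[q["qtype"]] += 1
    return {
        "total": sum(by_client.values()),
        "clients": by_client.most_common(top),
        "qnames": by_qname.most_common(top),
        "qtypes": by_qtype.most_common(top),
    }


def noisy_clients(lines, max_queries):
    """Client IPs sending more than max_queries records: candidates for a misconfigured host or worm."""
    counts = Counter(q["ip"] for q in parse_queries(lines))
    return sorted(ip for ip, n in counts.items() if n > max_queries)
```

Pointing the same functions at a real query log (one file per server, or the lines shipped to a central host) gives the per-server summaries without keeping every raw line forever.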
