Logging Response Results
Ray Van Dolson
rvandolson at esri.com
Thu Jun 23 21:31:22 UTC 2011
On Thu, Jun 23, 2011 at 01:58:37PM -0700, Phil Mayers wrote:
> On 06/23/2011 09:27 PM, Stefan Certic wrote:
> > Thanks Chuck
> >
> > Yes, that would be a solution, but i need logs processed through syslog and
> > stored into database (matching the initial query from query log).
> >
> > Pharsing tcpdump is not going to be suitable for highly loaded system. I was
> > more looking for a solution to log responses same way queryes are logged.
>
> The problem is that queries and responses are not the same type of
> thing. A query contains a single question, and is usually relatively
> small. A response can contain multiple answers, and multiple types of
> answer, and with DNSSEC they can get big.
>
> There's no inherent reason parsing tcpdump needs to be slow. It's
> written in C.
>
> Anyway: bind itself cannot log answers. You will need to patch the
> source if you want this.
Don't mean to venture into off-topic territory, but....
If you're handy with Python, pcapy[1] and impacket[2] would likely be a
more efficient way to parse DNS traffic for query responses than
working with tcpdump output natively (unless you're skilled with C).
Ray
[1] http://oss.coresecurity.com/projects/pcapy.html
[2] http://oss.coresecurity.com/projects/impacket.html
More information about the bind-users
mailing list