Bind's logs

Kevin Darcy kcd at daimlerchrysler.com
Tue Dec 12 01:40:40 UTC 2006


Michael Milligan wrote:
> Andy Shellam (Mailing Lists) wrote:
>
>> Hi Greg,
>>
>> I log all executed queries on my DNS server as follows...
>>
>
> You seem to imply you have it on all the time...  I hope that's not what
> you're advocating.  It is not a good idea for admins to do that in
> general as this can bring even a moderately busy name server to its
> knees.  Be careful out there.
>
>
YMMV. I've had query logging turned on for all of the internal 
nameservers under my control for at least a decade now, without any 
performance problems. I take the query statistics, shuffle them off to a 
central collection machine, and then crunch them up for analysis and 
troubleshooting, particularly security incidents. ISPs may get 1000s of 
qps on their servers, but in our enterprise, largely owing to how 
distributed our DNS server infrastructure is, and our active 
encouragement of local DNS caching on all platforms that support it, we 
have only a few boxes that do more than 10 million or 20 million 
over the course of a regular workday (which works out to only about a 
couple of hundred qps if that). The vast majority of our boxes' volumes 
are much lower than that (like less than 1 million a day). At those 
volumes and on modern hardware, the performance impact of the 
querylogging overhead is negligible. It ends up actually taking more 
*disk I/O* resources than anything else, which is usually the 
least-stressed subsystem for a dedicated DNS server.

One of the benefits of querylogging and associated analysis, which we 
have yet to fully realize, is that it highlights any buggy/misbehaving 
clients that are consuming inordinate amounts of DNS resources. We often 
follow up and get those clients fixed, so the information that 
querylogging provides actually *saves* us resources in the long run, as 
well as providing more efficient and reliable service to our (internal) 
customers. Again, this is probably radically different from the ISP 
environment, where I imagine you couldn't get the misbehaving clients 
fixed even if you notified the end-users of the problems since, after 
all, "that's what I'm paying you for, deal with it"...

- Kevin
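The kind of crunching Kevin describes (summarising the query log per client to surface the buggy or non-caching clients that eat DNS resources), as an added example that is not part of the original thread. It assumes the BIND 9 query-log line layout shown in the constructed sample and treats the "repeats the same question" heuristic as one possible flagging rule.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in BIND 9 "queries" channel style (assumed layout, not real data).
SAMPLE_LOG = """\
12-Dec-2006 01:40:40.101 client 10.1.2.3#51234: query: www.example.com IN A +
12-Dec-2006 01:40:40.102 client 10.1.2.3#51235: query: www.example.com IN A +
12-Dec-2006 01:40:40.103 client 10.1.2.3#51236: query: www.example.com IN A +
12-Dec-2006 01:40:40.104 client 10.1.2.3#51237: query: www.example.com IN A +
12-Dec-2006 01:40:40.200 client 10.9.8.7#40000: query: mail.example.com IN MX +
12-Dec-2006 01:40:41.300 client 10.5.5.5#33000: query: intranet.example.com IN A +
12-Dec-2006 01:40:41.301 client 10.5.5.5#33001: query: intranet.example.com IN AAAA +
this line is not a query record and must be skipped
"""

# Tolerates the optional "@0x..." client handle and "(qname)" of newer BIND 9 releases.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)

def parse_query_log(text):
    """Return (client_ip, qname, qtype) for every query line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m.group("ip"), m.group("name").lower(), m.group("type")))
    return records

def client_stats(records):
    """Per-client total plus the most repeated (qname, qtype) and its share of the total."""
    per_client = defaultdict(Counter)
    for ip, name, qtype in records:
        per_client[ip][(name, qtype)] += 1
    stats = {}
    for ip, questions in per_client.items():
        total = sum(questions.values())
        (name, qtype), top_count = questions.most_common(1)[0]
        stats[ip] = {"total": total, "top": f"{name}/{qtype}", "top_share": top_count / total}
    return stats

def flag_noisy_clients(records, min_queries=4, min_share=0.8):
    """Clients that keep re-asking the same question: a sign of a missing or broken local cache."""
    return sorted(ip for ip, s in client_stats(records).items()
                  if s["total"] >= min_queries and s["top_share"] >= min_share)

if __name__ == "__main__":  # quick report on the constructed sample
    for ip, s in sorted(client_stats(parse_query_log(SAMPLE_LOG)).items(), key=lambda kv: -kv[1]["total"]):
        print(f"{ip:15} {s['total']:4d} queries  top={s['top']} ({s['top_share']:.0%})")
```

On a real log, feed the file contents to parse_query_log and raise min_queries to something appropriate for a full day's volume.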
