Mining Data From named Logs

Peter Dambier peter at peter-dambier.de
Thu Oct 2 19:55:42 UTC 2008


Hi Martin,

It is guesswork only, but it is very likely that DTAG did or
do use their nameservers to find out who is sticking his nose
into what - to trigger alarms looking for moles in their
management. So if you are a DTAG customer - and most German
DSL-customers are at least indirectly DTAG customers - then
you are wise running your own resolver and never querying
a foreign forwarder. Not to mention journalists.

Directly related?

I did use the "lame server" messages to find adware and malware
servers and created dummy SOAs for them. Users told me that
speeded loading some sites dramatically. I don't like censoring
but my clients told me, no, that is not censoring.

Kind regards
Peter and Karin Dambier


Martin McCormick wrote:
> Do very many people on this list use the information from
> named's logs to learn about things that are not directly related
> to the operation of named?
> 
> 	I look for "no recursive clients" messages because you
> never see them when we are not having network trouble except,
> maybe, on the rare occasion where a compromised or broken host
> makes as many queries as it is physically capable of making per
> second. Yes, recursion is bad but we can't really turn it off so
> we turn it off for anybody outside our network. You should see
> all the attempts all the time!
> 
> 	I recently turned on query logging on our master and
> slave which are both fast Dell 2950's and it looks as if we
> can possibly tell if certain systems have stopped working due to
> a lack of queries from them. Our campus mail gateway, for
> example, hits the master over 60 times per second during a
> business day. I don't know what that drops off to at nights or
> on a major US holiday, but I bet it is still several times per
> second.
> 
> 	For anyone else thinking of doing this, be careful of
> storage space. Our master gulped down 100 megabytes of disk
> space in less than 15 minutes so you had better watch it and set
> the logging limits to something you know you can handle.
> 
> Martin McCormick WB5AGZ  Stillwater, OK 
> Systems Engineer
> OSU Information Technology Department Telecommunications Services Group

-- 
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
http://www.peter-dambier.de/
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/
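
The two uses of named's logs described in this thread (noticing that a normally busy client has stopped querying, and collecting the zones behind "lame server" messages), as an added example that is not code from either poster. It assumes BIND 9 style log lines with print-time enabled; the sample lines, addresses, thresholds and the `mine` helper are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log layouts; adjust the patterns to match your own logging channels.
QUERY = re.compile(r"^(\S+ \S+) .*client (?:@\S+ )?([0-9a-fA-F.:]+)#\d+.*: query: ")
LAME = re.compile(r"lame server resolving '[^']+' \(in '([^']+)'\?\)")
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"

def mine(lines, silence=timedelta(minutes=5), min_queries=3):
    """Return (silent_clients, lame_zone_counts) for an iterable of log lines.

    A client is "silent" if it made at least min_queries queries but its last
    one is older than `silence`, measured against the newest query in the log.
    """
    last_seen, counts, lame = {}, Counter(), Counter()
    newest = None
    for line in lines:
        m = QUERY.search(line)
        if m:
            ts = datetime.strptime(m.group(1), TS_FORMAT)
            client = m.group(2)
            counts[client] += 1
            if client not in last_seen or ts > last_seen[client]:
                last_seen[client] = ts
            if newest is None or ts > newest:
                newest = ts
            continue
        m = LAME.search(line)
        if m:
            lame[m.group(1).lower().rstrip(".")] += 1  # zone with the lame delegation
    silent = sorted(c for c, ts in last_seen.items()
                    if counts[c] >= min_queries and newest - ts > silence)
    return silent, lame

# Constructed sample: 192.0.2.25 plays a busy mail gateway that stops querying.
SAMPLE = [
    "02-Oct-2008 19:00:00.000 queries: info: client 192.0.2.25#40001: query: mx.example.org IN MX +",
    "02-Oct-2008 19:00:00.500 queries: info: client 192.0.2.77#40100: query: www.example.com IN A +",
    "02-Oct-2008 19:00:01.000 queries: info: client 192.0.2.25#40002: query: mail.example.com IN A +",
    "02-Oct-2008 19:00:01.200 lame-servers: info: lame server resolving 'ads.example.net' (in 'example.net'?): 192.0.2.53#53",
    "02-Oct-2008 19:00:02.000 queries: info: client 192.0.2.25#40003: query: mx.example.net IN MX +",
    "02-Oct-2008 19:00:03.000 lame-servers: info: lame server resolving 'img.example.net' (in 'example.net'?): 192.0.2.53#53",
    "02-Oct-2008 19:00:04.000 lame-servers: info: lame server resolving 'track.example.org' (in 'example.org'?): 192.0.2.54#53",
    "02-Oct-2008 19:10:00.000 queries: info: client 192.0.2.77#40101: query: www.example.org IN A +",
]

if __name__ == "__main__":
    silent, lame = mine(SAMPLE)
    print("silent clients:", silent)
    print("lame zones:", lame.most_common())
```

Run it over a rotated log file rather than the live one, since the query channel grows as quickly as described in the quoted message.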


More information about the bind-users mailing list