Best Practices Query Logging, On or Off?

Kevin Darcy kcd at
Thu Nov 18 20:19:13 UTC 2010

On 11/18/2010 1:36 PM, CT wrote:
> I am looking for a best practices for dns query logging
> Versions in use on Linux...
> - BIND 9.7.1-P2
> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
> logging
> {
>         category lame-servers   { null; };
>         category resolver       { null; };
> };
> which I have tested still allows the dns (default)
> to log to /var/log/messages
> -- 
> default     The default category defines the logging options for
>         those categories where no specific configuration has
>         been defined.


> I have also been made aware that query logging can give a machine up
> to a 30% performance hit but also with today's machines it is mostly
>
> My question is:
> Do folks normally use query logging as a forensic tool or are most
> Bind installations done without logging any queries?
>
> The powers that be seem to think the performance hit outweighs any
> forensic benefit...

That's pretty short-sighted, IMO. Query logging allows one to find 
misbehaving or misconfigured apps/servers/clients, active worms, etc. By 
identifying those bad actors and correcting them, you reduce your query 
volumes, usually much more than 30%. So, at the end of the day, what 
benefit is there, really, in flying blind about one's query traffic?

Needless to say, we log all queries here. We even have a subsystem that 
collects summaries of those query statistics from all of our remote 
nameservers into a central repository for further mining/analysis.

                 - Kevin
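The kind of mining Kevin describes, as an added example that is not code from this thread or from ISC/BIND: a small summariser that reads BIND 9 query-log lines, counts queries per client and per name, and flags two of the "bad actors" he mentions, a client hammering the same name over and over (typically an application that resolves on every connection and caches nothing) and a client asking for an unusually large number of distinct names. It assumes the record layout BIND 9.7 writes to a channel with print-category and print-severity enabled (`queries: info: client A.B.C.D#port: [view NAME:] query: NAME CLASS TYPE FLAGS [(local-addr)]`), and the sample log lines, the thresholds in `flag_clients` and the names of all functions are constructed for the example.

```python
"""Summarise BIND 9 query-log lines to spot noisy or misconfigured clients.

Added example for the thread; not code from the post or from BIND.  Assumes the
record layout BIND 9.7 writes with print-category and print-severity on, e.g.

  18-Nov-2010 20:19:13.000 queries: info: client 192.0.2.10#53412: \
      query: www.example.com IN A + (192.0.2.1)

and parses leniently: the 'view NAME:' field (multi-view servers) and the
trailing '(local-address)' field are both optional.
"""
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+):\s+"
    r"(?:view (?P<view>\S+):\s+)?"
    r"query:\s+(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+(?P<flags>\S+)"
    r"(?:\s+\((?P<local>[0-9A-Fa-f.:]+)\))?"
)


def parse_query_line(line):
    """Return a dict for one query record, or None for any other log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise for counting
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines):
    """Count queries per client and per name, and distinct names per client."""
    per_client, per_qname = Counter(), Counter()
    names_per_client = defaultdict(set)
    total = 0
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue  # lame-server, resolver and other non-query records
        total += 1
        per_client[rec["ip"]] += 1
        per_qname[rec["qname"]] += 1
        names_per_client[rec["ip"]].add(rec["qname"])
    return {
        "total": total,
        "per_client": per_client,
        "per_qname": per_qname,
        "distinct_names": {ip: len(s) for ip, s in names_per_client.items()},
    }


def flag_clients(summary, min_queries=10, repeat_ratio=5.0, min_distinct=6):
    """Heuristic triage; the thresholds are assumptions for the example.

    'hammering': many queries spread over very few names, the signature of an
      app that resolves the same name for every connection and caches nothing.
    'spraying' : many distinct names from one client, worth a look for
      scanners or malware (a heuristic, not proof of infection).
    """
    findings = {}
    for ip, n in summary["per_client"].items():
        distinct = summary["distinct_names"][ip]
        if n >= min_queries and n / distinct >= repeat_ratio:
            findings[ip] = "hammering"
        elif distinct >= min_distinct:
            findings[ip] = "spraying"
    return findings


# Constructed sample log (not captured from a real server).
SAMPLE_LOG = (
    ["18-Nov-2010 20:19:%02d.000 queries: info: client 192.0.2.10#5341%d: "
     "query: www.example.com IN A + (192.0.2.1)" % (i, i % 10) for i in range(12)]
    + ["18-Nov-2010 20:20:%02d.000 queries: info: client 192.0.2.20#4000%d: "
       "query: host%d.example.net IN A + (192.0.2.1)" % (i, i, i) for i in range(8)]
    + ["18-Nov-2010 20:21:00.000 queries: info: client 192.0.2.30#51000: "
       "view internal: query: mail.example.com IN MX +",
       "18-Nov-2010 20:21:01.000 queries: info: client 192.0.2.30#51001: "
       "query: mail.example.com. IN A + (192.0.2.1)",
       "18-Nov-2010 20:21:02.000 lame-servers: info: lame server resolving "
       "'example.org' (in 'example.org'?): 198.51.100.7#53"]
)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("queries parsed:", s["total"])
    print("top clients:", s["per_client"].most_common(3))
    print("top names:", s["per_qname"].most_common(3))
    print("flagged:", flag_clients(s))
```

On a real server you would feed it the query-log file written by a dedicated channel rather than /var/log/messages, run it per site, and ship only the counters to the central repository; the raw log stays local, which keeps the "30% hit" argument about disk and I/O rather than about the network.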
