Best Practices Query Logging, On or Off ?

Kevin Darcy kcd at
Thu Nov 18 21:50:28 UTC 2010

On 11/18/2010 4:10 PM, Russell Jackson wrote:
> On 11/18/2010 12:19 PM, Kevin Darcy wrote:
>> On 11/18/2010 1:36 PM, CT wrote:
>>> I am looking for a best practices for dns query logging
>>> Versions in use on Linux...
>>> - BIND 9.7.1-P2
>>> - BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
>>> The minimum logging statement in my test named.conf (bind 9.7.1-P2)
>>> logging
>>> {
>>> category lame-servers { null; };
>>> category resolver { null; };
>>> };
>>> which I have tested still allows the dns (default)
>>> to log to /var/log/messages
>>> -- 
>>> default The default category defines the logging options for
>>> those categories where no specific configuration has
>>> been defined.
>> -- 
>> I have also been made aware that query logging can give a machine up
>> to a 30% performance hit but also with today's machines it is mostly
>> negligible..
>> My question is :
>> Do folks normally use query logging as a forensic tool or are most
>> Bind installations done without logging any queries ?
>> The powers that be seem to think the performance hit outweighs any
>> forensic benefit...
>> That's pretty short-sighted, IMO. Query logging allows one to find
>> misbehaving or misconfigured apps/servers/clients, active worms, etc. By
>> identifying those bad actors and correcting them, you reduce your query
>> volumes, usually much more than 30%. So, at the end of the day, what
>> benefit is there, really, in flying blind about one's query traffic?
>> Needless to say, we log all queries here. We even have a subsystem that
>> collects summaries of those query statistics from all of our remote
>> nameserver into a central repository for further mining/analysis.
> Query logging also undermines the privacy of your users. There may 
> even be applicable state and federal laws regulating the storage of 
> information that can link users to site's they've visited.

There is no such linkage, when all users are forced to go through a web 
proxy to access Internet sites, so that it is in fact the web proxy 
which is making the DNS lookups without any distinction between one user 
and another.

Whether the web proxy logs themselves violate state and/or federal laws 
is an interesting question, but not really relevant to this thread or list.

                                             - Kevin

More information about the bind-users mailing list