BIND and Windows DNS logging and archiving

Mick Lee lmick5455 at gmail.com
Wed Jul 19 13:16:18 UTC 2017


Hi All,

I wonder if I could get some advice and guidance based on everyones
experience.

I have a mix of pre-compiled versions of BIND on Linux (can't change or
re-compiled I'm afraid) and Windows DNS, and I have a need to log DNS
queries from about 100 or so of these types of servers, to identify queries
to specific domains, and to be able to go back through and search for
queries to domains which we now know to be bad.

I am currently using query logging on Linux, and Syslog to move the data
around, and simple regex matching to look for domains, but I need to get
the data from Windows servers and the current tooling is not
performant/scalable.

I could just enable Windows DNS logging and try to get the files from the
servers somehow, but from what I remember there are issues around log file
rotation and the potential for data loss there.  One of my colleagues
suggested sending the DNS queries to the Windows event log, but I am not
sure I can even do that, and I am worried about the impact too - there are
approx. 10,000 DNS qps across all servers in total.

Should I be looking at some off the shelve software (although I don't have
a lot of budget), what would even do this, or is there some open source
tool that would do the job (I have some scripting ability) - I'm quite open
to any ideas?

Any advice or guidance anyone can offer would be greatly appreciated.

(I know each environment is different, so apologies if I have left any
important detail out, please point this out if so and I will try to fill in
the gaps)

Many Thanks

Mick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20170719/8dea4e85/attachment.html>


More information about the bind-users mailing list