<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
On 11/18/2010 1:36 PM, CT wrote:
<blockquote cite="mid:4CE5723E.6020709@obsd.us" type="cite">I am
looking for a best practices for dns query logging
<br>
<br>
Versions in use on Linux...
<br>
- BIND 9.7.1-P2
<br>
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
<br>
<br>
<br>
The minimum logging statement in my test named.conf (bind
9.7.1-P2)
<br>
<br>
logging
<br>
{
<br>
category lame-servers { null; };
<br>
category resolver { null; };
<br>
};
<br>
<br>
which I have tested still allows the dns (default)
<br>
to log to /var/log/messages
<br>
<br>
--
<br>
default The default category defines the logging options for
<br>
those categories where no specific configuration has
<br>
been defined.
<br>
</blockquote>
<blockquote>
I have also been made aware that query logging can give a machine
up to a 30% performance hit, but also with today's machines it is
mostly negligible.
<br>
<br>
My question is:
<br>
Do folks normally use query logging as a forensic tool or are most
Bind installations done without logging any queries ?
<br>
<br>
The powers that be seem to think the performance hit outweighs any
forensic benefit...
<br>
</blockquote>
<br>
That's pretty short-sighted, IMO. Query logging allows one to find
misbehaving or misconfigured apps/servers/clients, active worms,
etc. By identifying those bad actors and correcting them, you reduce
your query volumes, usually much more than 30%. So, at the end of
the day, what benefit is there, really, in flying blind about one's
query traffic?<br>
<br>
Needless to say, we log all queries here. We even have a subsystem
that collects summaries of those query statistics from all of our
remote nameservers into a central repository for further
mining/analysis.<br>
<br>
- Kevin<br>
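<br>
The per-client and per-question summary Kevin describes, as an added example in Python that is not part of this thread or of BIND itself; it assumes the BIND 9.x "queries" category line layout ("client IP#port: [view NAME:] query: NAME CLASS TYPE FLAGS (SERVER-IP)") and runs over constructed sample lines:<br>

```python
import re
from collections import Counter

# Assumed BIND 9.x "queries" category layout:
#   client IP#port: [view NAME:] query: NAME CLASS TYPE FLAGS (SERVER-IP)
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[0-9a-fA-F.:]+)\)"
)

def parse_query_line(line):
    """Fields of one query-log line as a dict, or None for non-query lines."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines, client_threshold):
    """Count queries per client and per (name, type); flag clients at/above threshold."""
    per_client, per_question, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:          # other categories (general, lame-servers, ...) end up here
            unparsed += 1
            continue
        per_client[rec["client"]] += 1
        per_question[(rec["name"].lower(), rec["qtype"])] += 1
    noisy = sorted(c for c, n in per_client.items() if n >= client_threshold)
    return {"per_client": per_client, "per_question": per_question,
            "noisy_clients": noisy, "unparsed": unparsed}

# Constructed sample lines (not from a real server); 192.0.2.77 repeats one MX
# question four times in a row, the kind of misconfigured client the log exposes.
SAMPLE_LOG = """\
18-Nov-2010 13:36:01.101 client 192.0.2.10#53211: query: www.example.com IN A + (192.0.2.1)
18-Nov-2010 13:36:01.102 client 192.0.2.10#53212: query: www.example.com IN AAAA + (192.0.2.1)
18-Nov-2010 13:36:01.150 client 192.0.2.77#1025: query: mail.example.net IN MX + (192.0.2.1)
18-Nov-2010 13:36:01.151 client 192.0.2.77#1026: query: mail.example.net IN MX + (192.0.2.1)
18-Nov-2010 13:36:01.152 client 192.0.2.77#1027: query: mail.example.net IN MX + (192.0.2.1)
18-Nov-2010 13:36:01.153 client 192.0.2.77#1028: query: mail.example.net IN MX + (192.0.2.1)
18-Nov-2010 13:36:02.000 client 192.0.2.33#40000: view internal: query: db.corp.example IN A + (192.0.2.1)
18-Nov-2010 13:36:02.500 general: info: zone example.com/IN: loaded serial 2010111801
"""

def report(log_text=SAMPLE_LOG, client_threshold=4):
    """Summary for a whole log text; clients with >= client_threshold queries are flagged."""
    return summarize(log_text.splitlines(), client_threshold)
```

Run `report()` on a real query log (read from the file the `queries` channel writes to) and the `noisy_clients` list is the first place to look for the misbehaving hosts Kevin mentions.<br>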
<br>
</body>
</html>