[bind10-dev] Preventing a DOS attack via message logging
JINMEI Tatuya / 神明達哉
jinmei at isc.org
Wed Dec 19 17:34:25 UTC 2012
At Wed, 19 Dec 2012 11:18:23 +0000,
Stephen Morris <stephen at isc.org> wrote:
> > There are two approaches to get round this:
> >
> > a) Make the logging of packet-dependent events a DEBUG-severity
> > message. DEBUG is not enabled by default, so these events will not
> > be recorded unless DEBUG is specifically chosen.
> >
> > b) Record system-related and packet-related messages via different
> > loggers (e.g. in the example given, server events could be logged
> > using the logger "auth" and packet-related events at that level
> > logged using the logger "pkt-auth".) As the loggers are
> > independent and the severity levels independent, fine-tuning of
> > what is and what is not recorded can be achieved.
>
> That was written early on, when the logging code was written. As the
> question has come up in relation to the DHCP server, I'm curious as to
> what solution has been used in the DNS code. Or is this a non-issue?
In my understanding DNS-related BIND 10 servers generally adopt
approach a), although there still seem to be some higher level
messages that should be changed. I actually thought it was a common
practice to log such types of events at a debug-like level.
---
JINMEI, Tatuya
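The two approaches discussed above (packet-driven events at DEBUG severity, and a separate logger for packet-related events so its level can be tuned independently of the server logger) can be shown together in a small simulation. The following is an added example, not BIND 10 code; it uses Python's standard `logging` module with the logger names "auth" and "pkt-auth" from the quoted text, and the packet format, the helper names (`run_server`, `make_flood`) and the 192.0.2.1 source address are constructed for the demonstration. The point it makes is that a flood of malformed packets from one source produces no log output under the default configuration, and only produces per-packet lines once debug logging is explicitly turned on for the packet logger.

```python
import io
import logging

def _build_loggers(stream, packet_debug=False):
    """Approach b): 'auth' carries server events, 'pkt-auth' carries
    per-packet events, and each has its own severity threshold.
    Approach a): per-packet events are emitted at DEBUG, which stays
    disabled unless the operator asks for it."""
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
    auth = logging.getLogger("auth")
    pkt = logging.getLogger("pkt-auth")
    for lg in (auth, pkt):
        lg.handlers.clear()      # keep repeated calls from stacking handlers
        lg.propagate = False     # do not fall through to the root logger
        lg.addHandler(handler)
    auth.setLevel(logging.INFO)
    pkt.setLevel(logging.DEBUG if packet_debug else logging.INFO)
    return auth, pkt

def make_flood(n, src="192.0.2.1"):
    """Constructed input: n malformed packets from a single source."""
    return [{"src": src, "malformed": True, "qname": None} for _ in range(n)]

def run_server(packets, packet_debug=False):
    """Process the packets and return the log lines that were emitted."""
    stream = io.StringIO()
    auth, pkt = _build_loggers(stream, packet_debug)
    auth.info("server started")
    for p in packets:
        if p["malformed"]:
            # Attacker-controlled event: DEBUG on the packet logger only.
            pkt.debug("dropping malformed query from %s", p["src"])
        else:
            pkt.debug("query from %s for %s", p["src"], p["qname"])
    auth.info("server stopping")
    return stream.getvalue().splitlines()

if __name__ == "__main__":
    flood = make_flood(10000)
    print(len(run_server(flood)), "lines with default levels")
    print(len(run_server(flood, packet_debug=True)), "lines with pkt-auth at DEBUG")
```

With the default levels the 10,000-packet flood yields just the two server-event lines; enabling DEBUG on "pkt-auth" alone adds one line per packet while leaving the "auth" logger's threshold untouched.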