On Fri, Jul 4, 2014 at 1:00 PM, Roland Dobbins <[email protected]> wrote:
> [..] authoritative DNS infrastructure disabling logging, enabling it, and/or
> logging queries/responses out-of-band via packet-capture taps, databases,
> etc.?
At dnswl.org, we use dedicated logging on a selection of the authoritative servers. The logging is done through libpcap; we keep two bits of information: the query source IP and the query itself. In order to reduce the data volume, this data gets aggregated with counters (i.e., IP + count, query + count), regularly written to files and then sent to a central log collector once in a while for further aggregation. This removes the logging overhead from the handling of the DNS request, although at some CPU cost.

We don't care too much if we lose some data, as long as the data loss is approximately consistent. We don't need the logs for forensic analysis, but only to get relative sizes of our users and what they are querying. (And we don't need or want to know who is querying what; that's why the data is taken apart and aggregated independently from the start, consciously destroying the link between the two.)

-- Matthias

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
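The aggregation scheme Matthias describes (parse the query off the wire, count source IPs and query names in two separate tables, flush periodically, never store the IP-to-query pairing) as an added example in Python. This is illustration code written for this page, not dnswl.org's own tooling: it assumes packets arrive as (source IP, DNS payload) pairs that a real deployment would read from a libpcap tap, and the sample packets, query names and RFC 5737 addresses below are constructed here, not captured traffic.

```python
"""Privacy-preserving aggregation of authoritative DNS query logs.

Added example, not dnswl.org's code. Source IPs and query names are
counted in two independent tables so that no record ever links a
particular client to a particular name.
"""
import struct
from collections import Counter


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a minimal DNS query packet (used only to fabricate sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query_name(payload):
    """Return (qname, qtype) of the first question, or None if the packet is
    a response, truncated, or otherwise not something we want to count."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a query
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a query name
            return None
        pos += 1
        label = payload[pos:pos + length]
        if len(label) != length:
            return None
        labels.append(label.decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels) + ".", qtype


class Aggregator:
    """Two independent counters; the (ip, query) pair is discarded on arrival."""

    def __init__(self):
        self.by_ip = Counter()
        self.by_query = Counter()
        self.dropped = 0

    def observe(self, src_ip, payload):
        parsed = parse_query_name(payload)
        if parsed is None:
            self.dropped += 1
            return
        qname, qtype = parsed
        self.by_ip[src_ip] += 1              # who is querying (volume only)
        self.by_query[(qname, qtype)] += 1   # what is being queried (volume only)

    def flush(self):
        """Return the aggregated tables for shipping to the collector and reset.
        Losing one flush interval costs only counts, never forensic detail."""
        out = {
            "ip": dict(self.by_ip),
            "query": {"%s/%d" % (q, t): c for (q, t), c in self.by_query.items()},
            "dropped": self.dropped,
        }
        self.by_ip.clear()
        self.by_query.clear()
        self.dropped = 0
        return out


# Constructed sample traffic (RFC 5737 addresses, hypothetical names).
SAMPLE_PACKETS = [
    ("192.0.2.10", build_query("list.dnswl.org")),
    ("192.0.2.10", build_query("list.dnswl.org", qtype=16)),
    ("198.51.100.7", build_query("2.0.0.127.list.dnswl.org")),
    ("198.51.100.7", build_query("list.dnswl.org")),
    ("203.0.113.5", b"\x12\x34\x81\x80" + b"\x00" * 8),  # a response: skipped
    ("203.0.113.5", b"\x12\x34"),                        # truncated: skipped
]


def run_sample():
    agg = Aggregator()
    for ip, pkt in SAMPLE_PACKETS:
        agg.observe(ip, pkt)
    return agg.flush()


if __name__ == "__main__":
    print(run_sample())
```

The point to verify in any such pipeline is that the link is broken before anything is written out: here `observe` never stores the pair, so a flushed file (or a compromised collector) can answer "how many queries from this client" and "how many queries for this name", but not "which client asked for which name".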
