I'm new to dnsdist, and we're setting it up to use for some experimental 
measurements, so we can use its flexibility to send queries to different 
backends, based on different options.  Our previous setup was almost 
exclusively BIND, so all of our logging was using BIND's logging mechanism, 
sending our query log entries to syslog.  Obviously, with dnsdist now sitting 
in front of our servers, we can still log with our backend servers, but we 
don't get the original source IP address.  My wish would be to have a result 
very similar to what we had before with our logging, so we can change very 
little with our data analysis.  I've read up on dnsdist's logging capabilities, 
with protobuf or dnstap, but I have yet to find a good, solid example of how we 
might use it effectively in the same way we were before with our BIND logs to 
syslog.  The closest I got was to have something like this:

- dnsdist outputs dnstap to a UNIX domain socket.
- Some dnstap reader simply reads on the socket and then writes it to a file in 
whatever format I want (e.g., BIND query log format).  dnstap (the command-line 
tool) can do this in part, but, as I understand it, its output is YAML, which 
would require further formatting for our purposes, not to mention, it's one 
more process that I have to have running, and if it stops, I lose data.  
Finally, I would need it to handle log file rotation (e.g., similar to how 
logrotate does it), so I don't end up with one huge file.

I could also capture pcap on the interface and process it offline, but that 
seems silly.

So, my questions for the group are: how are you doing your logging, and how 
would you recommend I do mine, based on what I've given you of my requirements?


dnsdist mailing list
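One way to do the second step of the pipeline sketched above (turn a dnstap payload into a BIND-style query-log line that keeps the original client address), as an added example that is not part of the original post or of dnsdist: a dependency-free Python decoder for the dnstap protobuf fields a query-log line needs (field numbers taken from dnstap.proto), run over a constructed sample payload. Reading the Frame Streams framing off the dnsdist UNIX socket and rotating the output file are assumed to be done by the caller and are not shown.

```python
import socket
import time

# dnstap.proto field numbers used below: Dnstap.message = 14; Message.type = 1 (CLIENT_QUERY
# = 5), query_address = 4, query_port = 6, query_time_sec = 8, query_message = 10 (DNS wire).
CLIENT_QUERY = 5
QTYPES = {1: "A", 2: "NS", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}

def varint(buf, i):
    """Decode a protobuf base-128 varint at offset i -> (value, next offset)."""
    val = shift = 0
    while buf[i] & 0x80:
        val |= (buf[i] & 0x7F) << shift; shift += 7; i += 1
    return val | (buf[i] << shift), i + 1

def pb_fields(buf):
    """Minimal protobuf wire-format decoder -> {field_number: raw value}."""
    out, i = {}, 0
    while i < len(buf):
        key, i = varint(buf, i)
        num, wtype = key >> 3, key & 7
        if wtype == 0:                           # varint (enums, uint32/uint64)
            out[num], i = varint(buf, i)
        else:                                    # 2 = length-delimited, 1/5 = fixed64/fixed32
            n, i = varint(buf, i) if wtype == 2 else ({1: 8, 5: 4}[wtype], i)
            out[num], i = buf[i:i + n], i + n
    return out

def dns_question(msg):
    """Parse the first question of a DNS wire message -> (qname, qtype, qclass, rd)."""
    labels, i = [], 12                           # 12-byte header, then QNAME labels
    while msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii")); i += 1 + msg[i]
    qtype, qclass = int.from_bytes(msg[i + 1:i + 3], "big"), int.from_bytes(msg[i + 3:i + 5], "big")
    return ".".join(labels) or ".", qtype, qclass, bool(msg[2] & 0x01)

def dnstap_to_bind_log(payload):
    """Render one dnstap CLIENT_QUERY payload as a BIND-style query log line."""
    m = pb_fields(pb_fields(payload)[14])
    if m.get(1) != CLIENT_QUERY: return None     # only client queries become query-log lines
    qname, qtype, qclass, rd = dns_question(m[10])
    fam = socket.AF_INET if len(m[4]) == 4 else socket.AF_INET6
    return "%s client %s#%d (%s): query: %s %s %s %s" % (
        time.strftime("%d-%b-%Y %H:%M:%S", time.gmtime(m.get(8, 0))),
        socket.inet_ntop(fam, m[4]), m.get(6, 0), qname, qname, "IN" if qclass == 1
        else "CLASS%d" % qclass, QTYPES.get(qtype, "TYPE%d" % qtype), "+" if rd else "-")

# Constructed sample (hand-encoded, not a real capture): "example.com IN A" from 192.0.2.1#12345 at t=1600000000
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01" + bytes(6) + b"\x07example\x03com\x00\x00\x01\x00\x01"
MSG = b"\x08\x05\x22\x04\xc0\x00\x02\x01\x30\xb9\x60\x40\x80\xa0\xf8\xfa\x05\x52" + bytes([len(DNS_QUERY)]) + DNS_QUERY
SAMPLE_DNSTAP = b"\x78\x01\x72" + bytes([len(MSG)]) + MSG
```

On the socket, each dnstap payload arrives inside a Frame Streams data frame (a 4-byte big-endian length prefix; a zero length introduces a control frame), so a reader strips that framing and hands each data frame to dnstap_to_bind_log.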
