On 2020/06/04 00:56, Bac Nguyen Huy via nsd-users wrote:
> Thanks for your answer.
> I would like to discuss the remaining content in more detail: Please share
> your opinion, the way you are doing
>
> - Why do many DNS software packages and DNS systems not support query logging?

Most of the common DNS server software does support logging via dnstap. Because there are many monitoring infrastructures people may want to log to, and many types of server that they may want to monitor, it makes sense to separate them, rather than have to implement every monitoring system for every DNS server.

> - Is monitoring log query on a DNS Authoritative server really necessary? We
> should or shouldn't log query on DNS Server.

That's a decision for the operator of an authoritative server. Some need/want to do this type of monitoring, some don't care, some explicitly do _not_ want to monitor.

> Enabling tcpdump on the server reduces DNS server performance like
> enabling query log or not like ???

Yes, but so would any kind of monitoring running on the DNS server itself (e.g. writing queries to syslog on local disk would usually cause a big hit to performance).

The method that affects the DNS server the least is to tap the network port. Either with a specific tapping device or set the network switch to mirror packets (sometimes called "span port") to another port and capture them on a separate host. The monitoring host can then be optimized for monitoring (tcpdump or whatever else), the authoritative server can be optimized for serving DNS, and if it's necessary to take the monitor out of action, replace it, etc, it doesn't affect live service.

There are the various methods that can be done on the server itself - either external to the auth server software (tcpdump, dnstop, etc) or built-in via dnstap.

You can also use a proxy upstream of the real authoritative server - for example dnsdist - and possibly divert "interesting" queries to a server doing full monitoring and send the "regular" queries to a standard server. Or send a proportion of queries to a server with monitoring and others to standard servers.

There are many options, the hard thing is choosing which is the best fit for what you're trying to do.
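As an added illustration of the dnsdist approach described in the reply (this is example configuration, not something from the thread or from the dnsdist project), the following dnsdist Lua config routes all queries for one zone plus a 5% sample of everything else to a backend that does full query logging, and the rest to plain authoritative servers. All addresses are placeholders from the RFC 5737 documentation range and the zone name is assumed.

```lua
-- Added example: dnsdist in front of authoritative servers, diverting
-- "interesting" queries and a sample of the rest to a monitored backend.
-- 192.0.2.x addresses and example.net are placeholders, not real hosts.

-- Address the proxy listens on for client queries
setLocal("192.0.2.10:53")

-- Pool "plain": authoritative servers tuned purely for serving DNS
newServer({address="192.0.2.21:53", pool="plain"})
newServer({address="192.0.2.22:53", pool="plain"})

-- Pool "monitored": a server where every query is logged (e.g. via dnstap)
newServer({address="192.0.2.30:53", pool="monitored"})

-- Rule 1: every query for the zone of interest goes to the monitored server
interesting = newSuffixMatchNode()
interesting:add(newDNSName("example.net."))
addAction(SuffixMatchNodeRule(interesting), PoolAction("monitored"))

-- Rule 2: of the remaining queries, roughly 5% are sampled to the
-- monitored server; ProbaRule matches each query with the given probability
addAction(ProbaRule(0.05), PoolAction("monitored"))

-- Rule 3: everything else is served from the plain pool
addAction(AllRule(), PoolAction("plain"))
```

Rules are evaluated in order and PoolAction stops further processing, so the zone match takes precedence over the sampling rule, and the sampling rule over the default.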
_______________________________________________
nsd-users mailing list
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
