Kevin Chadwick <[email protected]> wrote:
>
>> For the log file with queries have you thought about this:
>> tcpdump -i xl0 dst port domain and "(" dst host [your-resolver-IP] or
>> dst host [your-resolver-IP6] ")"
>
> For security reasons, you shouldn't really parse traffic on a production
> system, though you could write the logfile and do so offline.
>
Could you elaborate? What does parsing offline buy you security-wise that a
live system cannot? Privilege separation/dropping is straightforward in the
case of tcpdump/libpcap, and input validation is approximately /[a-z0-9_.]+/i
and would be a problem in both the live and offline case.
Another method is to physically decouple the collector from the parser.
Although traffic/CPU intensive, syslog'ing the output to another box live and
having it parsed (say via a syslog-ng pipe() destination) as it appears would
be perfectly feasible.

I personally would not use tcpdump and would cook my own using libpcap, and
probably learn how to use a DNS decoding library, but the problem space is the
same.

Cheers

-- 
Alexander Clouter
.sigmonster says: "Being disintegrated makes me ve-ry an-gry!" <huff, huff>

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
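Whichever of the two designs above is chosen, the collector still has to decode the DNS question section and validate it before a line is written to the log, which is where the "input validation" in the thread actually lives. The following is an added example, not code from the thread or from Unbound: a minimal RFC 1035 question decoder in Python that applies the allow-list per label (slightly tighter than the /[a-z0-9_.]+/i mentioned above, and with hyphen allowed, both of which are this example's own choices) and rejects the malformed inputs a parser on a live capture would meet: truncated messages, over-long labels, forward or self compression pointers, and backward pointer loops. All sample messages are constructed by hand; the logging format and the `MAX_POINTER_DEPTH` bound are assumptions of the example.

```python
import re
import struct

# Per-label allow-list (an assumption of this example, slightly tighter than the
# whole-name /[a-z0-9_.]+/i from the thread): rejecting a '.' inside a label keeps
# "a.b" (one label) from being logged identically to a.b (two labels).
LABEL_RE = re.compile(r"[a-z0-9_-]+", re.IGNORECASE)
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
MAX_POINTER_DEPTH = 16   # assumed bound on compression-pointer chains


class DnsParseError(ValueError):
    """Any malformed or policy-violating message: log a rejection and drop it."""


def read_name(msg, offset, depth=0):
    """Decode an RFC 1035 name at `offset`; return (name, offset just past it).

    A backward pointer is accepted, but a backward pointer to a name that itself
    ends in the same pointer loops forever, hence the depth bound.
    """
    if depth > MAX_POINTER_DEPTH:
        raise DnsParseError("compression pointer loop")
    labels = []
    while True:
        if offset >= len(msg):
            raise DnsParseError("truncated name")
        length = msg[offset]
        if length == 0:                          # root label ends the name
            return ".".join(labels) or ".", offset + 1
        if length & 0xC0 == 0xC0:                # compression pointer
            if offset + 1 >= len(msg):
                raise DnsParseError("truncated pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if ptr >= offset:                    # RFC 1035: only prior occurrences
                raise DnsParseError("forward or self pointer")
            suffix, _ = read_name(msg, ptr, depth + 1)
            if suffix != ".":
                labels.append(suffix)
            return ".".join(labels) or ".", offset + 2
        if length > 63:
            raise DnsParseError("label longer than 63 octets")
        raw = msg[offset + 1:offset + 1 + length]
        if len(raw) != length:
            raise DnsParseError("truncated label")
        label = raw.decode("ascii", errors="replace")   # non-ASCII fails the regex
        if not LABEL_RE.fullmatch(label):
            raise DnsParseError(f"label fails allow-list: {label!r}")
        labels.append(label.lower())
        offset += 1 + length


def parse_questions(msg):
    """Return the question section of a DNS query as a list of dicts."""
    if len(msg) < 12:
        raise DnsParseError("short header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise DnsParseError("QR bit set: a response, not a query")
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise DnsParseError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"id": msg_id, "name": name,
                          "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "qclass": qclass})
    return questions


def log_lines(msg):
    """Collector output (format assumed): one line per question, or one rejection.

    Every logged field passed the allow-list, so the line can be shipped to a
    separate parser box (e.g. over syslog) without further escaping.
    """
    try:
        return [f"query id=0x{q['id']:04x} name={q['name']} type={q['qtype']}"
                for q in parse_questions(msg)]
    except DnsParseError as exc:
        return [f"reject reason={exc}"]


# Constructed sample messages (not captured traffic). Header: id 0x1234, RD set,
# qdcount=1; QUESTION_TAIL is qtype A, qclass IN.
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
QUESTION_TAIL = b"\x00\x01\x00\x01"
SAMPLES = {
    # www.example.com A, then ftp.example.com AAAA via a pointer to offset 16
    "good": HEADER[:4] + b"\x00\x02" + HEADER[6:]
            + b"\x03www\x07example\x03com\x00" + QUESTION_TAIL
            + b"\x03ftp\xc0\x10" + b"\x00\x1c\x00\x01",
    "truncated": HEADER + b"\x03ww",
    "self_pointer": HEADER + b"\xc0\x0c" + QUESTION_TAIL,
    "pointer_loop": HEADER + b"\x02ab\xc0\x0c" + QUESTION_TAIL,   # "ab" then pointer to itself
    "bad_label": HEADER + b"\x04a b\xff\x00" + QUESTION_TAIL,
    "response": b"\x12\x34\x81\x80" + HEADER[4:] + b"\x03www\x07example\x03com\x00" + QUESTION_TAIL,
}

if __name__ == "__main__":
    for tag, raw in SAMPLES.items():
        for line in log_lines(raw):
            print(f"{tag:13} {line}")
```

Note that the name rejected for a bad label is never written to the log at all; a collector that logs the offending bytes "for debugging" has just reintroduced the injection surface the allow-list was meant to close, which is the same concern on a live box and on an offline one.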
