On 06/14/2011 03:53 PM, Alexander Clouter wrote:
Phil Mayers<[email protected]> wrote:
For the log file with queries have you thought about this:
tcpdump -i xl0 dst port domain and "(" dst host [your-resolver-IP] or
dst host [your-resolver-IP6] ")"
For security reasons, you shouldn't really parse traffic on a production
system, though you could write the logfile and do so offline.
...which would be a good reason for unbound to do the logging itself.
Unbound has already parsed the DNS packet, by necessity.
...logging in the 'fast path', not advisable.
Says who?
Bind 9 manages this just fine at our site, at excessively high loads.
Plus assuming part of the reason you might be logging is to catch
unbound-kill packets, not great.
I think it would be better to have packets no kill unbound personally...
Using a specific logging/recording tool means it becomes independent on
the DNS server you use.
It's also another bit of software to install, update, configure and
manage. It's another independent DNS parser, which may or may not be as
robust as the DNS parser in a high-volume recursive resolver. And it
lacks access to internal resolver state, which the logging may or may
not want to record e.g.
date name class type flags from-cache=yes|no
But hey - since unbound already doesn't log, you've got what you want,
so why worry?
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
