On 11/18/2010 4:10 PM, Russell Jackson wrote:
On 11/18/2010 12:19 PM, Kevin Darcy wrote:
On 11/18/2010 1:36 PM, CT wrote:
I am looking for best practices for DNS query logging.
Versions in use on Linux...
- BIND 9.7.1-P2
- BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
The minimum logging statement in my test named.conf (BIND 9.7.1-P2):
logging {
    category lame-servers { null; };
    category resolver { null; };
};
which I have tested; it still allows the DNS (default) to log to /var/log/messages
--
default The default category defines the logging options for
those categories where no specific configuration has
been defined.
--
I have also been made aware that query logging can give a machine up
to a 30% performance hit, but with today's machines it is mostly
negligible.
My question is:
Do folks normally use query logging as a forensic tool, or are most
BIND installations done without logging any queries?
The powers that be seem to think the performance hit outweighs any
forensic benefit...
That's pretty short-sighted, IMO. Query logging allows one to find
misbehaving or misconfigured apps/servers/clients, active worms, etc. By
identifying those bad actors and correcting them, you reduce your query
volumes, usually much more than 30%. So, at the end of the day, what
benefit is there, really, in flying blind about one's query traffic?
Needless to say, we log all queries here. We even have a subsystem that
collects summaries of those query statistics from all of our remote
nameservers into a central repository for further mining/analysis.
Query logging also undermines the privacy of your users. There may
even be applicable state and federal laws regulating the storage of
information that can link users to sites they've visited.
There is no such linkage, when all users are forced to go through a web
proxy to access Internet sites, so that it is in fact the web proxy
which is making the DNS lookups without any distinction between one user
and another.
Whether the web proxy logs themselves violate state and/or federal laws
is an interesting question, but not really relevant to this thread or list.
- Kevin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
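Added example (editor's code, not part of the thread and not ISC's): a small Python script that builds the per-client and per-name summaries Kevin describes and flags clients that hammer a single name, the "misbehaving or misconfigured app" pattern. It assumes BIND 9.x query-log lines as written by a file channel with `print-time yes` (optionally `print-category`/`print-severity`), where the trailing `(server-ip)` field is present in 9.7 but absent in 9.3, so the parser treats both it and the flags field as optional. The function names (`parse_query_line`, `summarize`, `noisy_clients`), the thresholds, and all sample log lines are this example's own assumptions and constructed data.

```python
import re
from collections import Counter, defaultdict

# One BIND 9.x query-log line from a file channel with "print-time yes", e.g.
#   18-Nov-2010 16:10:23.123 client 192.0.2.10#34567: query: www.example.com IN A + (192.0.2.1)
# Assumptions (not taken from the thread): an optional "queries: info: " prefix from
# print-category/print-severity, an optional flags field (+/- recursion desired plus
# S/E/T/D/C letters) and an optional "(server-ip)" suffix, so 9.3-style lines also parse.
QUERY_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"(?:\w+: )*"
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
    r"(?: (?P<flags>[-+SETDCV]+))?"
    r"(?: \((?P<server>[^)]+)\))?$"
)


def parse_query_line(line):
    """Return a dict of fields for a query-log line, or None for any other line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    q = m.groupdict()
    q["port"] = int(q["port"])
    q["name"] = q["name"].rstrip(".").lower()  # normalise trailing dot and case
    return q


def summarize(lines):
    """Aggregate query counts per client, per name and per (client, name)."""
    per_client, per_name = Counter(), Counter()
    per_client_name = defaultdict(Counter)
    parsed = unparsed = 0
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            unparsed += 1  # zone loads, notifies etc. share the file if categories are not split
            continue
        parsed += 1
        per_client[q["client"]] += 1
        per_name[q["name"]] += 1
        per_client_name[q["client"]][q["name"]] += 1
    return {"per_client": per_client, "per_name": per_name,
            "per_client_name": per_client_name, "parsed": parsed, "unparsed": unparsed}


def noisy_clients(summary, min_queries=20, single_name_share=0.9):
    """Clients that sent at least min_queries and aimed most of them at one name,
    the signature of a retry loop in a misconfigured app or a worm's lookup loop.
    Returns [(client, total, top_name, top_count)] sorted by total, descending."""
    flagged = []
    for client, total in summary["per_client"].most_common():
        if total < min_queries:
            continue
        top_name, top_count = summary["per_client_name"][client].most_common(1)[0]
        if top_count / total >= single_name_share:
            flagged.append((client, total, top_name, top_count))
    return flagged


# Constructed sample log (not real traffic): a few ordinary lookups, one 9.3-style
# line without flags/server, one non-query line, and one client retrying a dead name.
SAMPLE_LOG = [
    "18-Nov-2010 16:10:23.123 client 192.0.2.10#34567: query: www.example.com IN A + (192.0.2.1)",
    "18-Nov-2010 16:10:23.456 client 192.0.2.10#34568: query: mail.example.com IN MX + (192.0.2.1)",
    "18-Nov-2010 16:10:24.001 queries: info: client 192.0.2.11#40001: query: www.example.com IN AAAA + (192.0.2.1)",
    "18-Nov-2010 16:10:24.002 client 192.0.2.11#40002: query: Example.COM. IN NS - (192.0.2.1)",
    "18-Nov-2010 16:10:25.000 client 192.0.2.12#5353: query: ldap.corp.example IN A",
    "18-Nov-2010 16:10:25.100 named[1234]: zone example.com/IN: loaded serial 2010111801",
] + [
    f"18-Nov-2010 16:10:{26 + i // 10:02d}.{(i % 10) * 100:03d} client 198.51.100.7#{50000 + i}: "
    f"query: oldserver.corp.example IN A + (192.0.2.1)"
    for i in range(30)
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed {s['parsed']} queries, skipped {s['unparsed']} non-query lines")
    print("top clients:", s["per_client"].most_common(3))
    print("top names:  ", s["per_name"].most_common(3))
    for client, total, name, count in noisy_clients(s):
        print(f"check {client}: {count}/{total} queries for {name}")
```

Point it at the file your `category queries { ...; };` channel writes (or at a merged copy from several servers, as the thread's central repository does); the per-client and per-name counters are the summaries worth shipping centrally, while the per-(client, name) table is what actually links a user to a name, so it is the part to keep local and age out quickly if the privacy concern raised above applies to you.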