On Thu, Jun 23, 2011 at 01:58:37PM -0700, Phil Mayers wrote:
> On 06/23/2011 09:27 PM, Stefan Certic wrote:
> > Thanks Chuck
> >
> > Yes, that would be a solution, but I need logs processed through syslog and
> > stored into database (matching the initial query from query log).
> >
> > Parsing tcpdump is not going to be suitable for highly loaded system. I was
> > more looking for a solution to log responses same way queries are logged.
>
> The problem is that queries and responses are not the same type of
> thing. A query contains a single question, and is usually relatively
> small. A response can contain multiple answers, and multiple types of
> answer, and with DNSSEC they can get big.
>
> There's no inherent reason parsing tcpdump needs to be slow. It's
> written in C.
>
> Anyway: bind itself cannot log answers. You will need to patch the
> source if you want this.

Don't mean to venture into off-topic territory, but....

If you're handy with Python, pcapy[1] and impacket[2] would likely be a more efficient way to parse DNS traffic for query responses than working with tcpdump output natively (unless you're skilled with C).

Ray

[1] http://oss.coresecurity.com/projects/pcapy.html
[2] http://oss.coresecurity.com/projects/impacket.html
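
Added example (not part of the original thread, and not pcapy or impacket code): a standard-library Python parser for the DNS payload of a captured UDP packet. It shows the multiple answers and name compression a response carries, and emits one log line keyed by query ID and name. The function names, log format and sample packet are assumptions made for illustration.

```python
import ipaddress
import struct
TYPES = {1: "A", 5: "CNAME", 28: "AAAA"}  # other types are logged as hex rdata

def read_name(msg, off):  # -> (name, offset just past the name field)
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:  # a crafted response can make pointers loop
                raise ValueError("compression pointer loop")
            end = off + 2 if end is None else end
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) or ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def parse_response(msg):  # -> (id, question name, [(owner, type, ttl, value)])
    ident, flags, qd, an = struct.unpack_from("!4H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        value = rdata.hex()
        if (rtype, rdlen) in ((1, 4), (28, 16)):
            value = str(ipaddress.ip_address(rdata))
        elif rtype == 5:  # CNAME target may itself be compressed
            value = read_name(msg, off + 10)[0]
        answers.append((owner, TYPES.get(rtype, str(rtype)), ttl, value))
        off += 10 + rdlen
    return ident, qname, answers

def log_line(msg):  # one syslog-friendly line per response
    ident, qname, answers = parse_response(msg)
    rrs = ";".join("%s/%s/%d/%s" % a for a in answers)
    return "id=%d query=%s answers=%s" % (ident, qname, rrs)

SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)  # constructed reply
          + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, 7) + b"\x04host\xc0\x10"
          + b"\xc0\x2d" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
```

Truncated packets surface as `IndexError` or `struct.error`, so a capture loop feeding this parser should catch those along with `ValueError` and log the packet as malformed.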