[nsd-users] Logfile/verbosity and master/slave

Lew Payne lew.payne at gmail.com
Thu Dec 11 19:15:11 UTC 2008


I hope you don't mind our exchange of ideas... In arguing this point,
I do not mean any harm.  With that in mind, I would like to
respectfully state the following:

> NSD does not do that for general queries. It does give you BIND-like
> statistics about this, but they only show you how many times that
> occurred, nothing about the query initiator.
>
> I am not too keen about putting this type of logging in-server and I
> agree with Ant and Wouter that you should tcpdump or something
> to retrieve these queries.

The idea behind not including query logging is solid - because a busy
DNS server should not be burdened with anything else that slows its
primary goal (answering queries).  However, that idea is not contrary
to logging bad, erroneous, malformed or illegal queries.  These are
the exception rather than the rule.  As such, they should have no
impact on normal nameserver performance.

That leaves us with "why would we want to log these?"  As you know,
security is a necessity when connecting something to the net,
especially if it is to be used to serve the general public.
Identifying and "fixing" sources (IPs, netblocks, ASNs, etc.) of
garbage data is an important part of security.  In fact, it may weigh
favorably with the argument of not burdening the nameserver with
unnecessary operations... since the "bad" data can be blocked (if
malicious) or fixed (if a remote ISP config error).

I would argue that incorporating "bad" queries into a log, at a
certain verbosity level, can only enhance the real-time diagnostics
nsd provides to the general community.  Since this can be turned off,
it does not impact customers who don't care about it (or aren't aware
of its security implications).

The problem with diagnosing this with external tools (tcpdump, et al.)
is that you must run the process in promiscuous mode, and thus
generate a security concern.  Also, and more important from a
performance standpoint, it must analyze and capture each incoming
packet - good and bad.  That's unnecessary processing, and a task that
nsd is already performing de facto.  nsd has the capability of
identifying bad queries already - there is no added burden in tasking
it with logging them (other than logging overhead, which I have
claimed to be minimal and helpful in this regard).

I hope you will take these points into consideration, and share them
with others as appropriate.

Regards,
Lew Payne
lew.payne at gmail.com
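
Added example, not part of the original message and not NSD's code: a sketch of the design argued for above, where the server's own parse step writes a log line only on the reject path and accepted queries write nothing. The checks, reason strings, function names and sample packets are assumptions made for illustration; a real server would also accept other opcodes such as NOTIFY.

```python
import struct
from collections import Counter

HEADER_LEN = 12  # fixed DNS header size (RFC 1035, section 4.1.1)

def reject_reason(packet: bytes):
    """Return why a UDP payload is not an acceptable query, or None if it is."""
    if len(packet) < HEADER_LEN:
        return "short-header"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:HEADER_LEN])
    if flags & 0x8000:                  # QR bit set: a response sent to a server
        return "qr-set"
    if (flags >> 11) & 0xF != 0:        # this sketch accepts only opcode 0 (QUERY)
        return "bad-opcode"
    if qdcount != 1:
        return "bad-qdcount"
    pos = HEADER_LEN                    # walk the QNAME labels, as answering requires anyway
    while pos < len(packet) and packet[pos] != 0:
        if packet[pos] > 63:            # pointer or reserved bits in a question name
            return "bad-label"
        pos += 1 + packet[pos]
    if pos >= len(packet):
        return "truncated-qname"
    if pos + 1 + 4 > len(packet):       # root label, then QTYPE and QCLASS
        return "truncated-question"
    return None

def handle(packets, log):
    """Classify (src_ip, payload) pairs, logging rejects only; return counts per source."""
    rejects = Counter()
    for src, payload in packets:
        reason = reject_reason(payload)
        if reason is not None:          # accepted queries never touch the log
            rejects[src] += 1
            log.append(f"rejected query from {src}: {reason} ({len(payload)} bytes)")
    return rejects

def _query(name, flags=0x0100, qdcount=1):
    """Build a constructed A/IN query for the sample data below."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, flags, qdcount, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

# Constructed sample traffic (documentation address ranges), one good query and three bad.
SAMPLE = [
    ("192.0.2.10", _query("example.com")),
    ("198.51.100.7", _query("example.com", flags=0x8180)),
    ("198.51.100.7", b"\x00\x01\x02"),
    ("203.0.113.5", _query("example.com")[:20]),
]
```

The per-source counts returned by `handle` are the input an operator would use to decide between blocking a source and contacting its administrator.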


