[nsd-users] Basic Logging Support Via Syslog
greg+nsd at holmberg.to
Tue Sep 1 22:13:24 UTC 2009
On Tue, Sep 01, 2009 at 09:19:15AM +0200, W.C.A. Wijngaards wrote:
> ... is [tcpdump] not good enough for that purpose [logging NXDOMAINs]?
If the interface is left in promiscuous mode continuously, there
are a few things to be aware of.
1) The NIC must process more traffic, sometimes more than the
host can handle. On an underpowered host, services may suffer
due to CPU saturation or packet loss at the congested NIC;
2) The host is exposed to attacks against the pcap library code;
3) The host is exposed to a small number of attacks aimed at
services listening on addresses of other machines;
4) The admin(s) of the host will no longer have a sure-fire way
to know if an intruder has managed to start a network sniffer;
5) Some latency is added to the processing of packets on the
Also, tcpdump has only rudimentary output capabilities for tallying/
logging the capture of specific traffic by expression. Pcap files
sometimes require a great deal of post-processing to extract the
kind of data that you typically find in an application log file.
It would be nice, as Lew pointed out, to add a small amount of code
to nsd at the point where the NXDOMAIN decision is made to allow
writing a line to a dedicated logging API like syslog, or to a simple
logfile specified at runtime.
Any additional functionality should not be on the fast code path
for valid replies. The logging can happen after the negative reply
is sent. Logging and file access APIs that use asynchronous I/O
should be used instead of those that block.
More information about the nsd-users