[nsd-users] Basic Logging Support Via Syslog

Greg Holmberg greg+nsd at holmberg.to
Tue Sep 1 22:13:24 UTC 2009

On Tue, Sep 01, 2009 at 09:19:15AM +0200, W.C.A. Wijngaards wrote:
> ... is [tcpdump] not good enough for that purpose [logging NXDOMAINs]?

If the interface is left in promiscuous mode continuously, there
are a few things to be aware of.

  1) The NIC must process more traffic, sometimes more than the
  host can handle. On an underpowered host, services may suffer
  due to CPU saturation or packet loss at the congested NIC;

  2) The host is exposed to attacks against the pcap library code;

  3) The host is exposed to a small number of attacks aimed at
  services listening on addresses of other machines;

  4) The admin(s) of the host will no longer have a sure-fire way
  to know if an intruder has managed to start a network sniffer;

  5) Some latency is added to the processing of packets on the
  promiscuous interface;

Also, tcpdump has only rudimentary output capabilities for tallying/
logging the capture of specific traffic by expression. Pcap files
sometimes require a great deal of post-processing to extract the
kind of data that you typically find in an application log file.

It would be nice, as Lew pointed out, to add a small amount of code
to nsd at the point where the NXDOMAIN decision is made to allow
writing a line to a dedicated logging API like syslog, or to a simple
logfile specified at runtime.

Any additional functionality should not be on the fast code path
for valid replies. The logging can happen after the negative reply 
is sent. Logging and file access APIs that use asynchronous I/O
should be used instead of those that block.

Best regards,


More information about the nsd-users mailing list