[nsd-users] Basic Logging Support Via Syslog
Ondřej Surý
ondrej at sury.org
Wed Sep 2 09:25:58 UTC 2009
You don't have to use tcpdump.
There are tools like dnscap:
https://www.dns-oarc.net/tools/dnscap
There will always be "something" you need to add to logging, and I am
perfectly fine with nsd not having complicated logging capabilities
if there are other tools which can be used without any problems.
The whole DITL (http://www.caida.org/projects/ditl/) was accomplished
using dnscap, so I don't see why it couldn't be used for what you ask
for.
Ondrej.
On Wed, Sep 2, 2009 at 00:13, Greg Holmberg <greg+nsd at holmberg.to> wrote:
> On Tue, Sep 01, 2009 at 09:19:15AM +0200, W.C.A. Wijngaards wrote:
>>
>> ... is [tcpdump] not good enough for that purpose [logging NXDOMAINs]?
>>
>
> If the interface is left in promiscuous mode continuously, there
> are a few things to be aware of.
>
> 1) The NIC must process more traffic, sometimes more than the
> host can handle. On an underpowered host, services may suffer
> due to CPU saturation or packet loss at the congested NIC;
>
> 2) The host is exposed to attacks against the pcap library code;
>
> 3) The host is exposed to a small number of attacks aimed at
> services listening on addresses of other machines;
>
> 4) The admin(s) of the host will no longer have a sure-fire way
> to know if an intruder has managed to start a network sniffer;
>
> 5) Some latency is added to the processing of packets on the
> promiscuous interface;
>
> Also, tcpdump has only rudimentary output capabilities for tallying/
> logging the capture of specific traffic by expression. Pcap files
> sometimes require a great deal of post-processing to extract the
> kind of data that you typically find in an application log file.
>
> It would be nice, as Lew pointed out, to add a small amount of code
> to nsd at the point where the NXDOMAIN decision is made to allow
> writing a line to a dedicated logging API like syslog, or to a simple
> logfile specified at runtime.
>
> Any additional functionality should not be on the fast code path
> for valid replies. The logging can happen after the negative reply
> is sent. Logging and file access APIs that use asynchronous I/O
> should be used instead of those that block.
>
> Best regards,
>
> Greg
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users
>
--
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
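A sketch of the deferred NXDOMAIN logging Greg describes, added here as an example and not nsd's own code: the fast path only queues the event into a bounded ring and never blocks, while a separate flush runs after the negative reply has gone out, with a per-call budget so the writer cannot starve query handling. The `nxlog_*` names and the ring size are assumptions; syslog(3) itself can block when the local log socket is congested, which is why the flush is kept off the reply path and bounded rather than being called inline.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical deferred NXDOMAIN logger (example code, not nsd's). */
#define NXLOG_SLOTS 64        /* assumed ring size; must be a power of two */
#define NXLOG_NAME_MAX 255    /* longest presentation-format DNS name */

struct nxlog_entry {
    char qname[NXLOG_NAME_MAX + 1];
    char client[64];          /* textual client address, constructed by caller */
};

static struct nxlog_entry nxlog_ring[NXLOG_SLOTS];
static unsigned nxlog_head, nxlog_tail;   /* single-threaded: plain counters suffice */
static unsigned long nxlog_dropped;       /* events lost because the ring was full */

/* Fast path, called where the NXDOMAIN decision is made. Copies the event
 * into the ring and returns 0; returns -1 (and counts a drop) if the ring
 * is full, so query handling is never delayed by the log sink. */
int nxlog_record(const char *qname, const char *client)
{
    if (nxlog_head - nxlog_tail >= NXLOG_SLOTS) { nxlog_dropped++; return -1; }
    struct nxlog_entry *e = &nxlog_ring[nxlog_head % NXLOG_SLOTS];
    snprintf(e->qname, sizeof e->qname, "%s", qname);
    snprintf(e->client, sizeof e->client, "%s", client);
    nxlog_head++;
    return 0;
}

/* Slow path, called after the negative reply has been sent (for instance
 * from the event loop when it is otherwise idle). Writes at most `budget`
 * queued events to syslog and returns how many were written; the budget
 * keeps one flush from monopolising the server when the sink is slow. */
unsigned nxlog_flush(unsigned budget)
{
    unsigned n = 0;
    while (nxlog_tail != nxlog_head && n < budget) {
        struct nxlog_entry *e = &nxlog_ring[nxlog_tail % NXLOG_SLOTS];
        syslog(LOG_INFO, "NXDOMAIN qname=%s client=%s", e->qname, e->client);
        nxlog_tail++;
        n++;
    }
    if (nxlog_dropped) {   /* report loss once, rather than silently losing it */
        syslog(LOG_WARNING, "NXDOMAIN log: %lu events dropped", nxlog_dropped);
        nxlog_dropped = 0;
    }
    return n;
}

/* Number of events queued but not yet flushed. */
unsigned nxlog_pending(void) { return nxlog_head - nxlog_tail; }
```

Sample names and addresses in the test are constructed (RFC 5737 documentation range); on a host without a local syslog socket the messages are silently discarded, which is exactly the loss the `nxlog_dropped` counter is not meant to hide, so a deployment would also want to monitor the sink itself.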