[nsd-users] Basic Logging Support Via Syslog

Ondřej Surý ondrej at sury.org
Wed Sep 2 09:25:58 UTC 2009

You don't have to use tcpdump.

There are tools like dnscap:


There will be always "something" you need to add to logging and I am
perfectly fine with nsd not having complicated logging capabilities,
if there are other tools which can be used, without any problems.
Whole DITL (http://www.caida.org/projects/ditl/) was accomplished by
using dnscap, so I don't see why it couldn't be used for what you ask


On Wed, Sep 2, 2009 at 00:13, Greg Holmberg<greg+nsd at holmberg.to> wrote:
> On Tue, Sep 01, 2009 at 09:19:15AM +0200, W.C.A. Wijngaards wrote:
>> ... is [tcpdump] not good enough for that purpose [logging NXDOMAINs]?
> If the interface is left in promiscuous mode continuously, there
> are a few things to be aware of.
>  1) The NIC must process more traffic, sometimes more than the
>  host can handle. On an underpowered host, services may suffer
>  due to CPU saturation or packet loss at the congested NIC;
>  2) The host is exposed to attacks against the pcap library code;
>  3) The host is exposed to a small number of attacks aimed at
>  services listening on addresses of other machines;
>  4) The admin(s) of the host will no longer have a sure-fire way
>  to know if an intruder has managed to start a network sniffer;
>  5) Some latency is added to the processing of packets on the
>  promiscuous interface;
> Also, tcpdump has only rudimentary output capabilities for tallying/
> logging the capture of specific traffic by expression. Pcap files
> sometimes require a great deal of post-processing to extract the
> kind of data that you typically find in an application log file.
> It would be nice, as Lew pointed out, to add a small amount of code
> to nsd at the point where the NXDOMAIN decision is made to allow
> writing a line to a dedicated logging API like syslog, or to a simple
> logfile specified at runtime.
> Any additional functionality should not be on the fast code path
> for valid replies. The logging can happen after the negative reply
> is sent. Logging and file access APIs that use asynchronous I/O
> should be used instead of those that block.
> Best regards,
> Greg
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users

Ondřej Surý <ondrej at sury.org>

More information about the nsd-users mailing list