[nsd-users] Basic Logging Support Via Syslog

Ondřej Surý ondrej at sury.org
Wed Sep 2 09:25:58 UTC 2009


You don't have to use tcpdump.

There are tools like dnscap:

https://www.dns-oarc.net/tools/dnscap

There will always be "something" you need to add to logging, and I am
perfectly fine with nsd not having complicated logging capabilities
if there are other tools that can be used without any problems.
The whole DITL (http://www.caida.org/projects/ditl/) was accomplished
using dnscap, so I don't see why it couldn't be used for what you ask
for.

Ondrej.

On Wed, Sep 2, 2009 at 00:13, Greg Holmberg <greg+nsd at holmberg.to> wrote:
> On Tue, Sep 01, 2009 at 09:19:15AM +0200, W.C.A. Wijngaards wrote:
>>
>> ... is [tcpdump] not good enough for that purpose [logging NXDOMAINs]?
>>
>
> If the interface is left in promiscuous mode continuously, there
> are a few things to be aware of.
>
>  1) The NIC must process more traffic, sometimes more than the
>  host can handle. On an underpowered host, services may suffer
>  due to CPU saturation or packet loss at the congested NIC;
>
>  2) The host is exposed to attacks against the pcap library code;
>
>  3) The host is exposed to a small number of attacks aimed at
>  services listening on addresses of other machines;
>
>  4) The admin(s) of the host will no longer have a sure-fire way
>  to know if an intruder has managed to start a network sniffer;
>
>  5) Some latency is added to the processing of packets on the
>  promiscuous interface;
>
> Also, tcpdump has only rudimentary output capabilities for tallying/
> logging the capture of specific traffic by expression. Pcap files
> sometimes require a great deal of post-processing to extract the
> kind of data that you typically find in an application log file.
>
> It would be nice, as Lew pointed out, to add a small amount of code
> to nsd at the point where the NXDOMAIN decision is made to allow
> writing a line to a dedicated logging API like syslog, or to a simple
> logfile specified at runtime.
>
> Any additional functionality should not be on the fast code path
> for valid replies. The logging can happen after the negative reply
> is sent. Logging and file access APIs that use asynchronous I/O
> should be used instead of those that block.
>
> Best regards,
>
> Greg
-- 
Ondřej Surý <ondrej at sury.org>
http://blog.rfc1925.org/
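The thread contrasts tcpdump/dnscap post-processing with an in-server NXDOMAIN log line. The following is an added example, not code from the thread, from NSD or from dnscap: it parses raw DNS wire-format responses, picks out those with RCODE 3 (NXDOMAIN) and tallies them per query name and type, which is the post-processing step Greg describes. The sample messages are constructed inline; `build_response` exists only to produce them.

```python
import struct
from collections import Counter

NXDOMAIN = 3  # RCODE "name error" (RFC 1035 section 4.1.1)

def parse_qname(msg, offset):
    """Decode an uncompressed question name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointer; never valid in a question name
            raise ValueError("compressed name in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset

def nxdomain_record(msg):
    """Return (qname, qtype) if msg is an NXDOMAIN response, else None."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    # QR bit (0x8000) marks a response; the low four bits carry the RCODE
    if not (flags & 0x8000) or (flags & 0x000F) != NXDOMAIN or qdcount < 1:
        return None
    qname, off = parse_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return qname, qtype

def build_response(qname, qtype, rcode):
    header = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0, 0, 0)  # QR|AA + rcode
    name = b"".join(bytes([len(lab)]) + lab.encode()
                    for lab in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def tally_nxdomain(messages):
    """Count NXDOMAIN responses per (qname, qtype), as a log post-processor would."""
    counts = Counter()
    for msg in messages:
        rec = nxdomain_record(msg)
        if rec is not None:
            counts[rec] += 1
    return counts

# Constructed sample traffic: three NXDOMAIN replies and one NOERROR reply.
SAMPLE = [build_response("nope.example.", 1, NXDOMAIN),
          build_response("www.example.", 1, 0),
          build_response("nope.example.", 1, NXDOMAIN),
          build_response("nope.example.", 28, NXDOMAIN)]
```

Feeding the payloads of captured UDP port 53 responses into `tally_nxdomain` gives the per-name NXDOMAIN counts that an in-server syslog line would otherwise provide directly.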
