[nsd-users] Basic Logging Support Via Syslog
ondrej at sury.org
Wed Sep 2 11:25:58 CEST 2009
You don't have to use tcpdump.
There are tools like dnscap:
There will be always "something" you need to add to logging and I am
perfectly fine with nsd not having complicated logging capabilities,
if there are other tools which can be used, without any problems.
Whole DITL (http://www.caida.org/projects/ditl/) was accomplished by
using dnscap, so I don't see why it couldn't be used for what you ask
On Wed, Sep 2, 2009 at 00:13, Greg Holmberg<greg+nsd at holmberg.to> wrote:
> On Tue, Sep 01, 2009 at 09:19:15AM +0200, W.C.A. Wijngaards wrote:
>> ... is [tcpdump] not good enough for that purpose [logging NXDOMAINs]?
> If the interface is left in promiscuous mode continuously, there
> are a few things to be aware of.
> 1) The NIC must process more traffic, sometimes more than the
> host can handle. On an underpowered host, services may suffer
> due to CPU saturation or packet loss at the congested NIC;
> 2) The host is exposed to attacks against the pcap library code;
> 3) The host is exposed to a small number of attacks aimed at
> services listening on addresses of other machines;
> 4) The admin(s) of the host will no longer have a sure-fire way
> to know if an intruder has managed to start a network sniffer;
> 5) Some latency is added to the processing of packets on the
> promiscuous interface;
> Also, tcpdump has only rudimentary output capabilities for tallying/
> logging the capture of specific traffic by expression. Pcap files
> sometimes require a great deal of post-processing to extract the
> kind of data that you typically find in an application log file.
> It would be nice, as Lew pointed out, to add a small amount of code
> to nsd at the point where the NXDOMAIN decision is made to allow
> writing a line to a dedicated logging API like syslog, or to a simple
> logfile specified at runtime.
> Any additional functionality should not be on the fast code path
> for valid replies. The logging can happen after the negative reply
> is sent. Logging and file access APIs that use asynchronous I/O
> should be used instead of those that block.
> Best regards,
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
Ondřej Surý <ondrej at sury.org>
More information about the nsd-users