[nsd-users] Logfile/verbosity and master/slave

Lew Payne lew.payne at gmail.com
Tue Dec 16 18:39:54 UTC 2008


This has been an interesting discussion.  I (as OP) originally asked
for the ability to log bad, malformed or non-zone queries because this
has been an invaluable feature for us in detecting and blocking
malicious users.  It is part of an overall security scheme, which
includes specialized distributed software that communicates to
everything in our cluster (via anycast).

I am a long-time bind user, having first adopted it in early 1998.
For the past year, I have used maraDNS for performance reasons.  There
were idiosyncrasies in its operation that led me to look for another
lightweight solution last month, in anticipation of our new data
center migration.  I am now running nsd, and am very satisfied with
it.  The ability to parse bind-format zone files is brilliant, as is
the use of a zone compiler to store them in bdb format.  The nsdc CLI
deserves praise, too.

NSD is now being used by the site with the longest (number one, in
fact) uptime in netcraft history.  We are also one of the most
attacked sites on the Internet.  As such, detection of anything
"abnormal" is an important part of our security protocol.  I would
love to see "rejected" queries on a real-time basis, right from nsd.

Because nsd has already parsed the query and determined that it's to
be rejected, placing such code in nsd (in my opinion) makes the most
sense and offers the least amount of overhead.  The alternative is to
run yet another program, and analyze the complete IP flow... which is
a waste of CPU cycles, etc.  Also, not everyone is in a position to
run "yet another tool" to obtain this simple (from an nsd perspective)
information.  At NAP of the Americas, we are limited in rack space...
I can't just add another box every time I need to perform another task
- nor is it the wisest deployment of resources (unless part of
CISP/PCI requirements).

Therefore, I hope you will seriously consider adding "rejected" query
logging to nsd, settable via verbosity and perhaps even as a
compile-time option.

Regards,
Lew Payne


> I agree that this logging ability should *not* be added to nsd (or
> that it can be disabled at compile-time) but do note there are other
> tools than tcpdump, especially when you want fine-grain selections of
> DNS queries/responses, as requested by the OP. (tcpdump can only
> filter by IP addresses, port numbers, not by DNS content.)
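As an added example (not code from this thread or from the NSD project), the Python below makes the three categories the post wants logged concrete: given the zones a server is authoritative for, it decides whether a raw DNS query packet is malformed, asks for a name outside every served zone (which an authoritative-only server refuses), or is a legitimate in-zone query. The zone list, the packet builder and the sample packets are constructed for illustration.

```python
# Added example: classify raw DNS queries the way an authoritative server
# decides to reject them. ZONES and build_query() are constructed helpers.
import struct

ZONES = ("example.com.", "example.net.")  # constructed: zones we serve


def parse_qname(pkt, offset=12):
    """Decode the question name; raise ValueError on malformed labels."""
    labels = []
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past end of packet")
        n = pkt[offset]
        if n == 0:
            return ".".join(labels) + ".", offset + 1
        if n & 0xC0:  # a compression pointer is not valid in a question name
            raise ValueError("compression pointer in question name")
        offset += 1
        if offset + n > len(pkt):
            raise ValueError("label length exceeds packet")
        labels.append(pkt[offset:offset + n].decode("ascii").lower())
        offset += n


def classify_query(pkt, zones=ZONES):
    """Return (kind, detail) with kind in 'malformed', 'non-zone', 'in-zone'."""
    if len(pkt) < 12:
        return "malformed", "short header"
    _qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        return "malformed", "QR bit set on a query"
    if qdcount != 1:
        return "malformed", "qdcount=%d" % qdcount
    try:
        qname, end = parse_qname(pkt)
    except (ValueError, UnicodeDecodeError) as exc:
        return "malformed", str(exc)
    if end + 4 > len(pkt):  # QTYPE and QCLASS must follow the name
        return "malformed", "truncated question"
    if any(qname == z or qname.endswith("." + z) for z in zones):
        return "in-zone", qname
    return "non-zone", qname  # an authoritative-only server answers REFUSED


def build_query(name, qtype=1, qid=0x1234):
    """Constructed helper: encode a plain query (A by default) in wire format."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)
```

Feeding captured or received packets through classify_query() and counting the non-zone and malformed results per source address gives the per-client "rejected query" signal the post describes.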
