[nsd-users] About NSD query logging?

Stuart Henderson stu at spacehopper.org
Wed Jun 3 20:20:17 UTC 2020


On 2020/06/04 00:56, Bac Nguyen Huy via nsd-users wrote:
> Thanks for your answer.
> I would like to discuss the remaining content in more detail: Please share your opinion, the
> way you are doing
> 
> - Why do many DNS software packages and DNS systems not support query logging?

Most of the common DNS server software does support logging via dnstap.
Because there are many monitoring infrastructures people may want to log to,
and many types of server that they may want to monitor, it makes sense to
separate them, rather than have to implement every monitoring system for
every DNS server.

> - Is monitoring query logs on a DNS authoritative server really necessary? Should we or shouldn't we
> log queries on the DNS server?

That's a decision for the operator of an authoritative server. Some
need/want to do this type of monitoring, some don't care, some
explicitly do _not_ want to monitor.

> Does enabling tcpdump on the server reduce DNS server performance like
> enabling the query log does, or not?

Yes, but so would any kind of monitoring running on the DNS server
itself (e.g. writing queries to syslog on local disk would usually
cause a big hit to performance).

The method that affects the DNS server the least is to tap the network
port. Either with a specific tapping device or set the network switch
to mirror packets (sometimes called "span port") to another port and
capture them on a separate host. The monitoring host can then be
optimized for monitoring (tcpdump or whatever else), the authoritative
server can be optimized for serving DNS, and if it's necessary to take
the monitor out of action, replace it, etc., it doesn't affect live
service.

There are also various methods that can be done on the server itself -
either external to the auth server software (tcpdump, dnstop, etc)
or built-in via dnstap.

You can also use a proxy upstream of the real authoritative server -
for example dnsdist - and possibly divert "interesting" queries to a
server doing full monitoring and send the "regular" queries to a standard
server. Or send a proportion of queries to a server with monitoring and
others to standard servers.

There are many options, the hard thing is choosing which is the best
fit for what you're trying to do.
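
As an added illustration of the off-box monitoring and the proxy-style diversion described above (example code written for this page, not part of the thread or of NSD, dnstap or dnsdist), the script below does the two jobs a separate monitoring host would do: it parses raw DNS queries as they arrive from a span port or tap (RFC 1035 wire format, including compression pointers and truncated messages), aggregates them dnstop-style, and applies a routing policy that sends "interesting" names to a fully monitored pool and a fixed proportion of the rest there as well. The sample capture, the suffix list and the per-client hashing used for the proportion are constructed assumptions of this example.

```python
"""Off-box DNS query monitor: parse, aggregate and route wire-format queries.
Added example, not from the nsd-users thread; all sample data is constructed."""
import hashlib
import struct
from collections import Counter

# Common QTYPE codes (RFC 1035 / RFC 3596); unknown codes are reported numerically.
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}


def read_name(msg, offset):
    """Decode a DNS name starting at `offset`, following compression pointers
    (RFC 1035 section 4.1.4). Returns (name, offset just past the name in the
    original stream). Pointer chains are bounded so a hostile capture cannot
    loop the parser forever."""
    labels = []
    end = None
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer: 11xxxxxx xxxxxxxx
            if end is None:
                end = offset + 2             # caller resumes after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        if length == 0:                       # root label terminates the name
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels) + ".", end


def parse_query(msg, client):
    """Parse the header and first question of a wire-format DNS query and return
    the record a monitor would log. Raises ValueError on anything malformed."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"client": client, "id": txid, "qname": qname.lower(),
            "qtype": QTYPES.get(qtype, str(qtype))}


def route(client, qname, interesting_suffixes, fraction):
    """Pick the pool for a query: divert names under an "interesting" suffix to the
    monitored pool, and send a fixed proportion of the remaining clients there too.
    The proportion is chosen by hashing the client address (deterministic per client
    rather than a random per-query coin); that choice is an assumption of this example."""
    for suffix in interesting_suffixes:
        if qname == suffix or qname.endswith("." + suffix):
            return "monitor"
    bucket = int(hashlib.sha256(client.encode()).hexdigest(), 16) % 10000
    return "monitor" if bucket < int(fraction * 10000) else "standard"


def summarize(samples):
    """dnstop-style aggregation over (client, wire message) pairs captured off-box.
    Malformed messages are counted rather than allowed to crash the monitor."""
    stats = {"qnames": Counter(), "qtypes": Counter(), "clients": Counter(), "malformed": 0}
    for client, msg in samples:
        try:
            q = parse_query(msg, client)
        except ValueError:
            stats["malformed"] += 1
            continue
        stats["qnames"][q["qname"]] += 1
        stats["qtypes"][q["qtype"]] += 1
        stats["clients"][client] += 1
    return stats


def build_query(qname, qtype, txid=0x1234):
    """Construct a minimal wire-format query (used only to build sample input)."""
    wire = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    for label in qname.rstrip(".").split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed sample capture: (client address, raw DNS message).
SAMPLES = [
    ("192.0.2.10", build_query("www.example.com", 1)),
    ("192.0.2.10", build_query("www.example.com", 28)),
    ("192.0.2.11", build_query("mail.example.net", 15)),
    ("192.0.2.12", b"\x12\x34\x01\x00\x00\x01"),          # cut short on the wire
    ("192.0.2.13", build_query("example.com", 255)),
]

if __name__ == "__main__":
    stats = summarize(SAMPLES)
    print("top names:", stats["qnames"].most_common(3))
    print("qtypes:", dict(stats["qtypes"]), "malformed:", stats["malformed"])
    for client, msg in SAMPLES[:3]:
        q = parse_query(msg, client)
        print(q["qname"], "->", route(client, q["qname"], ("example.net.",), 0.0))
```

Because the parser runs on the monitoring host, a crafted or truncated packet at worst increments the `malformed` counter there; the authoritative server never executes any of this, which is the point of the span-port layout above. In a real deployment the input would come from the capture interface or a dnstap socket rather than the embedded sample list.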
