Can someone tell me if nsd (3.2.0) supports logging the actual queries it receives (regardless of the answer, such as NXDOMAIN)? Yes, I realize that purists will tell me it slows down the DNS server, but for a certain application, I need to know what IP address is requesting what record lookup. I have tried to increase the "verbosity" but still don't get individual query information. Does anyone know if there's a patch available to do this already? Perhaps one that enables this feature at a certain verbosity level?

Another question - Is it possible to configure nsd such that it is both a master and a slave for the same zones? The idea behind this is that I'd like to be able to update any of the nsd zonefiles residing on any of the boxes, and have that update propagate to the others. Yes, I realize I can do this (crudely and forcefully) with a cron job that rsyncs and triggers a reload, but I was hoping there was a better way that actually used NOTIFY or such.

Thanks in advance... I'm converting from MaraDNS due to response bugs, after 10 years of BIND.

Regards,
Lew Payne
Lew Payne writes:

> Yes, I realize that purists will tell me it slows down the DNS server,
> but for a certain application, I need to know what IP address is
> requesting what record lookup.

tcpdump will tell you this, and IMO using tcpdump is better than doing it in-server, since tcpdump has a nice query language and can be started and stopped independently of the server.

Arnt
Lew Payne wrote:

> Can someone tell me if nsd (3.2.0) supports logging the actual queries
> it receives (regardless of the answer, such as NXDOMAIN)?

No. Programs like dnsmon and tcpdump can do this I believe. You could run tcpdump dst port 53 and dst host <public address of your machine>.

> Yes, I realize that purists will tell me it slows down the DNS server,

Exact.

> Another question - Is it possible to configure nsd such that it is
> both a master and a slave for the same zones? The idea behind this is
> that I'd like to be able to update any of the nsd zonefiles residing
> on any of the boxes, and have that update propagate to the others.
> Yes, I realize I can do this (crudely and forcefully) with a cron job
> that rsyncs and triggers a reload, but I was hoping there was a better
> way that actually used NOTIFY or such.

Yes, simply configure. I wrote NSD3 to be able to do this :-) Set up allow-notify, request-xfr, notify and provide-xfr to all other servers. Please use a TSIG key for security. This will cause all servers to notify all others, and attempt to download from them.

The only downside is the perpetual zone problem (discussed in dnsop draft-expire) where the zone will never expire, because every server can update its lease from any other (master). The only way to make a zone go away would be to de-configure the zone on the servers.

Best regards,
Wouter
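The full-mesh setup Wouter describes, written out as an added nsd.conf fragment (example configuration, not from the original thread or from the NSD project). It shows server A of a two-server mesh; server B gets the same block with the peer address swapped, and a larger mesh repeats the four per-peer lines once for every other server. The addresses (192.0.2.x documentation range), zone name, file path, key name and secret are placeholders; the key uses hmac-sha256, which assumes the NSD build supports it (hmac-md5 is the fallback on older builds).

```nsd
# nsd.conf fragment for server A (192.0.2.1) in a two-server mesh.
# Server B (192.0.2.2) carries the mirror image with 192.0.2.1 as its peer.
# All addresses, names and the secret below are placeholders.

key:
    name: "mesh-key"
    algorithm: hmac-sha256
    secret: "REPLACE_WITH_BASE64_SECRET=="

zone:
    name: "example.com"
    zonefile: "/etc/nsd/zones/example.com.zone"

    # Master role towards B: tell B about local changes and serve it transfers.
    notify: 192.0.2.2 mesh-key
    provide-xfr: 192.0.2.2 mesh-key

    # Slave role towards B: accept B's NOTIFYs and pull the zone from it.
    allow-notify: 192.0.2.2 mesh-key
    request-xfr: 192.0.2.2 mesh-key
```

Two things to check when this does not propagate: every edit to a zonefile must raise the SOA serial, because a peer only transfers a zone whose serial is higher than the copy it holds, and the TSIG secret must be identical on every server, otherwise the NOTIFY and transfer requests are rejected as unsigned or badly signed. With every server able to refresh from every other, the expire caveat above applies: removing a zone means removing it from each server's configuration, not just deleting the file on one of them.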
Wouter and Arnt - Thank you for your answers to my previous questions. So far, nsd (3.2.0) is behaving nicely, with roughly 200 zones that it is authoritative for. Being able to import BIND8 zone files was a big bonus, as is having a CLI (nsdc).

Can you tell me if nsd logs erroneous or broken queries? For example: queries for non-authoritative domains, malformed queries (common with exploit scripts), and queries for non-existent sub-domains (within our authoritative zone - NXDOMAIN)? These are all very useful for security purposes, and I (used to, until I switched) use them to feed a daemon that tracks them and takes evasive action when necessary (via ipfw radix table entries). Is there any chance of getting this type of logging, at a certain verbosity setting?

Regards,
Lew Payne
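Arnt and Wouter both point at tcpdump rather than in-server logging, and the follow-up question above is about spotting queries for domains the server is not authoritative for. The added script below (my example, not code from the thread or from NSD) shows what that looks like in practice: it parses the text that `tcpdump -n 'dst port 53'` prints for DNS queries, tallies queries per source address, and flags names outside a configured list of authoritative zones. The sample lines, the zone list and the addresses are constructed; the last sample line is the `[|domain]` marker tcpdump prints for a truncated DNS payload, standing in for a malformed query. Real captures would be fed in from a file or a pipe instead of the embedded string.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n 'dst port 53'` output for a DNS query, e.g.
#   12:00:00.000001 IP 198.51.100.7.54321 > 192.0.2.1.53: 12345+ A? www.example.com. (33)
# Fields: timestamp, src.port, dst.port, query id (+ = RD set), qtype, qname, length.
# IPv4-only for brevity (constructed example; the IP6 variant prints addresses with ':').
TCPDUMP_QUERY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<id>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)

# Zones this server is authoritative for (placeholder list).
AUTHORITATIVE_ZONES = ["example.com.", "example.net."]


def in_authoritative_zone(qname, zones):
    """True if qname equals one of the zones or sits below one of them."""
    q = qname.lower().rstrip(".") + "."
    for zone in zones:
        z = zone.lower().rstrip(".") + "."
        if q == z or q.endswith("." + z):
            return True
    return False


def parse_query_line(line):
    """Return {'src', 'qtype', 'qname'} for a query line, or None if it is not one."""
    m = TCPDUMP_QUERY.match(line.strip())
    if not m:
        return None
    return {"src": m.group("src"), "qtype": m.group("qtype"),
            "qname": m.group("qname").lower()}


def summarize(lines, zones):
    """Tally queries per source address and collect off-zone and unparsable lines.

    Returns (per_src_counts, off_zone, unparsed):
      per_src_counts: {source_ip: number_of_queries}
      off_zone:       [(source_ip, qname)] for names outside `zones`
      unparsed:       non-empty lines that are not well-formed query lines
    """
    per_src = defaultdict(int)
    off_zone = []
    unparsed = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line.strip())
            continue
        per_src[rec["src"]] += 1
        if not in_authoritative_zone(rec["qname"], zones):
            off_zone.append((rec["src"], rec["qname"]))
    return dict(per_src), off_zone, unparsed


# Constructed sample capture: two clients, one of them asking for a name we do
# not serve, plus a truncated packet that tcpdump could not decode.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 198.51.100.7.54321 > 192.0.2.1.53: 12345+ A? www.example.com. (33)
12:00:00.000002 IP 198.51.100.7.54322 > 192.0.2.1.53: 12346+ MX? example.com. (29)
12:00:00.000003 IP 203.0.113.9.40000 > 192.0.2.1.53: 1+ A? isc.org. (25)
12:00:00.000004 IP 203.0.113.9.40001 > 192.0.2.1.53: 2+ ANY? example.net. (29)
12:00:00.000005 IP 203.0.113.9.40002 > 192.0.2.1.53: [|domain]
"""


def run_sample():
    return summarize(SAMPLE_CAPTURE.splitlines(), AUTHORITATIVE_ZONES)


if __name__ == "__main__":
    counts, off_zone, unparsed = run_sample()
    for src, n in sorted(counts.items()):
        print(f"{src}: {n} queries")
    for src, name in off_zone:
        print(f"off-zone query from {src} for {name}")
    for line in unparsed:
        print(f"undecodable: {line}")
```

The off-zone and undecodable lists are the pieces a tracking daemon of the kind described above would consume; what the script deliberately cannot tell is whether an in-zone name exists, because that answer lives in the server's response, so an NXDOMAIN view needs the reply traffic (`src port 53`) captured and matched by query id as well.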