[rbldnsd] OT: Advise needed on what RBL operators supposed to do with logs

Michael Tokarev mjt at tls.msk.ru
Sun Sep 25 23:47:45 MSD 2005


William Leibzon wrote:
[]
> Since I certainly don't run the most active RBL list and there are others
> here who have a lot more accesses to their RBLs (probably on the order of
> 10 times more), what do you guys do with rbldnsd logs?

The simplest and most obvious answer is "nothing".  I.e., at least most high-volume
blocklists do NOT do any logging at all.  Sometimes, I run rbldnsd with
logging turned on (on an official dsbl.org, cbl.abuseat.org and spamhaus.org
nameserver) for several minutes, just to have a quick view of what's going
on, and that's basically all.  When you have 5000+ legitimate queries per
second to a nameserver (not under any DoS attack or anything like that),
trying to process logs is umm.. a somewhat crazy idea.

Another point is - what may one do with the (historical) logs in the first
place?  It's not something like email, for example, where you - sometimes -
may need to answer questions like "have we received email from this address
last year?" or "when did this IP address send us email the first time?".

Yes, logs may be useful at times for high-volume DNSBLs - like, to determine
the most active clients who're using a lot of resources, to suggest that they
switch to a local copy of a blocklist.  Or, like NJABL does, to see which
IP addresses are being queried, to run proxy/relay tests on them.  But
this is not historically relevant data; the only interest here is "now",
not "yesterday" or "last year".

/mjt
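
An added example, not part of the original message or of rbldnsd: a short-window summary of the two uses named above, counting queries per client and decoding which IPv4 addresses are being looked up. The log line layout, the zone name `bl.example.org` and all sample lines are assumptions constructed for illustration; check the layout against your own rbldnsd output.

```python
import ipaddress
from collections import Counter

# Constructed sample lines. Assumed layout (verify against your own log):
#   <unix-time> <client-ip> <query-name> <qtype> <qclass>: <rcode>/<answers>/<size>
SAMPLE_LOG = """\
1127677665 192.0.2.10 4.3.2.1.bl.example.org A IN: NOERROR/1/61
1127677665 192.0.2.10 9.113.0.203.bl.example.org A IN: NXDOMAIN/0/98
1127677666 198.51.100.7 4.3.2.1.bl.example.org A IN: NOERROR/1/61
1127677666 192.0.2.10 20.100.51.198.bl.example.org TXT IN: NXDOMAIN/0/98
1127677667 192.0.2.10 bl.example.org SOA IN: NOERROR/1/90
truncated line
"""

ZONE = "bl.example.org"  # hypothetical zone name


def queried_ip(qname, zone=ZONE):
    """Return the IPv4 address encoded in a DNSBL query name, or None."""
    qname = qname.rstrip(".").lower()
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None  # zone apex (SOA/NS) or a name outside the zone
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        # DNSBL names carry the octets in reverse order: 4.3.2.1 -> 1.2.3.4
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:
        return None


def summarize(lines, zone=ZONE):
    """Count queries per client and per queried address; skip malformed lines."""
    clients, targets = Counter(), Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        clients[fields[1]] += 1
        ip = queried_ip(fields[2], zone)
        if ip:
            targets[ip] += 1
    return clients, targets


if __name__ == "__main__":
    clients, targets = summarize(SAMPLE_LOG.splitlines())
    print("busiest clients:", clients.most_common(3))
    print("most queried addresses:", targets.most_common(3))
```

Both counters live only in memory, which matches a capture of a few minutes; nothing is kept once the summary is printed.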