Best Practice for Unbound Caching DNS server

Tags: domain-name-system, unbound

We have an Unbound caching server that was set up by another internal team. However, there is no logging enabled. I not only want this enabled for troubleshooting internal name resolution issues, but also to feed into a SIEM and do other traffic analysis.

My questions (and I know every environment is different):

  • Is there a "sizing guide" so one can ascertain how much disk space should be allocated to the DNS caching host?

  • I suppose this might be determined by the log verbosity, so with verbosity: 1 or verbosity: 3, etc., how does this come into play?

  • Is there anything else to consider other than just adding the #logfile directive to the .conf file?

  • To get the Unbound logs over to a syslog/SIEM, I suspect I will need to use something like rsyslog – correct?

Thanks in advance for any help or advice
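The two pieces the question asks about (the Unbound logging directives and the rsyslog forwarding rule) as an added configuration example; it is not from the original post, and the hostname siem.example.internal, the log path and the log-rotation choices are assumptions:

```conf
# --- /etc/unbound/unbound.conf (server: section), added example ---
server:
    # 0 = errors only; 1 = operational info (default, fine for production);
    # 2+ = per-query detail and grows quickly. Raise temporarily when troubleshooting.
    verbosity: 1

    # Send log lines to syslog so rsyslog can forward them to the SIEM.
    # When use-syslog is yes, the logfile directive below is ignored.
    use-syslog: yes

    # Alternative: write to a file instead of syslog. The path must be
    # writable by the unbound user and, if chroot is set, inside the chroot.
    # use-syslog: no
    # logfile: "/var/log/unbound/unbound.log"
    # log-time-ascii: yes

    # Per-query lines for traffic analysis. One line per query and one per
    # reply, so budget disk/SIEM ingest for roughly (queries per day x 2 lines).
    log-queries: yes
    log-replies: yes
    # Log SERVFAIL causes; useful for spotting resolution failures.
    log-servfail: yes

    # Periodic counters (cache hits, query types) are cheaper than per-query
    # logs and cover most operational questions; also exposed via unbound-control stats.
    statistics-interval: 3600
    extended-statistics: yes

# --- /etc/rsyslog.d/30-unbound.conf, added example ---
# Keep a local copy, then forward unbound's lines to the SIEM over TCP.
if $programname == 'unbound' then {
    action(type="omfile" file="/var/log/unbound/unbound.log")
    action(type="omfwd" target="siem.example.internal" port="514" protocol="tcp")
    stop
}
```

Leave log-queries/log-replies off unless you need per-query data, since they dominate the volume; use statistics-interval counters for sizing first, then enable query logging for a day to measure your real per-query line size before allocating disk.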

Best Answer

DNS servers generally don't log a lot of data. For a caching name server there should not be a lot to log. I'll use my BIND server, which is split-brain and serves queries from the Internet.

  • bind logs: 200k covers more than six months' data.
  • security logs: 100k covers more than a month and a half.
  • query logs: 10M covers most of a week. (This was left on after debugging some strange results when an upstream server was sending bad data.)

Normally, you shouldn't need to log queries, especially on a caching server.

Memory requirements will vary depending on how many different domains you cache. However, on a modern server this is unlikely to be a concern.