we are trying to visualize and permanently record our DNS traffic. The DNS Server is run on Windows 10 and the logs it writes are ok but extending it with packetbeat would increase the visibility a lot. The concerns I have are running packetbeat on such critical infrastructure are
- security: packetbeat runs with admin priveledges and listens promisc on the network interface. We would only enable the DNS protocol in packetbeat. But the DNS Servers need to be reachable from everywhere in our network and thus anyone on the network can potentially craft malicious DNS packets potentially exploiting a but in packetbeat. Looking at the security record so far I can't see any major threats where this was exploited but it's kin a of not obvious to me to actually determine the risk? Any hints welcome!
- performance: not so concerned as I think all that can happen here is packetbeat dropping/missing packets. But packetbeat shouldn't infect the overall server performance significantly if I carefully use
max_procsto be max the cpu's available. Is that correct?
Thanks 1000x and keep up the great work,