
Bind 9 query logging


cod3fr3ak

Jan 29, 2009, 2:33:31 PM
I am trying to configure query logging on bind 9. Currently I have the
following in my configuration file:

logging {
        channel warning_log {
                file "/var/adm/dns-logs/dns_warnings.log" versions 7 size 2G;
                severity warning;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel query_log {
                file "/var/adm/dns-logs/dns_query.log" versions 7 size 2G;
                severity debug 3;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default { warning_log; };
        category queries { query_log; };
        category lame-servers { null; };
        category security { null; };
        category unmatched { null; };
};

According to the O'Reilly book DNS and BIND (4th Edition) and the BIND 9 web
docs, the configuration above should log both the requested query and the
response. Currently all I get back is the query:

29-Jan-2009 14:15:00.666 queries: info: client xxx.xxx.xxx.xxx#56766: query: 49.105.135.67.in-addr.arpa IN PTR +
29-Jan-2009 14:15:00.730 queries: info: client xxx.xxx.xxx.xxx#45016: query: m1.search.yahoo-ht3.akadns.net IN A +ED
29-Jan-2009 14:15:00.821 queries: info: client xxx.xxx.xxx.xxx#48060: query: liveupdate.symantec.d4p.net IN A +ED
29-Jan-2009 14:15:00.882 queries: info: client xxx.xxx.xxx.xxx#62480: query: businessweek.112.2o7.net IN A +ED
29-Jan-2009 14:15:00.891 queries: info: client xxx.xxx.xxx.xxx#22652: query: a973.g.akamai.net IN A +ED
29-Jan-2009 14:15:00.900 queries: info: client xxx.xxx.xxx.xxx#49831: query: stats.surfaid.ihost.com IN A +ED
29-Jan-2009 14:15:00.924 queries: info: client xxx.xxx.xxx.xxx#5606: query: www.pic2009.org IN A +ED
29-Jan-2009 14:15:00.936 queries: info: client xxx.xxx.xxx.xxx#51641: query: www.yopoll.com IN A +ED
29-Jan-2009 14:15:00.946 queries: info: client xxx.xxx.xxx.xxx#6002: query: 174.162.127.222.in-addr.arpa IN PTR +ED

Even when I start BIND using the -d option I do not get what I want.

Can someone help me out?

C

_______________________________________________
bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

JINMEI Tatuya / 神明達哉

Jan 29, 2009, 5:01:55 PM
At Thu, 29 Jan 2009 14:33:31 -0500,
cod3fr3ak <rvc.pobox...@gmail.com> wrote:

> channel query_log
> {
> file "/var/adm/dns-logs/dns_query.log" versions 7 size 2G;
> severity debug 3;
> print-category yes;
> print-severity yes;
> print-time yes;
> };
>
> According to the O'Reilly book DNS and BIND (4th Edition) and the BIND 9 web
> docs the configuration above should log both the requested query and the
> response. Currently all I get back is the query:

What exactly do you mean by 'BIND 9 web doc', and which specific part
of it are you referring to? Whatever the docs or books say, the fact
is that BIND9 doesn't log replies.

BTW, next version(s) of BIND9 (at least 9.7, perhaps next minor
versions of current releases) will have the ability to log query
errors, which include logs about responses indicating an error (such
as NXDOMAINs or SERVFAILs). So, if you're particularly interested in
such unusual responses, you'll probably be happy with that.

We previously discussed in this mailing list whether we want to have
the ability of logging any responses. Opinions varied: some said that
would be great, others said "don't complicate the implementation any
more, and let packet capture tools do the job". I see the point of
both sides, and at the moment we're simply keeping the current
behavior (i.e., not logging responses).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

Robert Coward

Jan 30, 2009, 8:51:59 AM
Sorry, I should have been a bit more specific. In reference to the O'Reilly book:

O'Reilly DNS and BIND by Paul Albitz & Cricket Liu (4th Edition)
pg. 163 - 173 (specifically pg. 164, paragraph 4) and
pg. 405 - 421 (info about using the debug options)

The web sites I looked at were:

http://www.bind9.net/manuals

and

http://www.zytrax.com/books/dns

So, reading your response, the current version of BIND (9.6, I think) does not
have the ability to log the responses.


O'Reilly DNS and BIND, Paul Albitz & Cricket Liu


David Forrest

Feb 2, 2009, 1:54:06 PM
On Fri, 30 Jan 2009, Robert Coward wrote:

> Sorry, I should have been a bit more specific. In reference to the O'Reilly
> book:
>
> O'Reilly DNS and BIND by Paul Albitz & Cricket Liu (4th Edition)
> pg. 163 - 173 (specifically pg. 164, paragraph 4) and
> pg. 405 - 421 (info about using the debug options)
>
> The web sites I looked at were:
>
> http://www.bind9.net/manuals
>
> and
>
> http://www.zytrax.com/books/dns
>
> So, reading your response, the current version of BIND (9.6, I think) does not
> have the ability to log the responses.
>
>
> O'Reilly DNS and BIND, Paul Albitz & Cricket Liu
>

Using 9.6.0-P1, I enabled the querylogs option like this:

channel querylogs {
        file "/var/log/dnsqueries" size 20m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
};

category queries { querylogs; };

and it generated a quite large log file, so I wrote a rather inefficient
bash script to distill it down to a more readable format and end up with
this little query report:


           Total      A     NS     MX    TXT    PTR    SOA    SPF

External     740    310      1    353      2      0     73      0
Internal   33504  23758   1545   1222   5533   1445      0      0
Totals     34244  24068   1546   1575   5535   1445     73      0

Other packets: (if any not detailed)
01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view external: query: maplepark.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +

DDoS (. IN NS) attacks follow: (if any)

(Note: I don't get any of these anymore as I have them dropped at the
firewall. They amount to about 1000 per day, and demanded some sort of
attention to make my logs readable.)

The script runs daily via cron, mailing the output, and it serves my
purposes for a very small office network.
--
David Forrest
St. Louis, Missouri
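David did not post his bash script, so the following is an added Python reconstruction of the distilling step, written for this page and not taken from the thread or from BIND. It parses the `queries` category line format shown in both the first post and David's report (with or without the `view <name>:` field that multi-view servers add), decodes the trailing flag characters (`+`, `-`, `S`, `E`, `T`, `D`, `C`, as documented in the BIND 9 ARM for that era, so the `+ED` in the first post reads as RD set, EDNS present, DO bit set), and produces the same per-view, per-type table with a separate list of "other" query types and of `. IN NS` probes. The log lines embedded in `SAMPLE_LOG` are constructed (RFC 5737 and RFC 1918 addresses, example.com names); the `general:` line stands in for the non-query noise a real log file mixes in.

```python
import re
from collections import Counter, defaultdict

# Query types that get their own column, following the report quoted above.
DETAILED_TYPES = ("A", "NS", "MX", "TXT", "PTR", "SOA", "SPF")

# Flag characters BIND 9 appends to "queries" category lines (e.g. "+ED").
FLAG_MEANING = {
    "+": "recursion desired (RD set)",
    "-": "recursion not desired (RD clear)",
    "S": "signed (TSIG or SIG(0))",
    "E": "EDNS present",
    "T": "received over TCP",
    "D": "DNSSEC OK (DO bit)",
    "C": "checking disabled (CD bit)",
}

# One query per line; "view <name>:" is present only on servers configured with views.
# The space after "client" is optional because some log extracts run the two together.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"queries: (?P<severity>\w+): "
    r"client ?(?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)

# Constructed sample input in the format shown in the thread (not real traffic).
SAMPLE_LOG = """\
29-Jan-2009 14:15:00.666 queries: info: client 192.0.2.10#56766: query: 10.2.0.192.in-addr.arpa IN PTR +
29-Jan-2009 14:15:00.730 queries: info: client 192.0.2.10#45016: query: www.example.com IN A +ED
01-Feb-2009 13:34:27.796 queries: info: client 198.51.100.7#40986: view external: query: example.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.example.com IN SRV +
02-Feb-2009 11:33:01.004 queries: info: client 203.0.113.9#1234: view external: query: . IN NS -
02-Feb-2009 11:33:02.100 queries: info: client 192.168.102.20#40000: view internal: query: mail.example.com IN MX +
02-Feb-2009 11:33:03.250 queries: info: client 192.168.102.20#40001: view internal: query: example.com IN TXT +ED
02-Feb-2009 11:33:04.500 queries: info: client 192.168.102.31#51000: view internal: query: host.example.com IN A +
02-Feb-2009 11:33:05.000 general: info: zone example.com/IN: loaded serial 2009020201
02-Feb-2009 11:33:06.900 queries: info: client 198.51.100.8#3300: view external: query: www.example.com IN A +E
"""


def decode_flags(flags):
    """Expand the flag string ("+ED") into human-readable meanings, one per character."""
    return [FLAG_MEANING.get(ch, "unknown flag %r" % ch) for ch in flags]


def parse_line(line):
    """Parse one query-log line into a dict, or return None for any non-query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["view"] = rec["view"] or "default"  # single-view servers omit the view field
    rec["port"] = int(rec["port"])
    rec["flag_meanings"] = decode_flags(rec["flags"])
    return rec


def summarize(lines):
    """Count queries per view and per detailed type; set aside the two follow-up lists."""
    counts = defaultdict(Counter)  # view -> Counter of qtype plus "Total"
    other, root_ns, skipped = [], [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += bool(line.strip())
            continue
        if rec["name"] == "." and rec["qtype"] == "NS":
            root_ns.append(line.strip())  # listed separately, not counted in the table
            continue
        counts[rec["view"]]["Total"] += 1
        if rec["qtype"] in DETAILED_TYPES:
            counts[rec["view"]][rec["qtype"]] += 1
        else:
            other.append(line.strip())  # counted in Total but has no column
    return {"counts": dict(counts), "other": other, "root_ns": root_ns, "skipped": skipped}


def format_report(summary):
    """Render the per-view table plus the two follow-up lists as plain text."""
    cols = ("Total",) + DETAILED_TYPES
    totals, rows = Counter(), [("",) + cols]
    for view in sorted(summary["counts"]):
        c = summary["counts"][view]
        totals.update(c)
        rows.append((view,) + tuple(str(c[t]) for t in cols))
    rows.append(("Totals",) + tuple(str(totals[t]) for t in cols))
    widths = [max(len(r[i]) for r in rows) for i in range(len(cols) + 1)]
    out = [" ".join(cell.rjust(w) for cell, w in zip(r, widths)) for r in rows]
    out += ["", "Other packets: (types without a column)"] + summary["other"]
    out += ["", "Root NS probes (. IN NS):"] + summary["root_ns"]
    if summary["skipped"]:
        out.append("\n%d non-query line(s) skipped" % summary["skipped"])
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG.splitlines())))
```

To run it against a real file, replace `SAMPLE_LOG.splitlines()` with an open file handle; everything else stays the same. Separating `. IN NS` probes from the table mirrors David's report, where those probes are handled at the firewall rather than counted as legitimate NS queries.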
