You can put query logging off to its own channel and put that to a separate
log file.

logging {

On Wed, Oct 1, 2008 at 6:52 AM, Martin McCormick <[EMAIL PROTECTED]> wrote:
> We've got a busy DNS that sometimes receives 1-million
> queries per hour so I am going at this _carefully_. The object
> here is to save a minute or so's worth of queries and then check
> to see if certain systems have made queries. This sounds like an
> Orwellian scheme, but the idea is to listen for silence. If our
> 9 Microsoft Exchange servers haven't asked bind for something in
> a minute, probably much less, something is terribly wrong. This
> could be either with the servers themselves or the network
> connection giving them access to the DNS. Right now, I am not
> worried about that. I would like to have a stream or file of
> nothing but queries to essentially grep it for client addresses.
> If we see them, the servers are doing something. If not, raise
> the alarm!
>
> I turned query logging on on a test system and did a
> couple of queries and the log entry is what we need but it is
> also in the same log file as zone transfers and updates. On our
> busy DNS, I would like to capture the query logs, check them for
> the addresses of critical systems, and then discard them as this
> could be like filling up thimbles from a fire hose.
>
> The other possibility might be to set up a slave DNS or
> slaves to serve only those systems we are monitoring but that
> starts to possibly introduce more chances for mishaps than it
> would prevent. The older I get, the more I hate needless
> complexity. It makes it harder to fix at 3 o'clock in the
> morning when the phone rings.
>
> Thanks for any ideas, especially on whether it is
> possible to isolate just queries in somewhat the same way the
> security log is handled.
>
> Martin McCormick WB5AGZ Stillwater, OK
> Systems Engineer
> OSU Information Technology Department Telecommunications Services Group
>

--
-Ben Croswell
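One way to carry out Ben's suggestion and then do the "listen for silence" check Martin describes, as an added example that is not part of the thread: a BIND 9 logging stanza that sends only the queries category to its own file, and a small POSIX shell function that greps that file for each critical client address. The stanza, the file paths, the addresses and the query.log lines below are all constructed sample data (the log line format assumes BIND 9's "client A.B.C.D#port: query:" prefix without views).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes BIND 9 query-log lines of the
# form "<time> client A.B.C.D#port: query: <name> IN <type> + (<dest>)".
# All paths, addresses and log lines here are constructed sample data.

WORK=$(mktemp -d)

# named.conf fragment: the queries category gets its own channel and file, so
# zone transfers, updates and other categories never land in query.log.
# (Queries are only logged while query logging is enabled: querylog yes / rndc querylog.)
cat > "$WORK/logging.conf" <<'EOF'
logging {
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 20m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };
};
EOF

# Constructed sample of about a minute of the resulting query.log.
cat > "$WORK/query.log" <<'EOF'
01-Oct-2008 06:52:01.101 client 192.0.2.10#51234: query: mx.example.net IN MX + (192.0.2.1)
01-Oct-2008 06:52:01.350 client 192.0.2.11#40021: query: smtp.example.org IN A + (192.0.2.1)
01-Oct-2008 06:52:02.004 client 198.51.100.7#1025: query: www.example.com IN A + (192.0.2.1)
EOF

# missing_clients LOGFILE IP [IP...]
# Prints every critical client address that appears in no "client <ip>#" field
# of LOGFILE. Returns 1 if any address is silent (raise the alarm), else 0.
missing_clients() {
    log=$1; shift
    missing=0
    for ip in "$@"; do
        # Fixed-string match anchored on "client <ip>#" so that a search for
        # 192.0.2.1 does not match the client 192.0.2.10, and dots stay literal.
        if ! grep -qF "client ${ip}#" "$log"; then
            echo "$ip"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Typical use: rotate or truncate query.log on the same cadence as the check so
# the fire-hose of queries is discarded after each pass.
missing_clients "$WORK/query.log" 192.0.2.10 192.0.2.11 192.0.2.12 || echo "ALARM: silent critical client(s) above"
```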
