On 19/10/2020 16:14, Luis Daniel Lucio Quiroz via Pdns-users wrote:
> I am trying to build a fail2ban rule. Because my PDNS is not a public
> DNS, but it just hosts specific zones nobody should be querying
> anything else but those specific zones, right?
> I can't find an option to log those queries. PDNS works okay, it
> refuses other zones but I want to log that.
PDNS recursor or authoritative? From context I am going to guess
authoritative.
Personally I wouldn't do it. The extra load from logging all queries is
likely *much* higher than the load of sending a few REFUSED answers, if
and when they occur.
There is query logging:
https://doc.powerdns.com/authoritative/settings.html#query-logging
# dig +short @localhost example.com
# grep example.com /var/log/syslog
Oct 19 18:17:32 ns-auth pdns_server[7420]: Lookup for 'SOA' of 'example.com' within zoneID -1
Oct 19 18:17:32 ns-auth pdns_server[7420]: Found no authoritative zone for 'example.com' and/or id 0
... but it's really a debugging feature, and it appears not to show the
client source IP address, which I expect is what you want. (Tested with
pdns-server 4.3.0)
I think what you'd have to do is to put dnsdist in front, which supports
high-performance protobuf <https://dnsdist.org/reference/protobuf.html>
logging and dnstap <https://dnsdist.org/reference/dnstap.html> logging.
The recursor does have those features built-in, BTW.
Regards,
Brian.
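As an added example, not taken from this thread or from the PowerDNS project: a minimal dnsdist configuration in the spirit of Brian's suggestion, which answers REFUSED for anything outside the hosted zones and writes the client address and query name to a text log that a fail2ban filter could read. The zone names, the listen address and the backend address 127.0.0.1:5300 are assumptions.

```lua
-- Added example (not from the thread): dnsdist in front of pdns_server.
-- Assumptions: pdns_server listens on 127.0.0.1:5300, the hosted zones are
-- example.com and example.net, and dnsdist takes over port 53.
setLocal("0.0.0.0:53")
newServer({address = "127.0.0.1:5300"})

-- Suffix match node holding every zone this server is authoritative for.
local hosted = newSuffixMatchNode()
for _, zone in ipairs({"example.com", "example.net"}) do
  hosted:add(newDNSName(zone))
end

-- Anything not under a hosted zone: log client IP, qname and qtype in text
-- form (binary=false), appending to the file and unbuffered so lines show
-- up immediately for fail2ban, then answer REFUSED without touching the
-- backend.
local foreign = NotRule(SuffixMatchNodeRule(hosted))
addAction(foreign, LogAction("/var/log/dnsdist-refused.log", false, true, false))
addAction(foreign, RCodeAction(DNSRCode.REFUSED))

-- Everything else is forwarded to pdns_server as usual.
```

In text mode each logged line starts with `Packet from <ip>:<port> for <qname> <qtype>`, so the client source address that the pdns_server query log lacks is available for a failregex `<HOST>` capture.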
_______________________________________________
Pdns-users mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/pdns-users