Bind 9 query logging

2009-02-02 Thread Robert Coward
Sorry, I should have been a bit more specific. In reference to the O'Reilly
book:

O'Reilly DNS and BIND by Paul Albitz & Cricket Liu (4th Edition)
pg. 163 - 173 (specifically pg. 164, paragraph 4) and
pg. 405 - 421 (info about using the debug options)

The web sites I looked at were:

http://www.bind9.net/manuals

and

http://www.zytrax.com/books/dns

So, reading your response, the current version of BIND (9.6 I think) does not
have the ability to log the responses.


O'Reilly DNS and BIND, Paul Albitz & Cricket Liu
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind 9 query logging

2009-02-02 Thread David Forrest

On Fri, 30 Jan 2009, Robert Coward wrote:


Sorry, I should have been a bit more specific. In reference to the O'Reilly
book:

O'Reilly DNS and BIND by Paul Albitz & Cricket Liu (4th Edition)
pg. 163 - 173 (specifically pg. 164, paragraph 4) and
pg. 405 - 421 (info about using the debug options)

The web sites I looked at were:

http://www.bind9.net/manuals

and

http://www.zytrax.com/books/dns

So, reading your response, the current version of BIND (9.6 I think) does not
have the ability to log the responses.


O'Reilly DNS and BIND, Paul Albitz & Cricket Liu


Using 9.6.0-P1, I enabled the querylogs option like this:

    // inside the logging { } block of named.conf
    channel querylogs {
        file "/var/log/dnsqueries" size 20m;   // path must be a quoted string
        severity info;                          // query lines are logged at info
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { querylogs; };

and it generated a quite large log file, so I wrote a rather inefficient 
bash script to distill it down to a more readable format and end up with 
this little query report:



           Total      A     NS     MX    TXT    PTR    SOA    SPF

External     740    310      1    353      2      0     73      0
Internal   33504  23758   1545   1222   5533   1445      0      0
Totals     34244  24068   1546   1575   5535   1445     73      0

Other packets: (if any not detailed)
01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view external: query: maplepark.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +

DDoS (. IN NS) attacks follow: (if any)

(Note: I don't get any of these anymore as I have them dropped at the 
firewall.  They amount to about 1000 per day, and demanded some sort of 
attention to make my logs readable.)


The script runs daily via cron, mailing the output, and it serves my 
purposes for a very small office network.

--
David Forrest
St. Louis, Missouri
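As an added example (not David Forrest's script, which is not posted in the thread), here is a small Python parser for the query-log line format shown above that produces the same per-view, per-type counts, keeps the lines of other types (which is why a view's Total exceeds the sum of its type columns) and separates the ". IN NS" queries the report lists as DDoS traffic. The client addresses 10.0.0.5 and 203.0.113.9 and the three extra log lines are constructed; the flag-letter meanings follow the BIND ARM's description of the query log.

```python
import re
from collections import Counter, defaultdict

# Query-log line format as it appears in this thread; "view X:" is optional
# because BIND only prints it when views are configured.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): (?:view (?P<view>\S+): )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<flags>\S+)$")

# Trailing flag letters, per the BIND ARM description of the query log.
FLAG_MEANING = {"+": "recursion requested", "-": "recursion not requested",
                "S": "signed", "E": "EDNS", "T": "TCP", "D": "DO bit set",
                "C": "CD bit set"}
# Same type columns as the report in the thread; anything else is "other".
REPORT_TYPES = ("A", "NS", "MX", "TXT", "PTR", "SOA", "SPF")

# Constructed sample: the first two lines are from the thread, the rest are
# made up (10.0.0.5 and 203.0.113.9 are placeholder client addresses).
SAMPLE_LOG = """\
01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view external: query: maplepark.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +
29-Jan-2009 14:15:00.666 queries: info: client 10.0.0.5#56766: query: 49.105.135.67.in-addr.arpa IN PTR +
29-Jan-2009 14:15:00.730 queries: info: client 10.0.0.5#45016: query: m1.search.yahoo-ht3.akadns.net IN A +ED
01-Feb-2009 13:40:00.001 queries: info: client 203.0.113.9#1234: view external: query: . IN NS +
"""

def parse_line(line):
    """Fields of one query-log line as a dict, or None if it is not a query line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["view"] = rec["view"] or "default"   # no views configured
    rec["flag_meanings"] = [FLAG_MEANING[c] for c in rec["flags"] if c in FLAG_MEANING]
    return rec

def summarize(lines):
    """Per-view counts (Total plus REPORT_TYPES), lines of other types, and
    the client addresses of the '. IN NS' queries the report above singles out."""
    counts, other, root_ns = defaultdict(Counter), [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # not a query line (e.g. another logging category)
        counts[rec["view"]]["Total"] += 1
        if rec["qtype"] in REPORT_TYPES:
            counts[rec["view"]][rec["qtype"]] += 1
        else:
            other.append(line.strip())
        if rec["name"] == "." and rec["qtype"] == "NS":
            root_ns.append(rec["ip"])
    return counts, other, root_ns
```

Feeding the real log file through `summarize(open(path))` gives the counts behind a report like the one above; the flag decoding shows why the +ED lines in the other post are ordinary recursive EDNS queries with the DO bit set.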


Bind 9 query logging

2009-01-29 Thread cod3fr3ak
I am trying to configure query logging on bind 9. Currently I have the
following in my configuration file:

    logging {
        channel warning_log {
            file "/var/adm/dns-logs/dns_warnings.log" versions 7 size 2G;
            severity warning;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        channel query_log {
            file "/var/adm/dns-logs/dns_query.log" versions 7 size 2G;
            severity debug 3;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default { warning_log; };
        category queries { query_log; };
        category lame-servers { null; };
        category security { null; };
        category unmatched { null; };
    };

According to the O'Reilly book DNS and BIND (4th Edition) and the BIND 9 web
docs, the configuration above should log both the requested query and the
response. Currently all I get back is the query:

29-Jan-2009 14:15:00.666 queries: info: client xxx.xxx.xxx.xxx#56766: query: 49.105.135.67.in-addr.arpa IN PTR +
29-Jan-2009 14:15:00.730 queries: info: client xxx.xxx.xxx.xxx#45016: query: m1.search.yahoo-ht3.akadns.net IN A +ED
29-Jan-2009 14:15:00.821 queries: info: client xxx.xxx.xxx.xxx#48060: query: liveupdate.symantec.d4p.net IN A +ED
29-Jan-2009 14:15:00.882 queries: info: client xxx.xxx.xxx.xxx#62480: query: businessweek.112.2o7.net IN A +ED
29-Jan-2009 14:15:00.891 queries: info: client xxx.xxx.xxx.xxx#22652: query: a973.g.akamai.net IN A +ED
29-Jan-2009 14:15:00.900 queries: info: client xxx.xxx.xxx.xxx#49831: query: stats.surfaid.ihost.com IN A +ED
29-Jan-2009 14:15:00.924 queries: info: client xxx.xxx.xxx.xxx#5606: query: www.pic2009.org IN A +ED
29-Jan-2009 14:15:00.936 queries: info: client xxx.xxx.xxx.xxx#51641: query: www.yopoll.com IN A +ED
29-Jan-2009 14:15:00.946 queries: info: client xxx.xxx.xxx.xxx#6002: query: 174.162.127.222.in-addr.arpa IN PTR +ED

Even when I start BIND using the -d option, I do not get what I want.

Can someone help me out?

C

Re: Bind 9 query logging

2009-01-29 Thread JINMEI Tatuya / 神明達哉
At Thu, 29 Jan 2009 14:33:31 -0500,
cod3fr3ak rvc.pobox+unixli...@gmail.com wrote:

 channel query_log {
     file "/var/adm/dns-logs/dns_query.log" versions 7 size 2G;
     severity debug 3;
     print-category yes;
     print-severity yes;
     print-time yes;
 };

 According to the O'Reilly book DNS and BIND (4th Edition) and the BIND 9 web
 docs, the configuration above should log both the requested query and the
 response. Currently all I get back is the query:

What exactly do you mean by 'BIND 9 web doc', and which specific part
of it are you referring to?  Whatever the docs or books say, the fact
is that BIND9 doesn't log replies.

BTW, next version(s) of BIND9 (at least 9.7, perhaps next minor
versions of current releases) will have the ability to log query
errors, which include logs about responses indicating an error (such
as NXDOMAINs or SERVFAILs).  So, if you're particularly interested in
such unusual responses, you'll probably be happy with that.

We previously discussed in this mailing list whether we want to have
the ability of logging any responses.  Opinions varied: some said that
would be great, others said don't complicate the implementation any
more, and let packet capture tools do the job.  I see the point of
both sides, and at the moment we're simply keeping the current
behavior (i.e., not logging responses).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.