Re: Is it Possible to Log nxdomain Responses?

2010-11-18 Thread Anand Buddhdev
On 17/11/2010 15:23, Stephane Bortzmeyer wrote:

> On Wed, Nov 17, 2010 at 07:48:55AM -0600,
>  Martin McCormick  wrote 
>  a message of 22 lines which said:
> 
>> It would be nice to log each nxdomain for a while so we can verify
>> that the new delegated zone we are about to install fixed the
>> problem.
> 
> Maybe with dnscap:
> 
> dnscap -e x -g -w nxdomain-%s-%u.pcap
> 
> This will keep NXDOMAIN responses

I like dnscap. It also has an option to specify a regex to match on the
QNAME, and capture packets for certain domain names / zones. This is a
useful feature to use on servers which host more than one zone.

Regards,

Anand
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
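The condition the capture commands in this thread select on (a response with RCODE 3, optionally limited to one zone by QNAME), written out at the DNS message level. This is an added example, not part of any post in the thread; the function names, the zone ad.example.com and the sample messages are constructed for illustration.

```python
import struct

RCODE_NXDOMAIN = 3  # same value as the tshark filter dns.flags.rcode==3

def read_qname(msg, off):
    """Decode the uncompressed question name starting at off, lowercased, with trailing dot."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels) + "."
        if n & 0xC0 or off + n > len(msg):  # pointer or label running past the packet
            raise ValueError("malformed label")
        labels.append(msg[off:off + n].decode("ascii", "replace").lower())
        off += n

def nxdomain_qname(msg, zone=None):
    """Return the QNAME if msg is an NXDOMAIN response (inside zone, if given), else None."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    is_response = bool(flags & 0x8000)           # QR bit set
    if not is_response or (flags & 0x000F) != RCODE_NXDOMAIN or qdcount != 1:
        return None
    try:
        qname = read_qname(msg, 12)
    except ValueError:
        return None
    if zone is not None:
        z = zone.lower().rstrip(".") + "."
        if qname != z and not qname.endswith("." + z):
            return None
    return qname

def build(flags, name):
    """Constructed sample message: 12-byte header plus one question (type A, class IN)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

SAMPLES = [  # constructed, not captured traffic
    build(0x8183, "_ldap._tcp.ad.example.com"),  # response, RCODE 3, in zone
    build(0x8180, "www.example.com"),            # response, NOERROR
    build(0x0100, "host.ad.example.com"),        # query, not a response
    build(0x8183, "host.other.example"),         # NXDOMAIN, other zone
]

if __name__ == "__main__":
    print([nxdomain_qname(m, "ad.example.com") for m in SAMPLES])
```

Matching on whole labels (the name equals the zone or ends with "." plus the zone) keeps a name such as notad.example.com from being counted against ad.example.com.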


Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Stephane Bortzmeyer
On Wed, Nov 17, 2010 at 07:48:55AM -0600,
 Martin McCormick  wrote 
 a message of 22 lines which said:

> It would be nice to log each nxdomain for a while so we can verify
> that the new delegated zone we are about to install fixed the
> problem.

Maybe with dnscap:

dnscap -e x -g -w nxdomain-%s-%u.pcap

This will keep NXDOMAIN responses



Re: Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Phil Mayers

On 17/11/10 13:48, Martin McCormick wrote:

> We are chasing down some problems in which clients are trying to
> resolve lookups to a domain related to Microsoft Active
> Directory zones. We were able to determine that clients were
> querying this AD zone when it was thought they weren't needing
> to do so.
>
> We enabled querylogging for a short time and saw a
> specific test system querying the domain and we were able to
> dump the cache of the master DNS running bind9.7.1 and saw
> numerous nxdomains for that zone. It would be nice to log each
> nxdomain for a while so we can verify that the new delegated
> zone we are about to install fixed the problem.


You could maybe do this with wireshark:

tshark -R dns.flags.rcode==3 -s 1600 -i any -T fields \
 -e ip.src -e ip.dst -e dns.qry.name


Is it Possible to Log nxdomain Responses?

2010-11-17 Thread Martin McCormick
We are chasing down some problems in which clients are trying to
resolve lookups to a domain related to Microsoft Active
Directory zones. We were able to determine that clients were
querying this AD zone when it was thought they weren't needing
to do so.

We enabled querylogging for a short time and saw a
specific test system querying the domain and we were able to
dump the cache of the master DNS running bind9.7.1 and saw
numerous nxdomains for that zone. It would be nice to log each
nxdomain for a while so we can verify that the new delegated
zone we are about to install fixed the problem.

Thank you.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Telecommunications Services Group