Re: ask about bind9 logging function: How can I log the service port number (eg. 53, 443, 853) in my log of `queries` category

2024-12-12 Thread Borja Marcos via bind-users
> On 26 Nov 2024, at 14:36, Petr Špaček wrote: > > On 26. 11. 24 10:08, n/a via bind-users wrote: >> I am a new user in bind9. >> I have setup my DNS server with port 53, port 443 (DoH), and port 853 (DoT). >> And now, in my logging file of `queries` category, one

Re: ask about bind9 logging function: How can I log the service port number (eg. 53, 443, 853) in my log of `queries` category

2024-11-26 Thread Petr Špaček
On 26. 11. 24 10:08, n/a via bind-users wrote: I am a new user in bind9. I have setup my DNS server with port 53, port 443 (DoH), and port 853 (DoT). And now, in my logging file of `queries` category, one query example shows as below: 26-Nov-2024 03:55:41.524 queries: info: client

ask about bind9 logging function: How can I log the service port number (eg. 53, 443, 853) in my log of `queries` category

2024-11-26 Thread n/a via bind-users
Hello, I am a new user in bind9. I have setup my DNS server with port 53, port 443 (DoH), and port 853 (DoT). And now, in my logging file of `queries` category, one query example shows as below:     26-Nov-2024 03:55:41.524 queries: info: client @0x7f21ba9b3000 111.11.11.109#61713 (ust.hk

Re: Inconsistent Logging of zone name

2024-11-25 Thread Petr Špaček
zone at/IN: transferred ... transfer of 'at/IN' from ... transfer of 'at/IN' from ... zone at/IN: sending notifies (serial 1732525202) Can I file a feature request to harmonize that? Or is there some trick? As far as I see, structured logging available is not available. We have https

Inconsistent Logging of zone name

2024-11-25 Thread Klaus Darilion via bind-users
sfer of 'at/IN' from ... zone at/IN: sending notifies (serial 1732525202) Can I file a feature request to harmonize that? Or is there some trick? As far as I see, structured logging available is not available. Thanks Klaus -- Visit https://lists.isc.org/mailman/listinfo/bind-users to un

Re: Logging with Unencrypted DNS, DoT and DoH

2024-09-19 Thread Borja Marcos via bind-users
> On 17 Sep 2024, at 22:39, Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users > wrote: > > Hello, > BIND 9.18.7 > RHEL 8.10 (Oopta) > I am being asked if it is possible to differentiate the percentage of > queries coming into a server that are unencrypted, DoT and DoH. > Example: For

Fwd: Logging with Unencrypted DNS, DoT and DoH

2024-09-18 Thread paranoid sysadmin
-2024 DOT 7726 5.9% 17-Sep-2024 TCP 288 0.2% 17-Sep-2024 UDP 122478 93.9% Regards! Paranoid -- Forwarded message - From: John W. Blue via bind-users Date: Tue, Sep 17, 2024 at 4:00 PM Subject: RE: Logging with Unencrypted DNS, DoT and DoH To: bind

RE: Logging with Unencrypted DNS, DoT and DoH

2024-09-17 Thread John W. Blue via bind-users
ndors that are able to consume the named.stats output. John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users Sent: Tuesday, September 17, 2024 3:40 PM To: bind-users@lists.isc.org Subject: Logging with Unencrypted DNS

RE: Logging with Unencrypted DNS, DoT and DoH

2024-09-17 Thread Richard T.A. Neal
(MSFC-IS64)[AEGIS] via bind-users Sent: 17 September 2024 9:40 pm To: bind-users@lists.isc.org Subject: Logging with Unencrypted DNS, DoT and DoH Hello, BIND 9.18.7 RHEL 8.10 (Oopta) I am being asked if it is possible to differentiate the percentage of queries coming into a server that are unencr

Logging with Unencrypted DNS, DoT and DoH

2024-09-17 Thread Bischof, Ralph F. (MSFC-IS64)[AEGIS] via bind-users
Hello, BIND 9.18.7 RHEL 8.10 (Oopta) I am being asked if it is possible to differentiate the percentage of queries coming into a server that are unencrypted, DoT and DoH. Example: For a given 24 hours, 50% were 53, 25% were 853 and 25% were 443. I cannot find a difference in the query logs to sh

Re: Debugging TSIG signed nsupdate problems - Specifically a logging question

2024-05-28 Thread Erik Edwards via bind-users
mat I couldn't find any messages beyond "REFUSED" It looks like the logging in the update section requires some directive I have been unable to figure out. I did find the issue with the updates, it was a typo in the object that was allowed to be updated. Not the A nor the AAA

Re: Debugging TSIG signed nsupdate problems - Specifically a logging question

2024-05-27 Thread Erik Edwards via bind-users
Please allow me to refocus this thread to the original question. I'm asking about the logging facility with respect to the "update" section of code in ISC's bind9 product. Yes, I understand update-policy choices/errors will generate the REFUSED response. _I'm only

Re: dns_diff_apply / "del not exact" logging

2024-02-14 Thread Mark Andrews
s S. Kerber via bind-users > wrote: > > Hi, > > since upgrading our secondary to 9.18.24 yesterday, I'm seeing the logging > messages below. > > 14-Feb-2024 07:52:24.850 general: error: dns_diff_apply: > wur1-ps003.ad01.geXXX/A/IN: del not exact > 1

dns_diff_apply / "del not exact" logging

2024-02-13 Thread Andreas S. Kerber via bind-users
Hi, since upgrading our secondary to 9.18.24 yesterday, I'm seeing the logging messages below. 14-Feb-2024 07:52:24.850 general: error: dns_diff_apply: wur1-ps003.ad01.geXXX/A/IN: del not exact 14-Feb-2024 07:53:28.732 general: error: dns_diff_apply: 1.0.e.4.1.1.0.0.2.ip6.arpa/SOA/IN: de

Re: Bind query logging

2023-06-10 Thread Darren Ankney
Hi Zoltan, I don't see the "default" category defined there. The default is syslog I believe. This might be why you are getting some logs in syslog: see: https://bind9.readthedocs.io/en/v9_18_11/reference.html#logging-block-definition-and-usage for further info. Perhaps

Re: Bind query logging

2023-06-09 Thread Darren Ankney
Hi Zoltan, Can you share your entire logging {} block? Maybe there will be some clue there. Thank you, Darren Ankney On Fri, Jun 9, 2023 at 8:14 AM Kereszt Vezeték wrote: > > Hi Everybody ! > > I have bind9 server with query logging setup. > It work well, but all of query regi

Bind query logging

2023-06-09 Thread Kereszt Vezeték
Hi Everybody ! I have bind9 server with query logging setup. It work well, but all of query registration logged is /var/log/syslog file. Can I avoid that duplicated logging ? I would like see only separated log file. Related configuration ( debian11

logging query errors and timeouts

2022-11-25 Thread Alex
Hi, I have a bind-9.18.8 server on fedora36 and seeing quite a few timeouts to many of the same domains. I'm working with one of the domain owners to identify potential issues with their nameservers, but would also like some guidance as to whether what I'm seeing is normal. Here are a few examples.

Re: Nice new logging feature

2022-01-05 Thread Borja Marcos
> On 20 Dec 2021, at 17:56, Reindl Harald wrote: > > > > Am 20.12.21 um 17:53 schrieb Petr Menšík: >> sure I confused that. I read it wrong way and thought they are present >> on *BSD but not on Fedora. I know some messages are removed in Fedora >> builds. I apologize for a confusion. Nobody

Re: Nice new logging feature

2021-12-20 Thread Reindl Harald
45.79.19.196#53" at the end of lame-logs maybe because of my logging configuration which is unchanged for years logging {  channel default_log  {   file "data/named.log" versions 0 size 1m;   severity dynamic;   print-time   yes;   print-cate

Re: Nice new logging feature

2021-12-20 Thread Petr Menšík
ve them on Fedora as you see in my quote and it's not about the > messages as such but about "45.79.19.196#53" at the end of lame-logs > > maybe because of my logging configuration which is unchanged for years > > logging > { >  channel default_log >  { >   f

Re: Nice new logging feature

2021-12-20 Thread Reindl Harald
something! Borja don't have that in older named versions and does not use Fedora, i have them on Fedora as you see in my quote and it's not about the messages as such but about "45.79.19.196#53" at the end of lame-logs maybe because of my logging configuration which is

Re: Nice new logging feature

2021-12-20 Thread Petr Menšík
Hi Borja, In fact there is ancient patch [1] still applied to Fedora builds, which hides some lame servers warnings. It makes some lame servers category logs as debug only, shown only when -d 1 option is used. I was thinking about removing this change some time ago and replace it with just config

Re: Nice new logging feature

2021-12-18 Thread Michael Sinatra
tartup is really all Hmm. Doesn’t look like that, I have compared the build options and it doesn’t explain it. I can confirm the same logs are appearing in my 'lamers.log' file on a FreeBSD 12.2 system running BIND 9.16.22 (about to be upgraded). Maybe your `logging {}` stanza is

Re: Nice new logging feature

2021-12-16 Thread Borja Marcos
> On 16 Dec 2021, at 14:55, Reindl Harald wrote: > > > > Am 16.12.21 um 14:49 schrieb Borja Marcos: >>> >>> bind-9.16.23-1.fc34.x86_64 >>> >>> 16-Dec-2021 13:08:10.598 lame-servers: connection refused resolving >>> 'ns2.serverion.eu/A/IN': 94.228.210.122#53 >>> 16-Dec-2021 13:11:29.269 lam

Re: Nice new logging feature

2021-12-16 Thread Reindl Harald
Am 16.12.21 um 14:49 schrieb Borja Marcos: On 16 Dec 2021, at 13:15, Reindl Harald wrote: Am 16.12.21 um 10:02 schrieb Borja Marcos: Hi, I am trying 9.17 at home and I just noticed a very useful new lame-servers log message: 2021-12-16T08:08:20.505Z lame-servers: timed out resolving ’stupi

Re: Nice new logging feature

2021-12-16 Thread Borja Marcos
> On 16 Dec 2021, at 13:15, Reindl Harald wrote: > > > > Am 16.12.21 um 10:02 schrieb Borja Marcos: >> Hi, >> I am trying 9.17 at home and I just noticed a very useful new lame-servers >> log message: >> 2021-12-16T08:08:20.505Z lame-servers: timed out resolving >> ’stupiddomain.com/ANY/IN'

Re: Nice new logging feature

2021-12-16 Thread Reindl Harald
Am 16.12.21 um 10:02 schrieb Borja Marcos: Hi, I am trying 9.17 at home and I just noticed a very useful new lame-servers log message: 2021-12-16T08:08:20.505Z lame-servers: timed out resolving ’stupiddomain.com/ANY/IN': X.Y.Z.T#53 I haven’t seen this on 9.16. Are there any plans to inclu

Re: Nice new logging feature

2021-12-16 Thread Borja Marcos
> On 16 Dec 2021, at 10:02, Borja Marcos wrote: > > > Hi, > > I am trying 9.17 at home and I just noticed a very useful new lame-servers > log message: > > 2021-12-16T08:08:20.505Z lame-servers: timed out resolving > ’stupiddomain.com/ANY/IN': X.Y.Z.T#53 > > I haven’t seen this on 9.16. A

Nice new logging feature

2021-12-16 Thread Borja Marcos
Hi, I am trying 9.17 at home and I just noticed a very useful new lame-servers log message: 2021-12-16T08:08:20.505Z lame-servers: timed out resolving ’stupiddomain.com/ANY/IN': X.Y.Z.T#53 I haven’t seen this on 9.16. Are there any plans to include it? It would _really_ be useful. Our setup

Re: DNSTAP overload condition logging

2021-11-19 Thread Carsten Strotmann
Hi Chris, Chris Buxton writes: [[PGP Signed Part:Undecided]] Hi Carsten, From our reading of the code, it appears that when the buffer fills up, it refuses to accept new entries. Older events are not overwritten, but newer events are refused. The fstrm_iothr_submit() function can return su

Re: DNSTAP overload condition logging

2021-11-19 Thread Chris Buxton
Hi Carsten, From our reading of the code, it appears that when the buffer fills up, it refuses to accept new entries. Older events are not overwritten, but newer events are refused. The fstrm_iothr_submit() function can return success, failure, or “fstrm_res_again”, which indicates the queue is

DNSTAP overload condition logging

2021-11-18 Thread Carsten Strotmann
Hi, how can a BIND 9 operator detect an DNSTAP overload condition? My understanding is that BIND 9 worker threads write DNSTAP information into a circular buffer in memory, which is that read by a different thread to write out the data (to file or socket). Is there any indication to the user

Re: Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread Chris Buxton
The rationale to separate recursive and non-recursive (typically authoritative) services as you describe is largely to do with separating logging, exactly as in this use case. There are also reasons of performance sometimes, but it doesn’t sound like this fits that reason. You could also see

Re: Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread Gaurav Kansal
- From: bind-users@lists.isc.org To: bind-users@lists.isc.org Sent: Tuesday, August 24, 2021 5:37:35 PM Subject: Re: Logging statements w.r.t. view in Bind 9.16.18 Hi there, On Tue, 24 Aug 2021, Gaurav Kansal wrote: > I want a clarity whether we can have individual logging statement > pe

Re: Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread G.W. Haywood via bind-users
Hi there, On Tue, 24 Aug 2021, Gaurav Kansal wrote: I want a clarity whether we can have individual logging statement per view basis ? Whatever i found on google, i think we can't. My use case for separate logging statement is as follows - In my recursive server, i have 2 views, one f

Logging statements w.r.t. view in Bind 9.16.18

2021-08-24 Thread Gaurav Kansal
Hi guys, I want a clarity whether we can have individual logging statement per view basis ? Whatever i found on google, i think we can't. My use case for separate logging statement is as follows - In my recursive server, i have 2 views, one for my internal clients and one for Interne

Re: A question on logging

2021-06-16 Thread Victoria Risk
Also… Logging is the topic most often searched on in our knowledge base. We have one article on logging that is read more often than any other, that we are planning to migrate to the ARM. https://kb.isc.org/docs/aa-01526 That article also references a webinar Carsten Strotmann presented

Re: A question on logging

2021-06-16 Thread Anand Buddhdev
On 16/06/2021 20:36, ToddAndMargo via bind-users wrote: Hi Todd, > Questions: > > 1) is there some pruning of old stuff mechanism to >    keep my drive from being over run with logging >    data? Yes, see section 4.2.9 of the BIND manual: https://bind9.readthedocs.io/ >

A question on logging

2021-06-16 Thread ToddAndMargo via bind-users
Hi All, In my named.conf logging { channel update_debug { # file "/var/named/chroot/var/named/slaves/named-update-debug.log"; file "slaves/named-update-debug.log"; severity debug 3; print-category yes;

Re: No logging of failed queries

2021-04-14 Thread Chuck Aurora
On 2021-04-14 04:38, Gaurav Kansal wrote: Is there a way, by which we can log denied statement w.r.t. view somewhere in logging ? The thing is, your view did not deny anything. Your non-.IN client simply does not match the match-clients list for that view. On 14/04/21 1:48 am, ma...@isc.org

Re: No logging of failed queries

2021-04-14 Thread Gaurav Kansal
Hi Mark, Is there a way, by which we can log denied statement w.r.t. view somewhere in logging ? Regards, Gaurav On 14/04/21 1:48 am, ma...@isc.org wrote: Real world configurations would have a catch all view after the more specific views. Add one. -- Mark Andrews On 13 Apr 2021, at 22

Re: No logging of failed queries

2021-04-13 Thread Mark Andrews
Real world configurations would have a catch all view after the more specific views. Add one. -- Mark Andrews > On 13 Apr 2021, at 22:41, Sachchidanand Upadhyay via bind-users > wrote: > >  > Hi, > >I am using bind's geoip feature, created one ACL to allow country IN. I am > not gett

No logging of failed queries

2021-04-13 Thread Sachchidanand Upadhyay via bind-users
Hi, I am using bind's geoip feature, created one ACL to allow country IN. I am not getting logs of a failed query if the client IP is other than than country IN. Rest all is working fine, getting logs of successful queries. Below find the config details: BIND 9.16.13 (Stable Release) runni

Re: dnstap shows little logging at debug 10

2021-03-02 Thread Fred Morris
Greetings. On Tue, 2 Mar 2021, Adam Augustine wrote: # ncat -l -U /var/opt/isc/scls/isc-bind/log/named/dnstap.sock I "chown named.named ./dnstap.sock" : But regardless I don't get anything from the pipe when using the normal "systemctl start isc-bind-named.service" followed by some "dig" comman

Re: dnstap shows little logging at debug 10

2021-03-02 Thread Adam Augustine
ything. > > I am reasonably confident that I am doing something boneheaded somewhere, > likely a typo in my config or bad permission somewhere, but I admit I can't > see it and without any error messages or debug information I am struggling. > The config is pret

Re: dnstap shows little logging at debug 10

2021-03-02 Thread Adam Augustine
ee it and without any error messages or debug information I am struggling. The config is pretty simple, just the option stanza below and logging settings (mostly copy-pasted from the ISC website just in case). In an effort to figure out the problem I went so far as to: # strace -a 12

Re: dnstap shows little logging at debug 10

2021-03-01 Thread Mark Andrews
utput unix "/var/opt/isc/scls/isc-bind/run/named/dnstap.sock"; > dnstap-output unix "/var/opt/isc/scls/isc-bind/log/named/dnstap.sock"; > dnstap-identity "dnstap01.ldschurch.org"; > dnstap-version "bind-9.16.12"; > }; >

dnstap shows little logging at debug 10

2021-03-01 Thread Adam Augustine
; dnstap-identity "dnstap01.ldschurch.org"; dnstap-version "bind-9.16.12"; }; logging { [SNIP] channel dnstap_log { file "/var/opt/isc/scls/isc-bind/log/named/dnstap" versions 3 size 20m; print-time yes; print-catego

Re: Logging on a Bind server

2020-10-22 Thread Tony Finch
to questions like this: 1. passive DNS, which captures cache-miss query traffic from a resolver to the big bad internet. There are two flavours: 1a. a tcpdump tap between the resolver and the internet - the classic passive DNS setup 1b. use dnstap, which is built-in to BIND In both cases you wil

Re: Logging on a Bind server

2020-10-20 Thread Borja Marcos
> On 20 Oct 2020, at 18:02, Chuck Aurora wrote: > > On 2020-10-20 10:34, Borja Marcos wrote: >>> On 20 Oct 2020, at 17:28, Rick Dicaire wrote: >>> On Tue, Oct 20, 2020 at 10:17 AM wrote: >>> Dear BIND-Users, >>> Does someone has an idea, which log I have to activate. > > While everything Bo

Re: Logging on a Bind server

2020-10-20 Thread Chuck Aurora
then rather than dnstap/logging, I'd probably follow Kevin's advice about RPZ, if it turned out to be a valid concern. I think if your vendor is as good as you hope they are (and as they surely claim to be) they would have information about setting up RPZ. Do you have querylog enabled?

Re: Logging on a Bind server

2020-10-20 Thread Kevin Darcy
tance will potentially reach out to that nameserver to resolve > the name. > > As far as BIND logging, I don't know the best way to track this, offhand, > short of cranking up debug to ridiculous levels, and wading through the > verbose output. This might take significant reso

Re: Logging on a Bind server

2020-10-20 Thread Borja Marcos
> On 20 Oct 2020, at 17:28, Rick Dicaire wrote: > > On Tue, Oct 20, 2020 at 10:17 AM wrote: > Dear BIND-Users, > > Does someone has an idea, which log I have to activate. > > > Do you have querylog enabled? Querylog is not enough. It will tell you which clients are sending which queries,

Re: Logging on a Bind server

2020-10-20 Thread Rick Dicaire
On Tue, Oct 20, 2020 at 10:17 AM wrote: > Dear BIND-Users, > > Does someone has an idea, which log I have to activate. > Do you have querylog enabled?

Re: Logging on a Bind server

2020-10-20 Thread Kevin Darcy
looked up a name in one of those 3,000+ domains, your BIND instance will potentially reach out to that nameserver to resolve the name. As far as BIND logging, I don't know the best way to track this, offhand, short of cranking up debug to ridiculous levels, and wading through the verbose o

Logging on a Bind server

2020-10-20 Thread Senthan.Sivasundaram
Dear BIND-Users, We use in our environment a BIND Server. It works properly. One Day it came an alert from Cybereason (Antivirus-Software), that our Bind server tried to Connect to a suspicious domain "ns2.honeybot.us". But I couldn't find the log, which domain the BIND server was searching for,

Re: Debug logging for auto-dnssec inline signing

2019-11-11 Thread Matthew Richardson
Tony Finch wrote:- >> What "category" should one be logging in order to get details of DNSSEC >> inline signing when running Bind 9.8.11? > >I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has >been unsupported for ages. Correct - I need to p

Re: Debug logging for auto-dnssec inline signing

2019-11-11 Thread Tony Finch
Matthew Richardson wrote: > What "category" should one be logging in order to get details of DNSSEC > inline signing when running Bind 9.8.11? I guess you mean 9.11.8 :-) The 9.8 branch ended with 9.8.8 and it has been unsupported for ages. Yes, there is not very much loggin

Debug logging for auto-dnssec inline signing

2019-11-09 Thread Matthew Richardson
What "category" should one be logging in order to get details of DNSSEC inline signing when running Bind 9.8.11? I have an authoritative master server with a number of domains set with:- inline-signing yes; auto-dnssec maintain; and have a suspicion that Bind has simply

Re: Logging of notify sending

2019-05-28 Thread Tony Finch
Greg Rivers wrote: > As Rick Dicaire said previously, "Notifications themselves don't use TSIG". Depends on your configuration :-) 28-May-2019 01:43:13.162 notify: info: client @0x5591b0877080 2001:630:212:8::d:aa#31085/key tsig-ipreg: view main: received notify for zone 'cam.ac

Re: Logging of notify sending

2019-05-26 Thread Rick Dicaire
On Sun, May 26, 2019 at 6:05 PM Rick Dicaire wrote: > dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key > gw-zones: received notify for zone 'ldev': TSIG 'gw-zones' > > Seems I got it to work. Thanks Axel, and list. > While I see the receiving slave show TSIG in log message, does

Re: Logging of notify sending

2019-05-26 Thread Rick Dicaire
dns2 named[23971]: client @0x7fa83ce341c0 192.168.15.1#37178/key gw-zones: received notify for zone 'ldev': TSIG 'gw-zones' Seems I got it to work. Thanks Axel, and list. On Sun, May 26, 2019 at 4:37 PM Greg Rivers wrote: > On Sunday, May 26, 2019 11:51:38 AM CDT Axel Rau wrote: > > > > > Am 2

Re: Logging of notify sending

2019-05-26 Thread Greg Rivers
On Sunday, May 26, 2019 11:51:38 AM CDT Axel Rau wrote: > > > Am 26.05.2019 um 18:38 schrieb Rick Dicaire : > > > A quick google search of "bind also-notify key" returns: > > > > https://kb.isc.org/docs/aa-00851 > > https://kb.isc.org/docs/aa-00296 > > > > Looks like keys provide a means to dif

Re: Logging of notify sending

2019-05-26 Thread Axel Rau
> Am 26.05.2019 um 18:38 schrieb Rick Dicaire : > A quick google search of "bind also-notify key" returns: > > https://kb.isc.org/docs/aa-00851 > https://kb.isc.org/docs/aa-00296 > > Looks like keys provide a means to differentiate views. ARM for bind 9.14.1 says on page 24: For example, a k

Re: Logging of notify sending

2019-05-26 Thread Rick Dicaire
> On Sun, May 26, 2019 at 3:43 AM Axel Rau wrote: > So what for is the optional key in the also-notify statement? A quick google search of "bind also-notify key" returns: https://kb.isc.org/docs/aa-00851 https://kb.isc.org/docs/aa-00296 Looks like keys provide a means to differentiate views.

Re: Logging of notify sending

2019-05-26 Thread Axel Rau
> Am 26.05.2019 um 00:24 schrieb Greg Rivers : > > On Saturday, May 25, 2019 4:07:45 PM CDT Axel Rau wrote: >>> Am 25.05.2019 um 22:30 schrieb Anand Buddhdev : >>> 25-May-2019 10:00:02.589 notify: zone 2.in-addr.arpa/IN: sending notifies >>> (serial 1558778402) >> >> Yes, but even with debug 8

Re: Logging of notify sending

2019-05-25 Thread Greg Rivers
On Saturday, May 25, 2019 4:07:45 PM CDT Axel Rau wrote: > > Am 25.05.2019 um 22:30 schrieb Anand Buddhdev : > > 25-May-2019 10:00:02.589 notify: zone 2.in-addr.arpa/IN: sending notifies > > (serial 1558778402) > > Yes, but even with debug 8, I get only this summary. > No chance to get an log entry

Re: Logging of notify sending

2019-05-25 Thread Axel Rau
> Am 25.05.2019 um 22:30 schrieb Anand Buddhdev : > > 25-May-2019 10:00:02.589 notify: zone 2.in-addr.arpa/IN: > sending > notifies (serial 1558778402) Yes, but even with debug 8, I get only this summary. No chance to get an log entry per server and the TSIG key in use. Thanks,

Re: Logging of notify sending

2019-05-25 Thread Rick Dicaire
0 > 192.168.15.13#52447/key gw-zones (dhcp.ldev): transfer of 'dhcp.ldev/IN': > IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320) > May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial > 2017051320: TSIG 'gw-zon

Re: Logging of notify sending

2019-05-25 Thread Anand Buddhdev
On 25/05/2019 18:26, Axel Rau wrote: Hi Axel, > category notify seems to cover reception of notifies. > How can I log sending of notifies? > I want to check, if the TSIG key is being used for the notify. > > tcpdump seems not to show any keys. BIND *does* log sending notifies, in the "notify" c

Re: Logging of notify sending

2019-05-25 Thread Axel Rau
IXFR started: TSIG gw-zones (serial 2017051319 -> 2017051320) > May 25 13:04:28 dns2 named[23971]: zone dhcp.ldev/IN: transferred serial > 2017051320: TSIG 'gw-zones‘ This is logging of zone transfer, not sending of notify. Axel --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius

Re: Logging of notify sending

2019-05-25 Thread Rick Dicaire
On Sat, May 25, 2019 at 12:27 PM Axel Rau wrote: > Hi all, > > category notify seems to cover reception of notifies. > How can I log sending of notifies? > I want to check, if the TSIG key is being used for the notify. > > Have you looked at syslog? You should see similar to: May 25 13:04:28 dn

Logging of notify sending

2019-05-25 Thread Axel Rau
Hi all, category notify seems to cover reception of notifies. How can I log sending of notifies? I want to check, if the TSIG key is being used for the notify. tcpdump seems not to show any keys. Thanks, Axel --- PGP-Key:29E99DD6 ☀ computing @ chaos claudius

Re: Logging ECS information for RPZ rewrites

2018-05-16 Thread Tony Finch
non-BIND ways that you might accomplish this: (1) Do the logging on the RPZ redirection target server. (2) Get dnsdist to log responses that have been rewritten by RPZ. Tony. -- f.anthony.n.finch http://dotat.at/ public services available on equal terms to all

Logging ECS information for RPZ rewrites

2018-05-15 Thread Brian Keifer
I'm working on creating a highly-available group of BIND servers to serve as caching nameservers with RPZs built from various threat intel feeds to help prevent unwanted activity on our network. The architecture I've been working with so far is a pair of front-end proxy servers running keepalived

Re: BIND and Windows DNS logging and archiving

2018-05-09 Thread Mick Lee
this useful. > > Mick > > On Tue, Aug 15, 2017 at 5:29 PM, Mick Lee wrote: > >> Forgot to CC the list. >> >> -- Forwarded message -- >> From: Mick Lee >> Date: Sat, Aug 12, 2017 at 6:55 PM >> Subject: Re: BIND and Windows DNS logg

Re: RPZ logging

2018-04-28 Thread Blason R
t;> On Sat, Apr 28, 2018 at 11:29 PM, Blason R wrote: >> >>> Hi Folks, >>> >>> I have been struggligng with exact RPZ/Bind option/statement which >>> enables the logging for RPZ and shows if the query matches RPZ zone. >>> >>> Can

Re: RPZ logging

2018-04-28 Thread Blason R
struggling with exact RPZ/Bind option/statement which >> enables the logging for RPZ and shows if the query matches RPZ zone. >> >> Can someone please help me? >> >> > I think the required rpz logging related lines in my named.conf are: > > logging { > >

Re: RPZ logging

2018-04-28 Thread Bob Harold
On Sat, Apr 28, 2018 at 11:29 PM, Blason R wrote: > Hi Folks, > > I have been struggling with exact RPZ/Bind option/statement which enables > the logging for RPZ and shows if the query matches RPZ zone. > > Can someone please help me? > > I think the required rpz log

RPZ logging

2018-04-28 Thread Blason R
Hi Folks, I have been struggling with exact RPZ/Bind option/statement which enables the logging for RPZ and shows if the query matches RPZ zone. Can someone please help me?

Re: BIND and Windows DNS logging and archiving

2018-04-11 Thread Mick Lee
ND and Windows DNS logging and archiving > To: Phil Mayers > > > Thanks, > > I checked and it doesn't look like dnscap would work with little change :( > Anyway, my colleague has now implemented a similar tool called > dns-activity-logger. > > I mention it here si

Re: Impossible to activate logging

2018-01-18 Thread Pierre Couderc
On 01/18/2018 01:01 PM, Anand Buddhdev wrote: I don't know what the function "isc_file_isplainfile" checks for, but perhaps the executable bits on the file are causing the failure. Log files shouldn't be executable, so you normally need mode 0644 for them. Try changing the mode, and seeing if

Re: Impossible to activate logging

2018-01-18 Thread Anand Buddhdev
e > '/var/log/bind/bind.log' failed: permission denied > Jan 18 10:21:13 bind named[893]: configuring logging: permission denied > Jan 18 10:21:13 bind named[893]: loading configuration: permission denied > Jan 18 10:21:13 bind named[893]: exiting (due to fatal error) > ... >

Impossible to activate logging

2018-01-18 Thread Pierre Couderc
named[893]: configuring logging: permission denied Jan 18 10:21:13 bind named[893]: loading configuration: permission denied Jan 18 10:21:13 bind named[893]: exiting (due to fatal error) ... And I do not use apparmor and : root@bind:~# ls -lh /var/log total 512K -rw-r--r-- 1 root root 7.9K De

Re: R: Logging resolved IP

2017-09-20 Thread Tony Finch
Job wrote: > > Do you also know if it can slow down performances or it is fully transparent? I haven't given dnstap a serious test I am afraid. Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode Forties, Cromarty, Forth, Tyne, Dogger: South or southwest, becoming cyclonic in

R: Logging resolved IP

2017-09-20 Thread Job
>Or (on 9.11 and later) use dnstap, which should be a good deal faster. Dear Tony, thank you. It seems like a "bridge" that permit resolved IP logging. Do you also know if it can slow down performances or it is fully transparent? Thank

Re: Logging resolved IP

2017-09-19 Thread Tony Finch
Mukund Sivaraman wrote: > On Tue, Sep 19, 2017 at 05:16:36PM +0200, Job wrote: > > > > is there a way to log resolved IP in Bind log files? > > I am able to do it with tcpdump, but i do not like a "sniffering" solution! > > Turn up logging level to over 10,

Re: Logging resolved IP

2017-09-19 Thread Alberto Colosi
strange as need , see channels inside logging engine is user query log , create a log channel for queries done it does not change if done from a client or another dns really it is a huge volume log (depending on number of queries) From: bind-users on

Re: Logging resolved IP

2017-09-19 Thread Mukund Sivaraman
On Tue, Sep 19, 2017 at 05:16:36PM +0200, Job wrote: > Hi guys, > > is there a way to log resolved IP in Bind log files? > Example: > www.google.com 4.3.2.1 > > I am able to do it with tcpdump, but i do not like a "sniffering" solution! Turn up logging level to o

Logging resolved IP

2017-09-19 Thread Job
Hi guys, is there a way to log resolved IP in Bind log files? Example: www.google.com 4.3.2.1 I am able to do it with tcpdump, but i do not like a "sniffering" solution! Best, F

Fwd: BIND and Windows DNS logging and archiving

2017-08-15 Thread Mick Lee
Forgot to CC the list. -- Forwarded message -- From: Mick Lee Date: Sat, Aug 12, 2017 at 6:55 PM Subject: Re: BIND and Windows DNS logging and archiving To: Phil Mayers Thanks, I checked and it doesn't look like dnscap would work with little change :( Anyway, my coll

Re: BIND and Windows DNS logging and archiving

2017-07-23 Thread Phil Mayers
On 23/07/2017 15:16, Mick Lee wrote: I have a colleague who has said he has a parts of a PCAP to BIND query log agent that runs on UNIX platforms, and he is happy to port that to Windows for me - he's actually working on it now (for a few beers :) ). dnscap basically does the same thing. No i

Re: BIND and Windows DNS logging and archiving

2017-07-23 Thread Mick Lee
th a limit. It also logs responses for certain record types which is nice. I'll give that a try, sounds like it will give me query logging formatted logs, which I can push into pretty much anything :) Many thanks Mick On 23 Jul 2017 3:06 p.m., "Phil Mayers" wrote: On 22/07/201

Re: BIND and Windows DNS logging and archiving

2017-07-23 Thread Phil Mayers
On 22/07/2017 07:33, Mick Lee wrote: Hi Guys, Can anyone offer any advice based on their experience? Well, if I understand correctly, your main problem is the windows boxes running windows DNS, so this is not a bind problem. You might be better asking elsewhere. However, honestly I would c

Re: BIND and Windows DNS logging and archiving

2017-07-22 Thread Barry S. Finkel
w know to be bad. I am currently using query logging on Linux, and Syslog to move the data around, and simple regex matching to look for domains, but I need to get the data from Windows servers and the current tooling is not performant/scalable. I could just enable Windows DNS logging and try to ge

Re: BIND and Windows DNS logging and archiving

2017-07-21 Thread Mick Lee
't change or re-compiled I'm afraid) and Windows DNS, and I have a need to log DNS queries from about 100 or so of these types of servers, to identify queries to specific domains, and to be able to go back through and search for queries to domains which we now know to be bad. I am currently using qu

BIND and Windows DNS logging and archiving

2017-07-19 Thread Mick Lee
ervers, to identify queries to specific domains, and to be able to go back through and search for queries to domains which we now know to be bad. I am currently using query logging on Linux, and Syslog to move the data around, and simple regex matching to look for domains, but I need to get the data fr

Re: Stop Reverse resolution query Logging

2017-06-02 Thread /dev/rob0
On Thu, Jun 01, 2017 at 04:28:23PM +0200, Job wrote: > is there a way in Bind 9 to stop logging (to bind.log standard > file) all the in-addr.arpa queries? What "standard" is this? The default logging for named goes to syslog, and from there it's up to your syslogd

RE: Stop Reverse resolution query Logging

2017-06-01 Thread Darcy Kevin (FCA)
'es and the like. - Kevin -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Job Sent: Thursday, June 01, 2017 10:28 AM To: bind-users@lists.isc.org Subject: Stop Reverse resolution query Logging Dear guys
