Bind 9.2.4 and logging
Henning Markussen
hm at mib.dk
Sat Mar 8 11:58:43 UTC 2008
Hi Chris and others
I think in 9.2.4 the logging is a bit different, since I can't reproduce
the example you gave, and Mark wrote that upgrade was the way to go. But
since this is currently not an option, I looked around and I found dnsdump.
http://dns.measurement-factory.com/tools/dnsdump/
That and some scripting gave the output I was looking for :)
- Henning
Chris Buxton wrote:
> You can certainly find out what queries were recursive. Just look in
> your query logs for entries ending in "+" (or "+E", "+S", or "+SE").
> For example:
>
> 05-Mar-2008 13:05:36.362 queries: info: client 127.0.0.1#61683: query: www.menandmice.com IN A +
> 05-Mar-2008 13:05:41.642 queries: info: client 127.0.0.1#61688: query: www.menandmice.com IN A -
> 05-Mar-2008 13:12:46.337 queries: info: client 127.0.0.1#61753: query: www.menandmice.com IN A -S
> 05-Mar-2008 13:13:35.024 queries: info: client 127.0.0.1#61758: query: www.menandmice.com IN A -SE
> 05-Mar-2008 13:15:34.256 queries: info: client 127.0.0.1#61764: query: www.menandmice.com IN A +E
>
> The first query was recursive, the second not. This will generally
> tell you what queries are coming from local stub resolvers (recursive,
> +) and from resolving name servers (iterative, -). However, note that
> a name server that forwards a query, rather than conducting its own
> recursion, sends a recursive query.
>
> Also note that it would be exceptionally odd to see a recursive query
> with the S or E flags - this would almost always come from a
> forwarding name server, or from someone playing games or testing.
>
> As to your earlier misunderstanding, the three categories you named
> are described thusly in the ARM:
> ___
>
> client: Processing of client requests.
>
> resolver: DNS resolution, such as the recursive lookups performed on
> behalf of clients by a caching name server.
>
> queries: Specify where queries should be logged to. At startup,
> specifying the category queries will also enable query logging unless
> querylog option has been specified. The query log entry reports the
> client’s IP address and port number, and the query name, class and
> type. It also reports whether the Recursion Desired flag was set (+ if
> set, - if not set), EDNS was in use (E) or if the query was signed (S).
> client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
> client ::1#62537: query: www.example.net IN AAAA -SE
> ___
>
> It is my understanding that log entries of categories "client" and
> "resolver" will only be at debug level. For example, if I set my
> logging severity threshold to debug 5, then send it a query for some
> name it doesn't have in cache, I get dozens of resolver category
> messages at debug 3, plus one or two at debug 1. Category "client"
> contains about 10 messages of level debug 3, plus one of debug 5. Here
> are the client category messages:
>
> 05-Mar-2008 13:18:22.519 client: debug 3: client 127.0.0.1#61773: UDP request
> 05-Mar-2008 13:18:22.519 client: debug 5: client 127.0.0.1#61773: using view '_default'
> 05-Mar-2008 13:18:22.520 client: debug 3: client 127.0.0.1#61773: query
> 05-Mar-2008 13:18:22.520 client: debug 3: client 127.0.0.1#61773: replace
> 05-Mar-2008 13:18:22.520 client: debug 3: client @0x5bf000: create
> 05-Mar-2008 13:18:22.521 client: debug 3: client @0x5bf000: udprecv
> 05-Mar-2008 13:18:23.194 client: debug 3: client 127.0.0.1#61773: send
> 05-Mar-2008 13:18:23.194 client: debug 3: client 127.0.0.1#61773: sendto
> 05-Mar-2008 13:18:23.194 client: debug 3: client 127.0.0.1#61773: senddone
> 05-Mar-2008 13:18:23.194 client: debug 3: client 127.0.0.1#61773: next
> 05-Mar-2008 13:18:23.194 client: debug 3: client 127.0.0.1#61773: endrequest
>
> As you can see, these are not of much use unless you're debugging
> BIND's behavior.
>
> Chris Buxton
> Professional Services
> Men & Mice
> Address: Noatun 17, IS-105, Reykjavik, Iceland
> Phone: +354 412 1500
> Email: cbuxton at menandmice.com
> www.menandmice.com
>
> Men & Mice
> We bring control and flexibility to network management
>
> On Mar 5, 2008, at 11:22 AM, Henning Markussen wrote:
>
>> So it doesn't look like this is the way ...
>> Any other way to find out if it is a recursive request?
>>
>> - Henning
>>
>> Jeff Reasoner wrote:
>>> I don't know that the other categories are material to what you're
>>> trying to achieve. The logs will contain the source IP and query
>>> regardless of whether it was for in-zone (authoritative) data or
>>> answered out of cache.
>>>
>>> I did the same thing last summer with 9.4.1-P1 and the following in
>>> named.conf:
>>>
>>> channel bind-queries {
>>>     file "/var/log/queries.log" versions 10 size 6m;
>>>     severity info;
>>> };
>>>
>>> I also did some backend scripting to pull out the unique source IPs so I
>>> knew who I had to contact about changes.
>>>
>>> On Mon, 2008-03-03 at 22:58 +0100, Henning Markussen wrote:
>>>> Hi
>>>>
>>>> I'm trying to close down some DNS servers that currently are open to
>>>> recursive requests.
>>>> They are running bind 9.2.4
>>>>
>>>> In this process my plan was to determine what clients are using the
>>>> servers as recursive name servers.
>>>>
>>>> I've found the category resolver, client and queries
>>>>
>>>> queries logs the queries ok - but nothing gets into the resolver or
>>>> client category
>>>>
>>>> channel queries_log {
>>>>     file "/var/log/queries.log" versions 5 size 5m;
>>>>     print-time yes;
>>>>     severity dynamic;
>>>> };
>>>>
>>>> channel resolver_log {
>>>>     file "/var/log/resolver.log" versions 5 size 5m;
>>>>     print-time yes;
>>>>     severity dynamic;
>>>> };
>>>>
>>>> channel client_log {
>>>>     file "/var/log/client.log" versions 5 size 5m;
>>>>     print-time yes;
>>>>     severity dynamic;
>>>> };
>>>>
>>>> category client { client_log; };
>>>> category queries { queries_log; };
>>>> category resolver { resolver_log; };
>>>>
>>>> Is there a category where I can log if a request is to the authoritative
>>>> or to the recursive, or am I just not using the categories correctly?
>>>>
>>>> Thank you for any input or ideas
>>>>
>>>> - Henning
>
>
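The "backend scripting" Jeff mentions, and the recursive-client inventory Henning is after, can be done directly from the query log using the "+" / "-" Recursion Desired marker Chris describes. The script below is an added example written for this page, not code from any poster; it assumes the query-log line format quoted by Chris (Henning notes 9.2.4 prints something different), and the log lines it runs on are constructed, with client IPs from documentation ranges. As the thread points out, an RD-set query may also come from a forwarding name server, so the resulting list is a starting point for contacting clients, not proof that each one is a stub resolver.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# "queries" category line as quoted in the thread. The timestamp is optional
# because it only appears when the channel has "print-time yes".
LINE_RE = re.compile(
    r"^(?:(?P<ts>\S+ \S+) )?queries: info: client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>[+-][ES]*)$"
)


def parse_query_line(line):
    """Return a dict for one query-log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rd"] = rec["flags"][0] == "+"   # Recursion Desired bit set
    rec["edns"] = "E" in rec["flags"]    # EDNS in use
    rec["signed"] = "S" in rec["flags"]  # query was signed (TSIG/SIG(0))
    return rec


def recursive_clients(lines, local_nets=()):
    """Count RD-set queries per client IP, skipping clients inside local_nets."""
    nets = [ip_network(n) for n in local_nets]
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec is None or not rec["rd"]:
            continue
        addr = ip_address(rec["ip"])
        if any(addr in net for net in nets):
            continue
        counts[rec["ip"]] += 1
    return counts


# Constructed sample log, modelled on the format quoted in the thread.
SAMPLE_LOG = """\
05-Mar-2008 13:05:36.362 queries: info: client 127.0.0.1#61683: query: www.menandmice.com IN A +
05-Mar-2008 13:05:41.642 queries: info: client 192.0.2.10#61688: query: www.menandmice.com IN A -
05-Mar-2008 13:12:46.337 queries: info: client 192.0.2.10#61753: query: www.example.net IN MX +E
05-Mar-2008 13:13:35.024 queries: info: client 198.51.100.7#61758: query: www.example.com IN AAAA +SE
05-Mar-2008 13:15:34.256 queries: info: client 2001:db8::1#61764: query: www.example.com IN A -SE
garbage line that should be ignored
""".splitlines()

if __name__ == "__main__":
    # Ignore the server's own loopback traffic; list external clients sending RD queries.
    for ip, n in recursive_clients(SAMPLE_LOG, local_nets=["127.0.0.0/8"]).most_common():
        print(f"{ip}\t{n}")
```

On a real server, replace SAMPLE_LOG with the lines of the file named in the queries channel and put your own prefixes in local_nets so that legitimate internal stub resolvers are filtered out.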