how to log all recursive query responses?
Tom Greaser
tgreaser at hsc.wvu.edu
Wed Aug 6 12:11:48 UTC 2008
logging {
    category lame-servers { null; };
    channel default_syslog {
        syslog local2;
        severity info;
        print-category yes;
        print-severity yes;
    };
    category queries { default_syslog; };
};
>>> Kevin Darcy <kcd at chrysler.com> 08/06/08 12:30 AM >>>
David Sparks wrote:
> I wanted to turn on the responses BIND is giving out to recursive queries. I
> added the below to my named.conf but it didn't do anything. What does
> resolver log do?
>
> channel resolver_log {
> file "/var/log/resolver.log" versions 3 size 100M;
> severity info;
> print-category yes;
> print-severity yes;
> print-time yes;
> };
> category resolver { resolver_log; };
>
I think the "resolver" category is only intended for debugging, so you'd
need "severity dynamic" and a fairly high debug level to capture any
information, and the information you capture would basically only be of
interest to programmers wanting to know about the internal workings of
named's "resolver" code, e.g.
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): answer_response
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): cache_message
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): clone_results
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): cancelquery
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): done
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): stopeverything
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): cancelqueries
06-Aug-2008 00:22:35.053 resolver: debug 3: fctx 10054e420(./NS'): sendevents
06-Aug-2008 00:22:35.053 resolver: debug 3: fetch 1003c66e0 (fctx 10054e420(./NS)): destroyfetch
If you want to capture the contents of the actual *packets* that named
is generating, I'd recommend a packet capture utility such as "tcpdump".
It's not too hard to restrict the captures to responses only, where the
RD flag in the header is set to 1 (indicating that the original query
was recursive). For the PC platform, there's also Wireshark, but to be
honest, I haven't played much with its filtering capabilities.
- Kevin
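
Added example, not part of any message in this thread: the packet-level selection suggested above (responses only, with RD set to 1), written as a DNS header check that a capture post-processor could apply to each UDP payload. The function names and the sample packets are constructed for illustration; the filter string in the comment is the equivalent tcpdump expression for IPv4 UDP.

```python
import struct

# Equivalent tcpdump capture filter (IPv4 UDP): byte 10 of the UDP datagram
# is the first DNS flags byte, where 0x80 = QR (response) and 0x01 = RD.
BPF_FILTER = "udp src port 53 and udp[10] & 0x81 = 0x81"

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def recursive_response(msg):
    """Summarise msg if it is a response (QR=1) with RD=1, else return None."""
    try:
        ident, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
        if flags & 0x8100 != 0x8100:         # need both QR and RD set
            return None
        qname = qtype = None
        if qd:
            qname, off = read_name(msg, 12)
            qtype, _ = struct.unpack("!2H", msg[off:off + 4])
    except (IndexError, struct.error, ValueError):
        return None                          # truncated or malformed packet
    return {"id": ident, "qname": qname, "qtype": qtype,
            "rcode": flags & 0x000F, "answers": an}

def build_sample(ident, flags, name, qtype=1):
    """Constructed test packet: header plus one question, no answer records."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + q + struct.pack("!2H", qtype, 1)
```

A query that merely has RD set (flags 0x0100) and an authoritative response to a non-recursive query (flags 0x8400) are both rejected; only packets with QR and RD together pass.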