Can Query Logging in bind9 go to a Separate File?

Martin McCormick martin at dc.cis.okstate.edu
Wed Oct 1 13:52:01 UTC 2008


	We've got a busy DNS that sometimes receives 1 million
queries per hour so I am going at this _carefully_. The object
here is to save a minute or so's worth of queries and then check
to see if certain systems have made queries. This sounds like an
Orwellian scheme, but the idea is to listen for silence. If our
9 Microsoft Exchange servers haven't asked bind for something in
a minute, probably much less, something is terribly wrong. This
could be either with the servers themselves or the network
connection giving them access to the DNS. Right now, I am not
worried about that. I would like to have a stream or file of
nothing but queries to essentially grep it for client addresses.
If we see them, the servers are doing something. If not, raise
the alarm!

	I turned query logging on on a test system and did a
couple of queries and the log entry is what we need but it is
also in the same log file as zone transfers and updates. On our
busy DNS, I would like to capture the query logs, check them for
the addresses of critical systems, and then discard them as this
could be like filling up thimbles from a fire hose.

	The other possibility might be to set up a slave DNS or
slaves to serve only those systems we are monitoring but that
starts to possibly introduce more chances for mishaps than it
would prevent. The older I get, the more I hate needless
complexity. It makes it harder to fix at 3 o'clock in the
morning when the phone rings.

	Thanks for any ideas, especially on whether it is
possible to isolate just queries in somewhat the same way the
security log is handled.

Martin McCormick WB5AGZ  Stillwater, OK 
Systems Engineer
OSU Information Technology Department Telecommunications Services Group
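The "listen for silence" check the post describes, as an added example
that is not part of the original message or of BIND itself. It assumes
the queries category has been sent to its own file with a named.conf
logging stanza of the kind shown in the leading comment (print-time on,
so each line starts with a timestamp), parses BIND 9 query-log lines,
records the last query seen from each client, and reports which of a set
of critical client addresses has been silent for longer than a window.
The log lines, the 10.1.1.x Exchange addresses and the 60-second window
are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumed named.conf fragment (not from the post): one channel that
# receives only the "queries" category, so zone transfers, updates and
# other messages stay in the default log.
#
#   logging {
#       channel query_log {
#           file "/var/log/named/query.log" versions 3 size 50m;
#           severity info;
#           print-time yes;
#       };
#       category queries { query_log; };
#   };

# A BIND 9 query-log line with print-time yes looks like
#   01-Oct-2008 13:52:01.123 client 10.1.2.3#53211: query: www.example.com IN A + (10.0.0.53)
# Newer releases insert "@0x..." before the client address, and
# print-category/print-severity add "queries: info:"; both are tolerated.
QUERY_RE = re.compile(
    r'^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?:queries:\s+info:\s+)?'
    r'client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+'
    r'.*?\bquery: '
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_query_line(line):
    """Return (timestamp, client_ip) for a query line, or None for anything else."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def last_seen(lines):
    """Map each client address to the timestamp of its most recent query."""
    seen = {}
    for line in lines:
        parsed = parse_query_line(line)
        if parsed is None:
            continue          # zone transfers, updates, junk: ignored
        ts, ip = parsed
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def silent_clients(lines, critical, window_seconds, now=None):
    """Return the critical addresses with no query in the last window_seconds.

    'now' defaults to the newest timestamp in the log, which is what you
    want when the input is the tail of a live file; pass a datetime to
    pin it (as the test below does).
    """
    seen = last_seen(lines)
    if now is None:
        if not seen:
            return sorted(critical)   # no queries at all: everyone is silent
        now = max(seen.values())
    cutoff = now - timedelta(seconds=window_seconds)
    return sorted(ip for ip in critical if ip not in seen or seen[ip] < cutoff)


# Constructed sample: three Exchange servers (10.1.1.10-12), one other
# client, and a non-query line that must be ignored.
SAMPLE_LOG = """\
01-Oct-2008 13:51:30.002 client 10.1.1.11#49152: query: mail.example.edu IN A + (10.0.0.53)
01-Oct-2008 13:52:10.415 client 10.2.2.2#33001: query: www.example.edu IN A + (10.0.0.53)
01-Oct-2008 13:52:30.777 client 10.1.1.10#49153: query: mx1.example.com IN MX + (10.0.0.53)
01-Oct-2008 13:52:31.100 transfer of 'example.edu/IN': AXFR started
01-Oct-2008 13:52:45.900 queries: info: client @0x7f2a1c0 10.1.1.10#49154: query: _autodiscover._tcp.example.edu IN SRV + (10.0.0.53)
""".splitlines()

CRITICAL = {"10.1.1.10", "10.1.1.11", "10.1.1.12"}  # hypothetical Exchange servers
NOW = datetime(2008, 10, 1, 13, 53, 0)


if __name__ == "__main__":
    quiet = silent_clients(SAMPLE_LOG, CRITICAL, 60, NOW)
    if quiet:
        print("ALARM: no queries in the last 60s from:", ", ".join(quiet))
    else:
        print("all critical clients active")
```

For the fire-hose case the script only needs the recent tail, not the
whole file: feed it the output of `tail -c` on the query log (or read
from a rotating channel, as the `versions`/`size` options above do) and
run it from cron or a monitoring check every minute.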