Bind 9 query logging

David Forrest drf at maplepark.com
Mon Feb 2 18:54:06 UTC 2009


On Fri, 30 Jan 2009, Robert Coward wrote:

> Sorry, I should have been a bit more specific. In reference to the
> O'Reilly book:
>
> O'Reilly DNS and Bind by Paul Albitz & Cricket Liu (4th Edition)
> pg. 163 - 173 (specifically pg. 164, paragraph 4) and
> pg. 405 - 421 (info about using the debug options)
>
> The web sites I looked at were:
>
> http://www.bind9.net/manuals
>
> and
>
> http://www.zytrax.com/books/dns
>
> So reading your response the current version of Bind (9.6 I think) does not
> have the ability to log the responses.
>
>
> O Reilly DNS and Bind Paul Albitz & Cricket Liu
>
Using 9.6.0-P1, I enabled the querylogs option like this:
    channel querylogs {
        file "/var/log/dnsqueries" size 20m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { querylogs; };

and it generated a quite large log file so I wrote a rather inefficient 
bash script to distill it down to more readable format and end up with 
this little query report:


              Total      A     NS     MX    TXT    PTR    SOA    SPF

External        740    310      1    353      2      0     73      0
Internal      33504  23758   1545   1222   5533   1445      0      0
Totals        34244  24068   1546   1575   5535   1445     73      0

Other packets: (if any not detailed)
01-Feb-2009 13:34:27.796 queries: info: client 64.246.42.203#40986: view external: query: maplepark.com IN IXFR -
02-Feb-2009 11:32:54.799 queries: info: client 192.168.102.95#53722: view internal: query: _ldap._tcp.dc._msdcs.maplepark.com IN SRV +

DDoS ( . IN NS) attacks follow: (if any)

(Note: I don't get any of these anymore as I have them dropped at the 
firewall.  They amount to about 1000 per day, and demanded some sort of 
attention to make my logs readable.)

The script via cron runs daily mailing the output and it serves my 
purposes for a very small office network.
-- 
David Forrest
St. Louis, Missouri
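
A sketch of the kind of distillation described in the message above, as an added example in Python (it is not the poster's bash script, which is not shown). It assumes the log line layout quoted in the report; the function names, the sample lines and the choice to tally ". IN NS" queries per client address are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

REPORT_TYPES = ("A", "NS", "MX", "TXT", "PTR", "SOA", "SPF")  # report columns
# Line layout with print-time/category/severity on; the view part is optional.
LINE_RE = re.compile(
    r"^\S+ \S+ queries: info: client\s*(?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"(?:view (?P<view>\S+): )?query: (?P<qname>\S+) \S+ (?P<qtype>\S+)"
)
# Constructed sample lines (documentation addresses and names), not real traffic.
SAMPLE = """\
02-Feb-2009 11:00:00.001 queries: info: client 192.0.2.10#40001: view internal: query: www.example.com IN A +
02-Feb-2009 11:00:01.002 queries: info: client 192.0.2.10#40002: view internal: query: example.com IN MX +
02-Feb-2009 11:00:02.003 queries: info: client 192.0.2.11#40003: view internal: query: _ldap._tcp.example.com IN SRV +
02-Feb-2009 11:00:03.004 queries: info: client 198.51.100.7#5301: view external: query: . IN NS +
02-Feb-2009 11:00:03.504 queries: info: client 198.51.100.7#5302: view external: query: . IN NS +
02-Feb-2009 11:00:04.005 queries: info: client203.0.113.5#5303: view external: query: example.com IN SOA -
this line is not a query log entry
"""

def summarize(lines):
    """Return (per-view counts, lines of unlisted types, root-NS clients, unparsed)."""
    counts, other, root_ns, unparsed = defaultdict(Counter), [], Counter(), 0
    for line in filter(None, map(str.strip, lines)):
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1
            continue
        view, qtype = (m["view"] or "none").capitalize(), m["qtype"].upper()
        counts[view]["Total"] += 1
        counts[view][qtype] += 1
        if qtype not in REPORT_TYPES:
            other.append(line)          # shown under "Other packets"
        if m["qname"] == "." and qtype == "NS":
            root_ns[m["ip"]] += 1       # the ". IN NS" queries, per client
    return counts, other, root_ns, unparsed

def render(counts):
    cols = ("Total",) + REPORT_TYPES
    rows = [" " * 9 + "".join(f"{c:>7}" for c in cols)]
    totals = Counter()
    for view in sorted(counts):
        totals.update(counts[view])
        rows.append(f"{view:<9}" + "".join(f"{counts[view][c]:>7}" for c in cols))
    rows.append(f"{'Totals':<9}" + "".join(f"{totals[c]:>7}" for c in cols))
    return "\n".join(rows)

if __name__ == "__main__":
    print(render(summarize(SAMPLE.splitlines())[0]))
```

For a daily run, pass the open log file to summarize() in place of the sample lines; the per-client root-NS tally gives the addresses to review against the firewall drop rule.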



More information about the bind-users mailing list