No subject
Tue Apr 2 00:56:56 UTC 2013
> the BIND ARM:
>
> """""""""""""
> Specify where queries should be logged to.
>
> At startup, specifying the category queries will also enable query logging
> unless querylog option has been specified.
>
> The query log entry reports the client's IP address and port number. The
> query name, class and type. It also reports whether the Recursion Desired
> flag was set (+ if set, - if not set), EDNS was in use (E) or if the query
> was signed (S).
>
> client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
> client ::1#62537: query: www.example.net IN AAAA -SE
> """""""""""""""
>
> Notice the "+" or "-" sign.
And if you are interested, here is a Perl snippet with a regex that will
catch a recursive query for an IPv4 address. The IP address of the
offending host will be available in the read-only variable $4 after a
successful match.
open(QLOG, "<", "query.log") or die "Cannot open query.log: $!";
while (<QLOG>) {
    # skip blanks and comments (should not be any though)
    next if /^\s*(#|$)/;
    # clean up trailing new lines
    chomp;
    # check to see if we have a recursive query; $4 holds the client's IPv4 address
    if (/(^\s*)(client)(\s+)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(.*)(\+)(.*)/)
    {
        print "$4 performed a recursive query. Contact the admin and notify them of the new servers to be used.\n";
    }
}
close QLOG;
hth,
Dave...
[clip...]
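
An added example, not part of the post above or of the BIND ARM: a Python parser for the query-log layout quoted from the ARM that reads the Recursion Desired flag from the flags field itself and counts recursive queries per client, IPv4 or IPv6. The function names, the constructed sample lines, and the tolerance for a leading timestamp or a parenthesised name after the port are assumptions.

```python
import re
from collections import Counter

# Layout from the ARM excerpt quoted above:
#   client <addr>#<port>: query: <name> <class> <type> <flags>
# Assumption: a timestamp may precede "client" and a "(name)" may follow the port.
QUERY_RE = re.compile(
    r"client\s+(?P<addr>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
    r"(?:\s+\([^)]*\))?:\s+query:\s+"
    r"(?P<name>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<rd>[+-])(?P<flags>[A-Za-z]*)"
)

def parse_query_line(line):
    """Return a dict describing one query-log entry, or None if it does not match."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["recursion_desired"] = rec.pop("rd") == "+"   # + if set, - if not set
    rec["edns"] = "E" in rec["flags"]                 # EDNS was in use
    rec["signed"] = "S" in rec["flags"]               # query was signed
    return rec

def recursive_clients(lines):
    """Count queries with the Recursion Desired flag set, keyed by client address."""
    counts = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec and rec["recursion_desired"]:
            counts[rec["addr"]] += 1
    return dict(counts)

# The first two lines are the ARM examples; the rest are constructed for this example.
SAMPLE_LOG = [
    "client 127.0.0.1#62536: query: www.example.com IN AAAA +SE",
    "client ::1#62537: query: www.example.net IN AAAA -SE",
    "02-Apr-2013 00:56:56.123 client 192.0.2.7#40000: query: example.org IN A +",
    "client 192.0.2.7#40001: query: example.org IN MX +E",
    "client 198.51.100.9#5300: query: a+b.example.org IN A -E",  # '+' only in the name
    "client 2001:db8::5#53000: query: example.com IN A +",
    "zone example.com/IN: loaded serial 2013040201",           # not a query entry
]

if __name__ == "__main__":
    for addr, n in sorted(recursive_clients(SAMPLE_LOG).items()):
        print(f"{addr} sent {n} recursive query(ies)")
```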