In BIND 8.2 running on Solaris 8, how to start logging

Mike Hoskins (michoski) michoski at cisco.com
Fri Jun 27 17:19:56 UTC 2014


-----Original Message-----
From: Samad Agha <samad.agha2007 at gmail.com>
Date: Friday, June 27, 2014 at 1:07 PM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>, DNS BIND
<bind-users at isc.org>
Subject: In BIND 8.2 running on Solaris 8, how to start logging

>Hi All,
>I have two Solaris 8 servers running BIND 8.2. I'd like to retire them
>both and transfer everything to a couple of RHEL 7 boxes. The City (I
>work for a mid-size California city) has outsourced different aspects of
>our DNS that I even lost track and have
> no idea what these two DNS servers serve. I'd like to start logging all
>queries on these two boxes to know who queries them. How do I start a
>comprehensive logging to capture all transactions going through these two
>servers?
> 
>Please advise; please be thorough and don't assume anything. Many thanks
>in advance.

I see two options:

Enable query logging.  In your named.conf, do something like:

logging {
	// dedicated channel for query records; rotate at 10 MB, keep 5 old copies
	channel my_querylog {
		file "/var/adm/query.log" versions 5 size 10m;
		print-time yes;	// prefix each record with a timestamp
	};
	// send every query record to that channel
	category queries { my_querylog; };
};


Adjust paths, number of copies (versions) to keep, etc.  Note that this
can fill quickly on busy servers.

Alternatively, use tcpdump to write a pcap of anything to 53/udp or 53/tcp
and analyze it after 1, 7, 30 or whatever days.  Again, if the server is
busy you will get a very large file.  You can limit the amount of time you
capture traffic, or rotate capture files with -C <size>, e.g. tcpdump -i
eth0 -s0 -C 100 -w dnscap <filter> (you'll end up with dnscap1, dnscap2,
etc., each 100MB in size).

Good luck, BIND 8.2 is ancient now so good to hear you are working to get
it updated.
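Once the query log above is filling up, the question the original poster actually has (who queries these boxes, and for which names) is a matter of summarising it. The following is an added example, not part of the mailing-list reply or of BIND itself. It assumes the record format the BIND 8 queries category writes with print-time enabled, namely a timestamp, the marker XX (XX+ when the client set the recursion-desired bit), then /client/qname/class/type; the log lines embedded in it are constructed samples using reserved example addresses and domains, and the zone grouping is a simple last-two-labels heuristic rather than a real zone cut.

```python
"""Summarise a BIND 8 style query log: who asks, for what, and how often.

Added example; not code from the bind-users post or from BIND. The record
format below is an assumption about what `category queries` writes with
`print-time yes`:

    27-Jun-2014 13:07:01.123 XX /192.0.2.10/www.city.example.org/IN/A

"XX+" instead of "XX" means the client asked for recursion. Non-blank
lines that do not match are counted as unparsed rather than dropped.
"""
import re
from collections import Counter

# Constructed sample log (reserved documentation addresses/domains), not real data.
SAMPLE_LOG = """\
27-Jun-2014 13:07:01.123 XX /192.0.2.10/www.city.example.org/IN/A
27-Jun-2014 13:07:01.456 XX+ /198.51.100.7/mail.city.example.org/IN/MX
27-Jun-2014 13:07:02.001 XX /192.0.2.10/city.example.org/IN/SOA
27-Jun-2014 13:07:02.500 XX+ /203.0.113.9/www.example.net/IN/A
27-Jun-2014 13:07:03.000 XX /192.0.2.11/ns1.city.example.org/IN/AAAA
this line is not a query record
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+)\s+"  # print-time stamp
    r"XX(?P<rd>\+?)\s+"                                      # query marker, '+' = RD set
    r"/(?P<client>[^/]+)/(?P<qname>[^/]*)/(?P<qclass>[^/]+)/(?P<qtype>\S+)$"
)


def parse_line(line):
    """Return a dict for one query record, or None if the line is not one."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec.pop("rd") == "+"
    # normalise the name: strip trailing dot, lower-case, empty means root
    rec["qname"] = rec["qname"].rstrip(".").lower() or "."
    return rec


def zone_guess(qname, labels=2):
    """Heuristic grouping by the last `labels` labels (e.g. example.org).
    Good enough for an inventory pass; it is not an authoritative zone cut."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else qname


def summarize(lines):
    """Aggregate clients, names, guessed zones, query types and RD count."""
    clients, qnames, zones, qtypes = Counter(), Counter(), Counter(), Counter()
    total = recursive = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        recursive += int(rec["recursion_desired"])
        clients[rec["client"]] += 1
        qnames[rec["qname"]] += 1
        zones[zone_guess(rec["qname"])] += 1
        qtypes[rec["qtype"]] += 1
    return {"total": total, "recursive": recursive, "unparsed": unparsed,
            "clients": clients, "qnames": qnames, "zones": zones, "qtypes": qtypes}


def report(summary, top=5):
    """Render the summary as text: totals, then the top clients/zones/types."""
    out = [f"{summary['total']} queries, {summary['recursive']} with RD set, "
           f"{summary['unparsed']} unparsed lines"]
    for key in ("clients", "zones", "qtypes"):
        out.append(f"top {key}:")
        for name, n in summary[key].most_common(top):
            out.append(f"  {n:6d}  {name}")
    return "\n".join(out)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/adm/query.log") on a real box.
    print(report(summarize(SAMPLE_LOG.splitlines())))
```

The zone and client counters are what tell you which of the two old servers is still authoritative for something and who still points at it; a large share of RD-set queries from addresses outside the city's own networks is worth a look before the migration, since it means the box is being used as a recursive resolver rather than just serving its zones.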
