Logging statements w.r.t. view in Bind 9.16.18

Chris Buxton clists at buxtonfamily.us
Tue Aug 24 15:35:10 UTC 2021


The rationale to separate recursive and non-recursive (typically authoritative) services as you describe is largely to do with separating logging, exactly as in this use case. There are also reasons of performance sometimes, but it doesn’t sound like this fits that reason.

You could also see these queries from the outside world with dnstap or similar, logging packets possibly without even involving named. You certainly would not need a view for that. If your clients are not hitting your public address, you could also tell named not to listen on the public address, so that those queries to the public address would be ignored by the operating system. Or you could use iptables, perhaps, to filter out those queries from the public (and even log them…).

As you noted in your initial message, though, logging is global, not per-view. You either have to prevent named from seeing them, or perhaps live with the log messages from that public view. Perhaps your SIEM (if you use one) could split the data based on the view name in the log messages.

Regards,
Chris Buxton

> On Aug 24, 2021, at 7:44 AM, Gaurav Kansal <gaurav.kansal at nic.in> wrote:
> 
> Hi Ged, 
> 
> Actually, recursion is only enabled for a selected set of users, using the geo IP feature of BIND.
> As the server is on a public IP, I have added the PUBLIC view to log the users who are scanning/attempting to connect to my server.
> 
> I hope I have explained my use case.
> 
> Thanks.
> 
> ----- Original Message -----
> From: bind-users at lists.isc.org
> To: bind-users at lists.isc.org
> Sent: Tuesday, August 24, 2021 5:37:35 PM
> Subject: Re: Logging statements w.r.t. view in Bind 9.16.18
> 
> Hi there,
> 
> On Tue, 24 Aug 2021, Gaurav Kansal wrote:
> 
>> I want clarity on whether we can have an individual logging statement
>> per view. Whatever I found on Google, I think we can't.  My
>> use case for a separate logging statement is as follows -
>> 
>> In my recursive server, I have 2 views, one for my internal clients
>> and one for the Internet; I am running the Internet view just to catch
>> hold of scanning IPs (a type of honeypot).
>> 
>> The syntax of the 2 views is as follows -
>> 
>> view "INTRANET" {
>> match-clients { PRIVATE.SEGMENTS ; };
>> recursion yes;
>> };
>> 
>> view "PUBLIC" {
>> match-clients { any; };
>> allow-query { none; } ;
>> recursion no;
>> };
> 
> You have recursion turned off for PUBLIC.  As I understand it, the
> conventional wisdom is not to run recursive and non-recursive services
> on the same BIND instance.  Would it make sense then, in your case, to
> run two separate instances of BIND?  Separating logs is then trivial.
> 
> -- 
> 
> 73,
> Ged.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
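Since named's query log is global but every query line carries a "view NAME:" element when views are configured, the log can be split downstream, as Chris suggests for a SIEM. The following is an added example, not code from the thread or from BIND itself: it parses the BIND 9 query-log line format, groups records by view, and counts source addresses per view so that scanners hitting the PUBLIC view stand out. The sample log lines are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Matches the BIND 9 "queries" category line. The "view NAME:" element is only
# present when named is configured with views (as in the thread's setup).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname_paren>[^)]*)\): view (?P<view>\S+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<local>[^)]+)\)"
)

def parse_query_line(line):
    """Return a dict of fields for a query-log line, or None if it is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def split_by_view(lines):
    """Group parsed query records by the view that handled them."""
    by_view = defaultdict(list)
    for line in lines:
        rec = parse_query_line(line)
        if rec is not None:
            by_view[rec["view"]].append(rec)
    return by_view

def top_sources(records, n=5):
    """Count client addresses; repeated hits in the PUBLIC view are the scanners of interest."""
    return Counter(r["ip"] for r in records).most_common(n)

# Constructed sample log (not real traffic): one internal query, three from the
# public side including a version.bind probe, and one non-query line to ignore.
SAMPLE_LOG = """\
24-Aug-2021 15:35:10.123 queries: info: client @0x7f3c2c0a1b20 10.10.1.25#53211 (intranet.example): view INTRANET: query: intranet.example IN A +E(0)K (10.10.0.53)
24-Aug-2021 15:35:11.456 queries: info: client @0x7f3c2c0a2c40 198.51.100.77#4444 (version.bind): view PUBLIC: query: version.bind CH TXT + (203.0.113.10)
24-Aug-2021 15:35:12.789 queries: info: client @0x7f3c2c0a3d60 198.51.100.77#4445 (example.com): view PUBLIC: query: example.com IN ANY + (203.0.113.10)
24-Aug-2021 15:35:13.012 queries: info: client @0x7f3c2c0a4e80 192.0.2.9#51000 (isc.org): view PUBLIC: query: isc.org IN A + (203.0.113.10)
24-Aug-2021 15:35:14.345 queries: info: resolver priming query complete
"""

if __name__ == "__main__":
    for view, recs in split_by_view(SAMPLE_LOG.splitlines()).items():
        print(view, len(recs), "queries; top sources:", top_sources(recs))
```

Feeding the real query log through the same split lets the PUBLIC records go to a separate file or SIEM index while INTRANET traffic stays in the normal resolver log.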