Any way to filter IP’s when logging queries? (BIND 9.3)

binddomain-name-systemfilteriplogging

I would like to record queries to my DNS from a particular ip. Is this possible?

Right now I have this:

channel query_log {
                file "/var/named/data/queries.log" versions 2 size 1G;
                severity debug 3;
                print-category yes;
                print-severity yes;
                print-time yes;
        };

category queries { query_log;};

As you may imagine, the file "queries.log" grows at an extremely fast rate on our busy network. I just would like to log the queries from a particular ip. Is there a way to do this using any channel option? I thought about creating a separate view (to match the host I want to record) but you can oly have one "logging" option in named.conf (not inside the views) 🙁

Thanks.

Best Answer

I do not think there is any way that you can configure bind to do the filtering you want.

I can think of two ways you could achieve the result I believe you want.

Setup bind query logging, keep only 1 versions, and reduce the size of the logs you are keeping.

Leave a command like below running to constantly monitor changes to the query log and store the information you want to save to a separate file.

tail --follow --retry /var/named/data/queries.log \
      | grep 'ip.ad.dd.res' > /var/named/data/queries_ip.ad.dd.res.log

The second method would be to just use tcpdump to capture all incoming requests from that host. You would use a command like this.

tcpdump -n dst port 53 and src host ip.ad.dd.res > /var/log/dns_ip.ad.dd.res.log

Related Solutions

Log specific queries on Bind 9

Put the right sort of channel stanza in your logging{} block in named.conf.

        channel "client" {
            file "/var/log/client_named.log";
            severity info;
            print-time yes;
        };

would probably do the trick. That should get you this sort of data:

22-Apr-2011 12:06:53.294 client xxx.xxx.xxx.xxx#56202: view external-in: query: st.in.multi.surbl.org IN A +

EDIT: Warning - enabling this sort of logging will generate very large log files very quickly, and could easily fill up your disk without having some sort of log rotation/compression, and is probably best suited to a brief data-gathering session, rather than a permanent configuration.

If that (along with post-processing the resulting log file) is too much, you could do this using a tool like tcpdump.

tcpdump -i eth0 dst port 53 | egrep 'A' | egrep 'xyyzyy.com'

or even better, writing a filter to match on only the right bits of the DNS packet that you want to filter on (the A? type in this case)

Probably easier, though, is to use a tool like dnstop. dnstop webpage will do all the protocol decoding for you, and IIRC you can filter it's output using -n to limit what it captures to a single domain.

DNS – bind9 chroot jail – logging all queries

You can't use symlinks in the chroot jail that point outside of the jail - the symlinks get interpreted relative to the new root directory.

So your link:

# ln -s /var/log/query.log /var/chroot/bind9/var/log/query.log

when run chroot('/var/chroot/bind9') ends up pointing back to itself!

Best Answer

Related Solutions

Log specific queries on Bind 9

DNS – bind9 chroot jail – logging all queries

Related Topic