BIND: enabling logging of denied queries

bindlogging

Im trying to get bind 9.11 (default on CentOS 8) to log queries, wich could not been answered or that lists clients that constantly querying the server, but are not allowed to.

Finally I want to use this logging to feed it to fail2ban and block those "idiots".

The server is a primary NS responsible to answer queries about domains its holds, but nothing more.

First I tried to log everything, like described in https://kb.isc.org/docs/aa-01526 even with full debug level, but never found a logline including the word "denied" or similar, except when somebody asked for a complete zone transfers (wich are surely only allowed from the secondary NS) like this:

27-Aug-2020 11:40:47.317 client @0x7fd284052510 94.102.208.167#51041 (somedomain.com): zone transfer 'somedomain.com/AXFR/IN' denied

When asking the server with a query for a name he is not responsible for, the client gets an:

dig @ns.mydomain.com www.disney.com
Non-authoritative answer:
*** Can't find www.disney.com: No answer

what is right, but bind only logs something like this:

27-Aug-2020 11:43:27.741 queries: info: client @0x7fd2840bf440 1.2.3.4#34369 (www.disney.com): query: www.disney.com IN A + (x.x.x.x)

which gives me no clue, what kind of answer was send to the client.

Current config is:

logging {
        channel "my_queries" {
                file "/var/log/named.queries" versions 600 size 20m;
                print-time yes;
                print-category yes;
                print-severity yes;
                severity dynamic;
        };
        channel "security_file" {
                file "/var/log/named.security";
                severity dynamic;
                print-time yes;
        };
        category "queries" { "my_queries"; };
        category client { "security_file"; };
        category security { "security_file"; };
        category lame-servers { null; };
};

So: how can I create logentries for clients that where not allowed to ask the server in the first place ?

Best Answer

In my case I see :

27-Aug-2020 13:33:17.170 security: info: client @0x7f88b57bdf90 192.168.10.165#18237 (www.google.com): view 192.168.10.0/24: query (cache) 'www.google.com/AAAA/IN' denied
27-Aug-2020 13:33:17.170 query-errors: info: client @0x7f88b57bdf90 192.168.10.165#18237 (www.google.com): view 192.168.10.0/24: query failed (REFUSED) for www.google.com/IN/AAAA at ../../../bin/named/query.c:7144

My configuration is (in /etc/bind/named.conf.options) :

logging {
  channel replace_syslog {
    file "/var/log/bind/named.log" versions 5 size 2m;
    severity info;
    print-time yes;
    print-category yes;
    print-severity yes;
    };
  category default { replace_syslog; default_debug; default_syslog ; };
  category lame-servers { null; };
  channel query.log {
    file "/var/log/bind/query.log" versions 2 size 2M;
    severity debug 3;
    print-time yes;
  };
  category queries { query.log; };
};

Related Solutions

Any way to filter IP’s when logging queries? (BIND 9.3)

I do not think there is any way that you can configure bind to do the filtering you want.

I can think of two ways you could achieve the result I believe you want.

Setup bind query logging, keep only 1 versions, and reduce the size of the logs you are keeping.

Leave a command like below running to constantly monitor changes to the query log and store the information you want to save to a separate file.

tail --follow --retry /var/named/data/queries.log \
      | grep 'ip.ad.dd.res' > /var/named/data/queries_ip.ad.dd.res.log

The second method would be to just use tcpdump to capture all incoming requests from that host. You would use a command like this.

tcpdump -n dst port 53 and src host ip.ad.dd.res > /var/log/dns_ip.ad.dd.res.log

Log specific queries on Bind 9

Put the right sort of channel stanza in your logging{} block in named.conf.

        channel "client" {
            file "/var/log/client_named.log";
            severity info;
            print-time yes;
        };

would probably do the trick. That should get you this sort of data:

22-Apr-2011 12:06:53.294 client xxx.xxx.xxx.xxx#56202: view external-in: query: st.in.multi.surbl.org IN A +

EDIT: Warning - enabling this sort of logging will generate very large log files very quickly, and could easily fill up your disk without having some sort of log rotation/compression, and is probably best suited to a brief data-gathering session, rather than a permanent configuration.

If that (along with post-processing the resulting log file) is too much, you could do this using a tool like tcpdump.

tcpdump -i eth0 dst port 53 | egrep 'A' | egrep 'xyyzyy.com'

or even better, writing a filter to match on only the right bits of the DNS packet that you want to filter on (the A? type in this case)

Probably easier, though, is to use a tool like dnstop. dnstop webpage will do all the protocol decoding for you, and IIRC you can filter it's output using -n to limit what it captures to a single domain.

Best Answer

Related Solutions

Any way to filter IP’s when logging queries? (BIND 9.3)

Log specific queries on Bind 9

Related Topic