I'm trying to get bind 9.11 (default on CentOS 8) to log queries which could not be answered, or to list clients that are constantly querying the server but are not allowed to.
Finally, I want to feed this logging to fail2ban and block those "idiots".
The server is a primary NS responsible for answering queries about the domains it holds, but nothing more.
First I tried to log everything, as described in https://kb.isc.org/docs/aa-01526, even with full debug level, but never found a log line including the word "denied" or similar, except when somebody asked for a complete zone transfer (which is of course only allowed from the secondary NS), like this:
27-Aug-2020 11:40:47.317 client @0x7fd284052510 94.102.208.167#51041 (somedomain.com): zone transfer 'somedomain.com/AXFR/IN' denied
When asking the server for a name it is not responsible for, the client gets:
dig @ns.mydomain.com www.disney.com
Non-authoritative answer:
*** Can't find www.disney.com: No answer
which is right, but bind only logs something like this:
27-Aug-2020 11:43:27.741 queries: info: client @0x7fd2840bf440 1.2.3.4#34369 (www.disney.com): query: www.disney.com IN A + (x.x.x.x)
which gives me no clue what kind of answer was sent to the client.
Current config is:
logging {
    channel "my_queries" {
        file "/var/log/named.queries" versions 600 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity dynamic;
    };
    channel "security_file" {
        file "/var/log/named.security";
        severity dynamic;
        print-time yes;
    };
    category "queries" { "my_queries"; };
    category client { "security_file"; };
    category security { "security_file"; };
    category lame-servers { null; };
};
So: how can I create log entries for clients that were not allowed to ask the server in the first place?
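As an added example (not part of the question or of any answer), the following Python parses the two shapes of BIND 9.11 client log line quoted above and counts explicit denials per client IP, which is the kind of pre-filter a fail2ban jail would act on. The sample log lines are constructed (TEST-NET addresses), and the example assumes the lines come from the channels shown in the question, so the "queries: info:" prefix is present only where print-category and print-severity are on.

```python
import re
from collections import defaultdict

# Constructed sample lines (TEST-NET addresses, not real traffic) in the same shape as the
# lines quoted in the question: one channel prints category/severity, the other does not.
SAMPLE_LOG = """\
27-Aug-2020 11:40:47.317 client @0x7fd284052510 192.0.2.10#51041 (somedomain.com): zone transfer 'somedomain.com/AXFR/IN' denied
27-Aug-2020 11:43:27.741 queries: info: client @0x7fd2840bf440 198.51.100.7#34369 (www.disney.com): query: www.disney.com IN A + (192.0.2.53)
27-Aug-2020 11:44:01.002 client @0x7fd284052510 192.0.2.10#51042 (somedomain.com): zone transfer 'somedomain.com/AXFR/IN' denied
27-Aug-2020 11:44:09.118 queries: info: client @0x7fd2840bf440 192.0.2.10#51043 (somedomain.com): query: somedomain.com IN SOA + (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} [\d:.]+) "
    r"(?:(?P<category>[\w-]+): (?P<severity>\w+): )?"  # only with print-category/print-severity
    r"client @0x[0-9a-f]+ (?P<ip>[^#\s]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Return the fields of one BIND client log line, or None if the line is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Only a message ending in "denied" records a refusal; a plain "query:" line
    # says nothing about which answer the server sent, exactly as the question notes.
    rec["denied"] = rec["msg"].endswith("denied")
    return rec

def per_client_counts(lines):
    """Map client IP -> {"total": lines seen, "denied": explicit denials}."""
    counts = defaultdict(lambda: {"total": 0, "denied": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["ip"]]["total"] += 1
        if rec["denied"]:
            counts[rec["ip"]]["denied"] += 1
    return dict(counts)

def ban_candidates(lines, min_denied=2):
    """IPs with at least min_denied explicit denials: the set a fail2ban jail would act on."""
    return sorted(ip for ip, c in per_client_counts(lines).items() if c["denied"] >= min_denied)

if __name__ == "__main__":
    print(per_client_counts(SAMPLE_LOG.splitlines()))
    print(ban_candidates(SAMPLE_LOG.splitlines()))
```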
Best Answer
In my case I see:
My configuration is (in /etc/bind/named.conf.options):