Separate log setting per view in bind

binddomain-name-system

I setup a view in bind to provide different results for VPN users but I do not provide other queries so that non-vpn queries will fail and route back to their internal network dns server(s). It is working fine but I'm getting tired of all the query "denied" messages filling up the syslog.

I tried putting a logging { }; section within the view but bind complained. Any thoughts on how I can separate the security messages out for this particular view?

Best Answer

It's not possible to specify a logging statement per view. However, if you use syslog logging with syslog-ng you can filter out the messages by using a filter.

filter f_no_named_denied {
   not match (regex for the message here);
};

Then apply this filter to whichever rule that you use for DNS logs.

Related Solutions

BIND – How to Open Debug Logging on Ubuntu

How to see what's going on:

To view what the server is doing live, if you have rndc configured run rndc trace x (where x is the debugging level you want to view).
To view what the server is doing live without rndc you'll have to run the server in foreground mode named -g -d x (where x is again is the debug level).
To configure logging to a file, open named.conf and edit/add a logging section such as:
```
logging {
        channel default_file {
                file "/var/log/named.log" size 10m;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default{ default_file; };
};
```
Note that this configures the logging for "info" level and higher. This dumps quite a bit of information for a live server. Possible values include "extra", "debug", "info", "error", "fatal", and "dynamic" (a value for -d must be provided on the command line for dynamic).

What's wrong with your server:

Your server is looping back to itself while trying to recursively resolve the domain. Since this is only happening for one domain that you know if, it's likely a problem in your hosts file or in your named.conf file (probably the latter).

Getting request failed: duplicate query is almost always a problem with a forwarders directive that loops back to the server or something similar.

RHEL BIND Server Intermittent error

There's a RH KB article which says this happens when the cache expires, but still contains IPv6 information (they're pretty vague in the root cause).

They suggest disabling IPv6 support, if that's an option.

add OPTIONS="-4" to /etc/sysconfig/named

Best Answer

Related Solutions

BIND – How to Open Debug Logging on Ubuntu

RHEL BIND Server Intermittent error

Related Topic