BIND – How to Open Debug Logging on Ubuntu

binddomain-name-systemUbuntu

I have a BIND server running on Ubuntu that is failing to lookup www.microsoft.com or any records at Microsoft. All other domains like google.com and yahoo.com seem to be working just fine. I am looking for some suggestions on how to improve logging to figure out why BIND is having problems with this domain.

I already am capturing the query channel into the default_syslog and see the queries coming to the server, but I don't see the result of the efforts of the BIND server in trying to find the IP address of these names.

Symptoms

> ping www.microsoft.com fails on lookup, indicates host is not found

> dig @A.B.C.D www.microsoft.com also times out, where A.B.C.D is the IP address of this internal DNS server.

other queries seem to work fine

At this time, I am using db.root for the root servers and have no forwarders setup in this configuration. I would expect this server to be determining the root servers of microsoft.com and then being able to find the records from there. Thank you for any suggestions on how to improve logging detail in BIND and where to look for the log messages.

Best Answer

How to see what's going on:

To view what the server is doing live, if you have rndc configured run rndc trace x (where x is the debugging level you want to view).
To view what the server is doing live without rndc you'll have to run the server in foreground mode named -g -d x (where x is again is the debug level).
To configure logging to a file, open named.conf and edit/add a logging section such as:
```
logging {
        channel default_file {
                file "/var/log/named.log" size 10m;
                severity info;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default{ default_file; };
};
```
Note that this configures the logging for "info" level and higher. This dumps quite a bit of information for a live server. Possible values include "extra", "debug", "info", "error", "fatal", and "dynamic" (a value for -d must be provided on the command line for dynamic).

What's wrong with your server:

Your server is looping back to itself while trying to recursively resolve the domain. Since this is only happening for one domain that you know if, it's likely a problem in your hosts file or in your named.conf file (probably the latter).

Getting request failed: duplicate query is almost always a problem with a forwarders directive that loops back to the server or something similar.

Related Solutions

Separate log setting per view in bind

It's not possible to specify a logging statement per view. However, if you use syslog logging with syslog-ng you can filter out the messages by using a filter.

filter f_no_named_denied {
   not match (regex for the message here);
};

Then apply this filter to whichever rule that you use for DNS logs.

Need to configure BIND server query logging with versions

Does anyone know how to get DNS Query logs, in a rotation of 3 files on a SLES 11 BIND server working? It doesn't seem like it should be anywhere near this much of a hassle.

It shouldn't be a hassle -- the syntax is straightforward and well-exercised (thousands and thousands of nameserver admins have use it.) It's theoretically possible but very unlikely you've found a new bug in it. Let's look at the more likely causes.

It never hurts to check your syntax first.. As explained in the BIND Administrator's Reference Manual (aka "ARM", a copy of the ARM appropriate to your BIND version is included with your BIND source or can be found at ISC's web site) 6.2.10, you should first define a channel, e.g.:

channel example_query_channel { 
   file "bind_query.log" versions 3 size 20m; 
   print-time yes;
   print-category yes;
};

then direct the category you are interested in logging (i.e. "queries") to that channel:

category queries {
   example_query_channel; 
};

You can use the named-checkconf utility that comes with BIND to check the syntax of your config file for errors before you try to restart BIND with it.

If that doesn't work for you, you have a filesystem permission problem of some sort and not a BIND problem specifically; BIND is being prevented somehow from writing to the file you have specified in its appropriate directory. Maybe you are dropping privileges to run as a non-root user and that user doesn't have -x perms to traverse all directories in the path from the filesystem root to the directory you are writing in, or maybe you don't have -w perms to write files in that directory. Or possibly you have another security layer (you mention AppArmor) which is complicating matters further.

Best Answer

Related Solutions

Separate log setting per view in bind

Need to configure BIND server query logging with versions

Related Topic