How to Log BIND Queries on Ubuntu 12.10
I’ve been troubleshooting some pretty large networks lately, and since DNS underpins most enterprise networks it’s very useful to see what traffic is going through the DNS servers. By default Ubuntu doesn’t log every query, and I can understand why: the average home network generates hundreds of DNS queries an hour, and enterprise networks generate orders of magnitude more.
Option 1 – Quick and Dirty
You can quickly toggle query logging by typing the following into the server shell (running it a second time turns logging off again):
rndc querylog
Then you can follow the information in the standard syslog.
tail -f /var/log/syslog
You should see output like the following letting you know that queries are now logged:
Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on
Option 2 – Full and Stored Logs
If you want to store full logs that you can go back to at a later date you’ll need to make some changes to the BIND configuration.
Logon to your shell as usual, and type the following:
nano /etc/bind/named.conf
Put in the following code at the bottom:
logging {
    channel query.log {
        file "/var/log/query.log";
        severity debug 3;
    };
    category queries { query.log; };
};
Now we need to create the log:
touch /var/log/query.log
Make it writable by the BIND process (on Ubuntu the bind9 package runs named as the user bind):
chown bind:bind /var/log/query.log
Restart BIND:
service bind9 restart
And now you should be able to follow the queries like any other log:
tail -f /var/log/query.log
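Once the queries are landing in a file, the useful part is reading them in bulk. The script below is an added example, not part of the original post: it parses BIND 9 query-log lines of the form "client ADDR#PORT: query: NAME CLASS TYPE FLAGS (SERVER)" (the same shape as the line quoted in the comments, with or without a syslog prefix), counts queries per client, per name and per type, and flags clients whose volume crosses a threshold. The sample lines, the addresses in them and the threshold value are constructed for the example.

```python
"""Summarise a BIND 9 query log (added example; not from the original post).

Assumes the line format BIND 9 writes for `category queries`, for example:
    client 192.168.1.20#46344: query: www.example.com IN A + (192.168.1.1)
optionally preceded by a syslog timestamp and a `named[pid]:` prefix, and
optionally carrying the `@0x...` client handle or `(name)` that newer releases add.
"""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)"
)


def parse_line(line):
    """Return a dict for one query line, or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # BIND's first flag character is '+' when the client asked for recursion, '-' otherwise.
    rec["recursion"] = rec["flags"].startswith("+")
    return rec


def summarise(lines, per_client_threshold=3):
    """Aggregate an iterable of log lines; flag clients at or above the threshold."""
    clients, names, qtypes = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # e.g. "query logging is now on" status lines
            continue
        clients[rec["client"]] += 1
        names[rec["name"].lower().rstrip(".")] += 1
        qtypes[rec["qtype"].upper()] += 1
    noisy = sorted(c for c, n in clients.items() if n >= per_client_threshold)
    return {
        "clients": clients,
        "names": names,
        "qtypes": qtypes,
        "unparsed": unparsed,
        "noisy_clients": noisy,
    }


# Constructed sample log: mixes syslog-prefixed lines, a bare channel-file line,
# an IPv6 client and one non-query status line.
SAMPLE_LOG = [
    "Sep 14 22:23:21 ns01.companya.local named[7896]: client 192.168.1.20#46344: query: safebrowsing.clients.google.com IN A + (192.168.1.1)",
    "Sep 14 22:23:22 ns01.companya.local named[7896]: client 192.168.1.20#46345: query: www.example.com IN A + (192.168.1.1)",
    "Sep 14 22:23:22 ns01.companya.local named[7896]: client 192.168.1.20#46346: query: www.example.com IN AAAA + (192.168.1.1)",
    "Sep 14 22:23:25 ns01.companya.local named[7896]: client 192.168.1.31#50001: query: mail.companya.local IN MX - (192.168.1.1)",
    "Sep 14 22:23:30 ns01.companya.local named[7896]: query logging is now on",
    "client 2001:db8::10#53022: query: example.org IN TXT +E (2001:db8::1)",
]


def report(summary, top=5):
    """Render the summary as text (for a shell pipeline; results are in `summary`)."""
    out = []
    for label in ("clients", "names", "qtypes"):
        out.append(f"{label}:")
        out.extend(f"  {n:6d}  {k}" for k, n in summary[label].most_common(top))
    out.append(f"unparsed lines: {summary['unparsed']}")
    out.append("clients over threshold: " + (", ".join(summary["noisy_clients"]) or "none"))
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarise(source)))
```

Run it as `python3 summarise.py /var/log/query.log` on a real file, or with no argument to see the constructed sample. If the log file stays empty after a restart, syslog is the place to look: a refused open on the log path shows up there, whether from file ownership or, on Ubuntu, from the AppArmor profile for named, which by default only allows writes under /var/log/named/.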
13 Comments
I am running bind9 on a Backtrack machine. I have the following files in my /etc/bind/
named.conf
named.conf.local
named.conf.options
named.conf.default-zones
I tried to add the logging code in each of the files one by one, but if the logging code is present, the bind9 service would not start.
Can you guide me where exactly to add the logging code?
Hi M,
This is the contents of my “named.conf”, hope it helps.
Also have you made sure that there is the appropriate permissions on the log file itself? (ie /var/log/query.log.)
Gyp
Hello gyp.
Thanks for the help!
I configured my named.conf file as you described. Have set proper permissions on the query.log file.
I tried to dig, ping and access some sites through my browser from a different machine as well as the same machine.
All the queries are successful, but they are not logged in the query.log file.
Yesterday I had configured the following:
#rndc querylog
and then I was able to see the queries in the file /var/log/syslog. But afterwards, the logging in that file also stopped. None of the queries are logged in syslog or the newly configured query.log files.
Please let me know if there are any further changes to be made. I configured as you had described, but dig from same or different machines does not log any queries.
Thanks in advance.
Also, I need to mention that I have set forwarders in named.conf.options file. The forwarders are the nameservers of google, 8.8.8.8.
I believe that if my local DNS is unable to resolve the query, it will forward it to the google nameservers. Is that true?
Hi M,
Glad to help 🙂
Hmmm, strange one. If you do an “nslookup” and then “server [the DNS server IP]”, and then try a query that way does it work? Does it log?
I assume you’ve done “service bind9 restart” too? Since you can turn on the query log it seems to not be a permissions issue, but more of a configuration one.
Do you have any pertinent log entries in “/var/log/syslog”?
As for your question about DNS forwarders yes that’s right. You can manually set a DNS forward address which will then send all unresolved queries to the addresses you specify. By default if you leave that out then BIND will try and query the root DNS servers. To be fair root lookups are my preferred method, but dependent on bandwidth limitations Google DNS may be the better option.
I will load up Backtrack later on and see if I can replicate the issues you are having 🙂
Gyp
Hey Gyp.
Yes, I had performed nslookup with the specific server address. The queries were not logged.
Also, I had done reloading and restarting the bind server many times.
You are right, I don’t think there are any permission issues – because when the querylog file did not have sufficient permissions, the bind failed to start. Now that I have given permissions, the bind starts successfully, performs query resolution successfully (dig, nslookup, ping, browser access) but the queries are not logged.
I did not find any significant entries in /var/log/syslog. In fact, I think it has stopped logging every bind/dns related query since yesterday.
It was logging the queries from clients in syslog, but when yesterday from a different machine I pinged google.com, the logging of queries stopped, with the last query being
Date, named[2899]: client ip#46344: query: safebrowsing.clients.google.com IN A + (server ip)
I tried my best to solve the problem of query logging, but no matter how much I try, it’s not logging queries at any place.
Would be grateful if you can help.
Finally, the problem is resolved!
syslog helped me – it showed that /var/log/query.log is not found
Hence I checked on net for the issues. The solution was to create the query file at
/var/lib/named/var/log/query.log
Then set bind as the owner of the file:
#chown bind query.log
It resolved my problem. The queries are logged in my query.log, though they are not logged in syslog as they happened to get logged before, but I am satisfied with my query.log.
🙂
Hi M,
Great news and well done 🙂
I’d imagine that running the temporary log command ran it as root which had access to the file. However the BIND service didn’t have the necessary permission.
Well done again 🙂
Gyp
Thank you Gyp!
Yet you can analyze this log using this software
https://github.com/mcdir/statdnslog, see http://statdns.nedze.com/
Looks interesting, I’ll have to have a look 🙂
I used the logging tutorial above and discovered my dns server would not restart! The reason was that I cut and pasted the text shown above. Unfortunately, bind9 chokes without any error message on the matched quotes in this line:
file “/var/log/query.log”;
Changing them to standard quote marks got it working!
Btw, I decided to put the logging commands in a separate file so I could just add this to the end of named.conf:
include "/etc/bind/named.logging.options";
This way, I can just // comment out the include line and restart bind9 to disable logging instead of commenting 7 lines or deleting them and keeping the code snippet somewhere.
Thanks again, gypthecat!
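Both failure modes in this thread (a log file the service cannot open, and typographic quotes pasted from a web page) only surface at restart. The script below is an added example, not code from the post or its commenters: it walks named.conf and every file pulled in by an include "..." line, reports the curly quote characters that BIND's parser rejects with their line numbers, and notes include targets that do not exist. It assumes relative include paths resolve against the including file's directory, which is a simplification (BIND resolves them against its working directory), and the demo() configuration it builds in a temporary directory is constructed for the example. The authoritative check is still named-checkconf from bind9utils; this is a cheap pre-check that says exactly where the bad character is.

```python
"""Lint a named.conf tree for typographic quotes and missing includes.

Added example, not part of the original post. Relative include paths are
resolved against the including file's directory, an assumption that differs
from BIND (which resolves them against its working directory).
"""
import os
import re
import tempfile

# Characters that a browser or word processor substitutes for ASCII " and ',
# none of which BIND's configuration parser accepts.
BAD_QUOTES = {
    "\u201c": "left double quotation mark",
    "\u201d": "right double quotation mark",
    "\u2018": "left single quotation mark",
    "\u2019": "right single quotation mark",
}
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;')


def check_text(text, source="<text>"):
    """Return (source, lineno, message) for every bad quote character in `text`."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch, desc in BAD_QUOTES.items():
            if ch in line:
                problems.append((source, lineno, f"{desc} (U+{ord(ch):04X}); use ASCII quotes"))
    return problems


def includes_in(text):
    """Paths named by well-formed include "..."; lines (curly-quoted ones are caught above)."""
    return [m.group(1) for m in map(INCLUDE_RE.match, text.splitlines()) if m]


def check_file(path, seen=None):
    """Lint `path` and, recursively, the files it includes; `seen` prevents include loops."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path in seen:
        return []
    seen.add(path)
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    problems = check_text(text, path)
    for inc in includes_in(text):
        inc_path = inc if os.path.isabs(inc) else os.path.join(os.path.dirname(path), inc)
        if os.path.exists(inc_path):
            problems.extend(check_file(inc_path, seen))
        else:
            problems.append((path, 0, f"include target missing: {inc}"))
    return problems


# Constructed snippet: the logging block from the post, with the quotes a web
# page would have substituted on the `file` line.
BAD_SNIPPET = (
    "logging {\n"
    "    channel query.log {\n"
    "        file \u201c/var/log/query.log\u201d;\n"
    "        severity debug 3;\n"
    "    };\n"
    "    category queries { query.log; };\n"
    "};\n"
)


def demo():
    """Build a throwaway named.conf tree in a temp dir and lint it (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "named.logging.options"), "w", encoding="utf-8") as f:
            f.write(BAD_SNIPPET)
        with open(os.path.join(d, "named.conf"), "w", encoding="utf-8") as f:
            f.write('include "named.logging.options";\ninclude "named.conf.missing";\n')
        return [(os.path.basename(src), ln, msg)
                for src, ln, msg in check_file(os.path.join(d, "named.conf"))]


if __name__ == "__main__":
    import sys
    results = check_file(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for src, ln, msg in results:
        print(f"{src}:{ln}: {msg}")
    sys.exit(1 if results else 0)
```

Run `python3 lint_named.py /etc/bind/named.conf` before `service bind9 restart`; a non-zero exit means something to fix, and the line number points at the character to retype.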
Hi Coolcat,
Thanks for dropping by and sorry for the tardy reply.
Sorry it didn’t work out for you, but thank you for the tips, I think I have fixed the formatting issues above 🙂
Gyp