How to Log BIND Queries on Ubuntu 12.10

I’ve been troubleshooting some pretty large networks lately, and since DNS underpins most enterprise networks it’s very useful to see what traffic is going through the DNS servers. By default Ubuntu doesn’t log every query, and I can understand why: the average home network generates hundreds of DNS queries an hour, and enterprise networks generate orders of magnitude more.

Option 1 – Quick and Dirty

You can quickly turn on logging by typing in the following into the server shell:
rndc querylog
Then you can follow the information in the standard syslog.
tail -f /var/log/syslog
You should see a line like the following in syslog, confirming that queries are now logged:

Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on

Option 2 – Full and Stored Logs

If you want to store full logs that you can go back to at a later date you’ll need to make some changes to the BIND configuration.
Log on to your shell as usual, and open the main configuration file:
nano /etc/bind/named.conf
Add the following at the bottom:
logging {
    // dedicated channel that writes query records to their own file
    channel query.log {
        file "/var/log/query.log";
        severity debug 3;
    };
    // route the "queries" category to that channel
    category queries { query.log; };
};

Now we need to create the log file:
touch /var/log/query.log
Make it writable by the BIND process (the Ubuntu bind9 package runs named as the user bind, so that is the owner to use):
chown bind:bind /var/log/query.log
Restart BIND:
service bind9 restart
And now you should be able to follow the queries like any other log:
tail -f /var/log/query.log
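As an added example that is not part of the original post: a small Python parser for the query records either method produces, the "client ...: query: ..." form quoted in the comments below, whether it sits bare in /var/log/query.log or behind the syslog prefix from Option 1, summarising queries per client, name and type so an unusually chatty client or an odd record type stands out. The sample lines are constructed; the last sample line approximates the format of later BIND releases and is an assumption, as is the extra tolerance the regex has for it.

```python
import re
from collections import Counter

# A file channel without "print-time yes;" writes no timestamp, and the syslog
# copy carries a "Mon DD hh:mm:ss host named[pid]: " prefix, so the pattern is
# anchored on the "client" token rather than on the start of the line.
# The optional "@0x..." handle and "(qname)" after the port are assumed to
# cover the query-line layout of later BIND releases.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[^)]+)\)"
)

# Constructed sample records: three bare file-channel lines, one syslog line,
# one line in the assumed later-release format, and one non-query line.
SAMPLE_LOG = """\
client 192.0.2.10#46344: query: safebrowsing.clients.google.com IN A + (192.0.2.1)
client 192.0.2.10#46345: query: www.example.com IN AAAA + (192.0.2.1)
client 192.0.2.25#53012: query: mail.companya.local IN MX + (192.0.2.1)
Sep 14 22:23:21 ns01.companya.local named[7896]: client 192.0.2.25#53013: query: www.example.com IN A + (192.0.2.1)
client @0x7f2e1c0b5a80 192.0.2.33#5555 (example.org): query: example.org IN TXT +E(0)K (192.0.2.1)
Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on
"""


def parse_query_log(text):
    """Return one dict per query record; lines that are not queries are skipped."""
    records = []
    for line in text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            records.append(match.groupdict())
    return records


def summarize(records):
    """Count queries per client address, per queried name and per record type."""
    return {
        "clients": Counter(r["client"] for r in records),
        "names": Counter(r["qname"] for r in records),
        "types": Counter(r["qtype"] for r in records),
    }


if __name__ == "__main__":
    stats = summarize(parse_query_log(SAMPLE_LOG))
    for key, counter in stats.items():
        print(key, counter.most_common(3))
```

Feed it the real file with `summarize(parse_query_log(open("/var/log/query.log").read()))`; the same call works on the syslog copy from Option 1.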

13 Comments on "How to Log BIND Queries on Ubuntu 12.10"

  1. M says:

    I am running bind9 on a Backtrack machine. I have the following files in my /etc/bind/
    named.conf
    named.conf.local
    named.conf.options
    named.conf.default-zones

    I tried to add the logging code in each of the files one by one, but if the logging code is present, the bind9 service would not start.
    Can you guide me where exactly to add the logging code?

    • gyp says:

      Hi M,

      This is the contents of my “named.conf”, hope it helps.

      Also have you made sure that there is the appropriate permissions on the log file itself? (ie /var/log/query.log.)

      Gyp

      // This is the primary configuration file for the BIND DNS server named.
      //
      // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
      // structure of BIND configuration files in Debian, *BEFORE* you customize
      // this configuration file.
      //
      // If you are just adding zones, please do that in /etc/bind/named.conf.local
      include "/etc/bind/[redacted].conf";
      include "/etc/bind/named.conf.options";
      include "/etc/bind/named.conf.local";
      include "/etc/bind/[redacted].conf";
      include "/etc/bind/named.conf.default-zones";
      include "/etc/bind/[redacted].conf";

      logging {
          channel query.log {
              file "/var/log/query.log";
              severity debug 3;
          };
          category queries { query.log; };
      };

  2. M says:

    Hello gyp.
    Thanks for the help!

    I configured my named.conf file as you described. Have set proper permissions on the query.log file.
    I tried to dig, ping and access some sites through my browser from a different machine as well as the same machine.
    All the queries are successful, but they are not logged in the query.log file.

    Yesterday I had configured the following:
    #rndc querylog
    and then I was able to see the queries in the file /var/log/syslog. But afterwards, the logging in that file also stopped. None of the queries are logged in syslog or the newly configured query.log files.

    Please let me know if there are any further changes to be made. I configured as you had described, but dig from same or different machines does not log any queries.

    Thanks in advance.

    • M says:

      Also, I need to mention that I have set forwarders in named.conf.options file. The forwarders are the nameservers of google, 8.8.8.8.
      I believe that if my local DNS is unable to resolve the query, it will forward it to the google nameservers. Is that true?

    • gyp says:

      Hi M,

      Glad to help 🙂

      Hmmm, strange one. If you do an “nslookup” and then “server [the DNS server IP]”, and then try a query that way does it work? Does it log?

      I assume you’ve done “service bind9 restart” too? Since you can turn on the query log it seems to not be a permissions issue, but more of a configuration one.

      Do you have any pertinent log entries in “/var/log/syslog”?

      As for your question about DNS forwarders yes that’s right. You can manually set a DNS forward address which will then send all unresolved queries to the addresses you specify. By default if you leave that out then BIND will try and query the root DNS servers. To be fair root lookups is my preferred method, but dependent on bandwidth limitations Google DNS may be the better option.

      I will load up Backtrack later on and see if I can replicate the issues you are having 🙂

      Gyp

  3. M says:

    Hey Gyp.

    Yes, I had performed nslookup with the specific server address. The queries were not logged.
    Also, I had done reloading and restarting the bind server many times.

    You are right, I don't think there are any permission issues – because when the querylog file did not have sufficient permissions, the bind failed to start. Now that I have given permissions, the bind starts successfully, performs query resolution successfully (dig, nslookup, ping, browser access) but the queries are not logged.

    I did not find any significant entries in /var/log/syslog. In fact, I think it has stopped logging every bind/dns related query since yesterday.

    It was logging the queries from clients in syslog, but when yesterday from a different machine I pinged google.com, the logging of queries stopped, with the last query being
    Date, named[2899]: client ip#46344: query: safebrowsing.clients.google.com IN A + (server ip)

    I tried my best to solve the problem of query logging, but no matter how much I try, it's not logging queries at any place.
    Would be grateful if you can help.

  4. M says:

    Finally, the problem is resolved!

    syslog helped me – it showed that /var/log/query.log is not found
    Hence I checked on net for the issues. The solution was to create the query file at
    /var/lib/named/var/log/query.log

    Then set bind as the owner of the file:
    #chown bind query.log

    It resolved my problem. The queries are logged in my query.log, though they are not logged in syslog as they happened to get logged before, but I am satisfied with my query.log.

    🙂

    • gyp says:

      Hi M,

      Great news and well done 🙂

      I’d imagine that running the temporary log command ran it as root which had access to the file. However the BIND service didn’t have the necessary permission.

      Well done again 🙂

      Gyp

  5. M says:

    Thank you Gyp!

  6. Coolcat says:

    I used the logging tutorial above and discovered my dns server would not restart! The reason was that I cut and pasted the text shown above. Unfortunately, bind9 chokes without any error message on the matched quotes in this line:

    file “/var/log/query.log”;

    Changing them to standard quote marks got it working!

    Btw, I decided to put the logging commands in a separate file so I could just add this to the end of named.conf:

    include "/etc/bind/named.logging.options";

    This way, I can just // comment out the include line and restart bind9 to disable logging instead of commenting 7 lines or deleting them and keeping the code snippet somewhere.

    Thanks again, gypthecat!

    • gyp says:

      Hi Coolcat,

      Thanks for dropping by and sorry for the tardy reply.

      Sorry it didn’t work out for you, but thank you for the tips, I think I have fixed the formatting issues above 🙂

      Gyp
