DNS (BIND named) logging for specific record

Is it possible to check for a specific record?
What I want is to see which IPs are trying to resolve a certain CNAME record, so I can tell these customers to update their records.
redworks asked:

muff commented:
No. But you could just log everything, then search the logs for what you need.
redworks (Author) commented:
How do I do this then? I can't seem to find that option.
redworks (Author) commented:
How do I log "everything"?
I want to see who tries to connect to a certain A record...

muff commented:
Try adding this to your config:

logging {
  channel simple_log {
    // rotate the file: keep 3 old versions, roll over at 5 MB
    file "/var/log/named/bind.log" versions 3 size 5m;
    severity info;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category client {
    simple_log;
  };
};
redworks (Author) commented:
I did this; it does not seem to add anything to the file. I chowned it named:named and chmodded it 660.
muff commented:

Can you try changing "client" to "default"? This should emit some logs.

Thanks.
redworks (Author) commented:
Still... nothing...
muff commented:
Did you change ownership of the /var/log/named directory as well as the file within it? In fact, it would be better to change ownership of the directory, delete the file, and then let bind create the file itself.

That way we could at least see whether bind is attempting to access the file, if it gets created.

And named is definitely the user that bind is running as?

If there are issues, you'll see them in /var/log/messages or /var/log/syslog.
redworks (Author) commented:
My bad. I was running a chroot. I created it in there, now it gives:
"May 28 16:51:49 www named[26016]: logging channel 'simple_log' file '/var/log/named/bind.log': permission denied
May 28 16:51:49 www named[26016]: isc_log_open '/var/log/named/bind.log' failed: permission denied"

While the permissions are named (correct) and even chmodded 666!
muff commented:
Where are you seeing the errors if bind.log cannot be written to?

If it is in the non-chroot /var/log/[something] then it is attempting to write to the non-chroot location, I guess? So before it gets chrooted...
redworks (Author) commented:
I have both files, non-chroot and chroot, with the same permissions.
Both fail.
muff commented:

This would be difficult to diagnose without taking a look at your setup. I'd suggest running it outside of a chroot to see if it can write to the log file.

You confirmed that

  <chroot>/var/log/named is owned by named as well as <chroot>/var/log/named/bind.log right?

Did you try deleting the file and letting bind create it, as suggested?
redworks (Author) commented:
Deleted. Tried to recreate it as you suggested, nothing. Same error.
muff commented:
You confirmed that

  <chroot>/var/log/named is owned by named as well as <chroot>/var/log/named/bind.log right?
muff commented:
(I am putting each suggestion or question in a separate post as they seem to be missed otherwise)

I'd suggest running it outside of a chroot to see if it can write to the log file.
redworks (Author) commented:
Correct. Yes, I did. It fails.
muff commented:
You are running this outside a chroot, with the log pointing to a file in a directory that has the same ownership as the process owner and it gets a permission failure?

If you have confirmed all of this, then your filesystem is corrupt. I would double-check if I were you.

I gather from the minimal responses that you are somehow unhappy with the progress you are getting with this question so I shall leave it to someone else to help further.
redworks (Author) commented:
Ah, it seems to work. CHMOD *must* be 750?...
Anyway... both "default" and "client" do not show it when someone resolves an A record...
and this is kinda what I want... I want to see when someone calls a specific A record...
muff commented:
Right, great, logging at least!

OK, the best bet would be to alter the severity to dynamic.

Then when you want to enable more detailed logging, you can do

   rndc trace

This will bump the logging level to debug 1, debug 2, debug 3 each time it is called. Debug 1 should be enough to see A records being resolved.

   rndc trace 0

To get it back to normal (this command may be 'ndc' on some distros).

If you tail -f the log while doing it, you should be able to see it bump up, and the queries begin logging.

muff commented:

Oh, and if you would like queries logged to a separate file you need a different channel set up pointing at a different file, then the category is "queries" not "client" (my mistake).
redworks (Author) commented:
I actually ended up doing this:
named.conf
------
logging {
  channel query_logging {
    // rotate the file: keep 3 old versions, roll over at 5 MB
    file "/var/log/named/bind.log" versions 3 size 5m;
    severity debug 3;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  // the "queries" category carries one line per client query once
  // query logging is switched on (rndc querylog)
  category queries {
    query_logging;
  };
};
------

and then run
 rndc querylog
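Once query logging is on (either via muff's severity dynamic / rndc trace approach above or the "queries" channel plus rndc querylog that redworks ended up with), the remaining step from the original question is to find out which client IPs asked for a particular record. The script below is an added example, not code from the thread: it parses query-log lines in the layout BIND 9 writes for the "queries" category (client address#port, the queried name in parentheses, then "query: NAME CLASS TYPE"), tolerating the optional "@0x..." client pointer that newer releases print, and tallies the source addresses that resolved a given name. The sample log lines are constructed for the example; the helper names are the author's own.

```python
import re
import sys
from collections import defaultdict

# Matches the query part of a BIND 9 query-log line, e.g.
#   client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E (198.51.100.5)
# Assumption: newer BIND 9 releases insert "@0x<pointer> " before the address; it is optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?"            # optional client structure pointer
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "  # source address (v4 or v6) and port
    r"\([^)]*\): query: "                     # queried name as BIND echoes it in parentheses
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample lines in the format produced by a channel with
# print-time, print-category and print-severity enabled.
SAMPLE_LOG = """\
28-May-2013 16:51:49.101 queries: info: client 192.0.2.10#53211 (www.example.com): query: www.example.com IN A +E (198.51.100.5)
28-May-2013 16:51:50.220 queries: info: client 192.0.2.11#40111 (old.example.com): query: old.example.com IN CNAME + (198.51.100.5)
28-May-2013 16:51:51.333 queries: info: client 192.0.2.10#53212 (old.example.com): query: old.example.com IN A + (198.51.100.5)
28-May-2013 16:51:52.444 queries: info: client 2001:db8::25#60000 (Old.Example.COM): query: Old.Example.COM IN A + (198.51.100.5)
28-May-2013 16:51:53.555 queries: info: client 192.0.2.12#41000 (mail.example.com): query: mail.example.com IN MX + (198.51.100.5)
28-May-2013 16:51:54.666 general: info: zone example.com/IN: loaded serial 2013052801
"""


def parse_query_line(line):
    """Return {'ip', 'qname', 'qtype'} for a query-log line, or None for any other line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        # DNS names are case-insensitive; normalise so lookups match regardless of client casing
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype").upper(),
    }


def clients_for_name(lines, name, qtypes=None):
    """Count queries per client IP for `name`, optionally restricted to a set of record types."""
    target = name.rstrip(".").lower()
    counts = defaultdict(int)
    for line in lines:
        rec = parse_query_line(line)
        if rec is None or rec["qname"] != target:
            continue
        if qtypes and rec["qtype"] not in qtypes:
            continue
        counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: python bind_query_clients.py /var/log/named/bind.log old.example.com [A,CNAME]
    path, name = sys.argv[1], sys.argv[2]
    types = set(sys.argv[3].upper().split(",")) if len(sys.argv) > 3 else None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for ip, n in sorted(clients_for_name(fh, name, types).items(), key=lambda kv: -kv[1]):
            print(f"{ip}\t{n}")
```

Run against the rotated files as well (bind.log, bind.log.0, ...), since the "versions 3" setting in the channel means older queries may already have been rolled over; the customer list is only as complete as the log window you feed in.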

muff commented:

Or you could do it that way.

Show some appreciation.
redworks (Author) commented:
I am grateful for your assistance. But, in all honesty, the solution provided was not the solution for my question.
muff commented:
If you tried it you would have seen it did exactly what you needed.  

Were you aware of the logging parameters and rndc prior to this question being asked? Seems unlikely you would have asked the question in the first instance if you were.

Appreciation is for allocating points to those who put time and effort in to help you along your path and guide you to the answer as well as actually providing it.

How does revoking points encourage me to help others if I do 90% of the work, and the Asker does the final 10% and then revokes the question?